[OE-core] [PATCH] openssh: fix wrong volatile dir for sshd host keys on read-only rootfs

Martin Hundebøll martin at geanix.com
Thu Aug 16 06:26:29 UTC 2018


Hi Andre,

On 15/08/2018 21.47, Andre McCurdy wrote:
> On Wed, Aug 15, 2018 at 4:59 AM, Martin Hundebøll <martin at geanix.com> wrote:
>> When the read-only-rootfs image feature is enabled, and openssh is
>> installed into an image, the ssh daemon is reconfigured to use
>> /var/run/ssh when generating host keys.
>>
>> Fix up the creation of the volatile dir to actually match what sshd is
>> configured to.
>>
>> Signed-off-by: Martin Hundebøll <martin at geanix.com>
>> ---
>>   meta/recipes-connectivity/openssh/openssh/volatiles.99_sshd | 2 +-
>>   1 file changed, 1 insertion(+), 1 deletion(-)
>>
>> diff --git a/meta/recipes-connectivity/openssh/openssh/volatiles.99_sshd b/meta/recipes-connectivity/openssh/openssh/volatiles.99_sshd
>> index a0d2af3c65..fcbc5ae9d5 100644
>> --- a/meta/recipes-connectivity/openssh/openssh/volatiles.99_sshd
>> +++ b/meta/recipes-connectivity/openssh/openssh/volatiles.99_sshd
>> @@ -1,2 +1,2 @@
>> -d root root 0755 /var/run/sshd none
>> +d root root 0755 /var/run/ssh none
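Review bot: the hunk replaces the existing `/var/run/sshd` entry rather than adding a new one, so the privilege-separation directory sshd is built with (see `--with-privsep-path`) would no longer be created on a volatile /var/run; keep `d root root 0755 /var/run/sshd none` and, only if a separate host-key directory entry is really needed, add a second `d` line for `/var/run/ssh` instead. Since sshd_check_keys already runs `mkdir -p $SYSCONFDIR` before generating keys, the commit message should state the observable failure this change is meant to address.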
> 
> This doesn't look right.
> 
> /var/run/sshd is the directory used for privilege separation (grep for
> --with-privsep-path ), so it's not correct to remove it.

I see - didn't know about openssh chrooting to do privilege separation.

> Note that sshd_check_keys script runs "mkdir -p $SYSCONFDIR" (ie
> /var/run/ssh in the read-only rootfs case) at run time before creating
> any keys.

Yes, it works without the volatile folder; for openssh at least.

> What exactly was the problem that this patch tries to fix?

I am running a custom image with the read-only-rootfs feature enabled, 
and wanted to make the ssh host keys persistent across reboots.

At first, I tried adding a bind-mount entry to fstab from /data/ssh to 
/var/run/ssh, but the latter doesn't exist when mountall.sh is executed by 
RC (/data is the mountpoint of a persistent partition).

I then looked at the volatile entries and noticed that it created the 
(empty) /var/run/sshd, so changed it to (wrongly) create /var/run/ssh 
instead.

That wasn't enough though, since populate-volatiles.sh comes after 
mountall.sh.

In the end I simply added a new entry to volatiles to create a symlink 
from /var/run/ssh to /data/ssh, which works for me :)

Maybe I should change the patch to add a comment about the /var/run/sshd 
entry, so we don't end up making mistakes like the 
debian-predictable-keys story.

// Martin
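To make the outcome of this thread concrete, here is an added example (not code from the patch, from OE-core, or from either poster) that applies a small volatiles-style entry file into a scratch root. It keeps the `/var/run/sshd` privilege-separation directory that the original hunk would have dropped, and redirects the host-key directory `/var/run/ssh` to persistent storage with a symlink, as Martin describes doing. Assumptions: the entry format `<type> <user> <group> <mode> <path> <link-target>` with type `d` as shown on the page and type `l` for a symlink (the `l` type and the argument order are assumed, not taken from the page); `/data/ssh` as the persistent host-key location is taken from the thread; ownership is not applied because the example runs unprivileged.

```shell
#!/bin/sh
# Added example, not OE-core's populate-volatiles.sh: apply "d" and "l"
# volatiles entries below a scratch root so the layout can be checked
# without root privileges.

# Constructed entries (assumption: "l" creates a symlink from <path> to
# <link-target>). The privsep dir stays; only the key dir is redirected.
SSHD_VOLATILES='d root root 0755 /var/run/sshd none
l root root 0755 /var/run/ssh /data/ssh'

# apply_volatiles ROOT: create every entry of SSHD_VOLATILES under ROOT.
# chown is skipped on purpose: the example is meant to run as a normal user.
apply_volatiles() {
    root="$1"
    while read -r ttype tuser tgroup tmode tname tltarget; do
        case "$ttype" in
            ''|'#'*) continue ;;                       # blank line or comment
            d) mkdir -p "$root$tname" || return 1
               chmod "$tmode" "$root$tname" || return 1 ;;
            l) mkdir -p "$(dirname "$root$tname")" || return 1
               ln -sfn "$tltarget" "$root$tname" || return 1 ;;
            *) echo "unknown entry type: $ttype" >&2; return 1 ;;
        esac
    done <<EOF
$SSHD_VOLATILES
EOF
}

# check_layout ROOT: succeed only if the privsep directory still exists and
# the host-key directory is a symlink pointing at persistent storage.
check_layout() {
    root="$1"
    [ -d "$root/var/run/sshd" ] || return 1
    [ -L "$root/var/run/ssh" ] || return 1
    [ "$(readlink "$root/var/run/ssh")" = "/data/ssh" ] || return 1
    return 0
}

# Stand-alone run: build the layout in a temporary root and report on it.
main() {
    root="$(mktemp -d)"
    apply_volatiles "$root" || { echo "apply failed" >&2; rm -rf "$root"; return 1; }
    if check_layout "$root"; then
        echo "ok: /var/run/sshd kept, /var/run/ssh -> /data/ssh"
    else
        echo "layout check failed" >&2
    fi
    rm -rf "$root"
}

main "$@"
```

The point of `check_layout` is the one Andre raised in review: whatever is done to persist host keys, the privilege-separation directory must still be present after volatiles are populated, so a change to this file is best verified against both paths rather than just the one being added.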
