[OE-core] [PATCH] openssh: fix wrong volatile dir for sshd host keys on read-only rootfs
Andre McCurdy
armccurdy at gmail.com
Fri Aug 17 05:33:33 UTC 2018
On Wed, Aug 15, 2018 at 11:26 PM, Martin Hundebøll <martin at geanix.com> wrote:
> Hi Andre,
>
> On 15/08/2018 21.47, Andre McCurdy wrote:
>>
>> On Wed, Aug 15, 2018 at 4:59 AM, Martin Hundebøll <martin at geanix.com>
>> wrote:
>>>
>>> When the read-only-rootfs image feature is enabled, and openssh is
>>> installed into an image, the ssh daemon is reconfigured to use
>>> /var/run/ssh when generating host keys.
>>>
>>> Fix up the creation of the volatile dir to actually match what sshd is
>>> configured to.
>>>
>>> Signed-off-by: Martin Hundebøll <martin at geanix.com>
>>> ---
>>> meta/recipes-connectivity/openssh/openssh/volatiles.99_sshd | 2 +-
>>> 1 file changed, 1 insertion(+), 1 deletion(-)
>>>
>>> diff --git a/meta/recipes-connectivity/openssh/openssh/volatiles.99_sshd
>>> b/meta/recipes-connectivity/openssh/openssh/volatiles.99_sshd
>>> index a0d2af3c65..fcbc5ae9d5 100644
>>> --- a/meta/recipes-connectivity/openssh/openssh/volatiles.99_sshd
>>> +++ b/meta/recipes-connectivity/openssh/openssh/volatiles.99_sshd
>>> @@ -1,2 +1,2 @@
>>> -d root root 0755 /var/run/sshd none
>>> +d root root 0755 /var/run/ssh none
>>
>> This doesn't look right.
>>
>> /var/run/sshd is the directory used for privilege separation (grep for
>> --with-privsep-path ), so it's not correct to remove it.
>
> I see - didn't know about openssh chrooting to do privilege separation.
>
>> Note that sshd_check_keys script runs "mkdir -p $SYSCONFDIR" (ie
>> /var/run/ssh in the read-only rootfs case) at run time before creating
>> any keys.
>
> Yes, it works without the volatile folder; for openssh at least.
>
>> What exactly was the problem that this patch tries to fix?
>
> I am running a custom image with the read-only-rootfs feature enabled, and
> wanted to make the ssh host keys persistent across reboots.
That should be possible by following the steps described in:
http://git.openembedded.org/openembedded-core/commit/?id=106b59d9f96f70d133fa1421091ad280d27a5b6a
ie add something like the following to a .bbappend:
export SYSCONFDIR = "/data/ssh"
do_install_append () {
sed 's|HostKey /var/run/ssh|HostKey /data/ssh|g' -i
${D}${sysconfdir}/ssh/sshd_config_readonly
}
The openssh init script has changed a little since then, but I think
the same basic approach should still work (and if it doesn't we should
fix things so it does).
> At first, I tried adding a bind-mount entry to fstab from /data/ssh to
> /var/run/ssh, but the latter don't exist when mountall.sh is executed by RC
> (/data is the mountpoint of a persistent partition).
>
> I then looked at the volatile entries and noticed that it created the
> (empty) /var/run/sshd, so changed it to (wrongly) create /var/run/ssh
> instead.
>
> That wasn't enough though, since populate-volatiles.sh comes after
> mountall.sh.
>
> In the end I simply added a new entry to volatiles to create a symlink from
> /var/run/ssh to /data/ssh, which works for me :)
>
> Maybe I should change the patch to add a comment about the /var/run/sshd
> entry, so we don't end up doing mistakes like the debian-predictable-keys
> story.
>
> // Martin
More information about the Openembedded-core
mailing list