[OE-core] [PATCH] openssh: fix wrong volatile dir for sshd host keys on read-only rootfs

Joshua Watt jpewhacker at gmail.com
Fri Aug 17 13:02:55 UTC 2018


On Thu, 2018-08-16 at 22:33 -0700, Andre McCurdy wrote:
> On Wed, Aug 15, 2018 at 11:26 PM, Martin Hundebøll <martin at geanix.com> wrote:
> > Hi Andre,
> > 
> > On 15/08/2018 21.47, Andre McCurdy wrote:
> > > 
> > > On Wed, Aug 15, 2018 at 4:59 AM, Martin Hundebøll <martin at geanix.com> wrote:
> > > > 
> > > > When the read-only-rootfs image feature is enabled, and openssh is
> > > > installed into an image, the ssh daemon is reconfigured to use
> > > > /var/run/ssh when generating host keys.
> > > > 
> > > > Fix up the creation of the volatile dir to actually match what sshd is
> > > > configured to.
> > > > 
> > > > Signed-off-by: Martin Hundebøll <martin at geanix.com>
> > > > ---
> > > >   meta/recipes-connectivity/openssh/openssh/volatiles.99_sshd | 2 +-
> > > >   1 file changed, 1 insertion(+), 1 deletion(-)
> > > > 
> > > > diff --git a/meta/recipes-
> > > > connectivity/openssh/openssh/volatiles.99_sshd
> > > > b/meta/recipes-connectivity/openssh/openssh/volatiles.99_sshd
> > > > index a0d2af3c65..fcbc5ae9d5 100644
> > > > --- a/meta/recipes-
> > > > connectivity/openssh/openssh/volatiles.99_sshd
> > > > +++ b/meta/recipes-
> > > > connectivity/openssh/openssh/volatiles.99_sshd
> > > > @@ -1,2 +1,2 @@
> > > > -d root root 0755 /var/run/sshd none
> > > > +d root root 0755 /var/run/ssh none
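Review bot: Replacing the existing line instead of adding one drops the `/var/run/sshd` entry, and that directory is sshd's privilege-separation path (`--with-privsep-path`), so the hunk should keep `d root root 0755 /var/run/sshd none` and, if a volatiles entry for the key directory is wanted at all, add `d root root 0755 /var/run/ssh none` as a second line. Since `sshd_check_keys` already runs `mkdir -p $SYSCONFDIR` before generating keys, the commit message should also state what concretely fails without the new entry.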
> > > 
> > > This doesn't look right.
> > > 
> > > /var/run/sshd is the directory used for privilege separation (grep for
> > > --with-privsep-path ), so it's not correct to remove it.
> > 
> > I see - didn't know about openssh chrooting to do privilege separation.
> > 
> > > Note that sshd_check_keys script runs "mkdir -p $SYSCONFDIR" (ie
> > > /var/run/ssh in the read-only rootfs case) at run time before creating
> > > any keys.
> > 
> > Yes, it works without the volatile folder; for openssh at least.
> > 
> > > What exactly was the problem that this patch tries to fix?
> > 
> > I am running a custom image with the read-only-rootfs feature enabled, and
> > wanted to make the ssh host keys persistent across reboots.
> 
> That should be possible by following the steps described in:
> 
>   http://git.openembedded.org/openembedded-core/commit/?id=106b59d9f96f70d133fa1421091ad280d27a5b6a
> 
> ie add something like the following to a .bbappend:
> 
>   export SYSCONFDIR = "/data/ssh"
> 
>   do_install_append () {
>     sed 's|HostKey /var/run/ssh|HostKey /data/ssh|g' -i ${D}${sysconfdir}/ssh/sshd_config_readonly
>   }
> 
> The openssh init script has changed a little since then, but I think
> the same basic approach should still work (and if it doesn't we should
> fix things so it does).

FWIW, we use volatiles to accomplish something similar:

 # cat /etc/default/volatiles/99_sshd
 d root root 0755 /data/var/run/ssh none
 l root root 0755 /var/run/ssh /data/var/run/ssh

> 
> > At first, I tried adding a bind-mount entry to fstab from /data/ssh to
> > /var/run/ssh, but the latter doesn't exist when mountall.sh is executed by RC
> > (/data is the mountpoint of a persistent partition).
> > 
> > I then looked at the volatile entries and noticed that it created the
> > (empty) /var/run/sshd, so changed it to (wrongly) create /var/run/ssh
> > instead.
> > 
> > That wasn't enough though, since populate-volatiles.sh comes after
> > mountall.sh.
> > 
> > In the end I simply added a new entry to volatiles to create a symlink from
> > /var/run/ssh to /data/ssh, which works for me :)
> > 
> > Maybe I should change the patch to add a comment about the /var/run/sshd
> > entry, so we don't end up making mistakes like the debian-predictable-keys
> > story.
> > 
> > // Martin
-- 
Joshua Watt <JPEWhacker at gmail.com>
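The volatiles layout Joshua shows (persistent key directory under /data plus a symlink from /var/run/ssh), together with Andre's point that the /var/run/sshd privsep entry must stay, can be tried offline with a small interpreter for the "d" and "l" entry types of /etc/default/volatiles files. This is an added example, not OE-core's populate-volatiles.sh; the function names apply_volatiles and check_sshd_layout are hypothetical, the 99_sshd content is constructed from the entries quoted in the thread, and /data is assumed to be the persistent partition's mountpoint as Martin described. Everything is created under a scratch root so it runs unprivileged; ownership (user/group) is parsed but not applied.

```shell
#!/bin/sh
# Added example, not OE-core's populate-volatiles.sh: a minimal interpreter
# for the "d" and "l" entry types of /etc/default/volatiles files, applied
# under a scratch root so the layout from the thread can be checked offline.
# Function names (apply_volatiles, check_sshd_layout) are hypothetical.

# Constructed 99_sshd: keeps the privilege-separation directory that the
# stock entry creates, and adds the persistent host-key directory plus the
# symlink that points /var/run/ssh at it (/data = persistent partition).
# Entry format: type user group mode path target
VOLATILES_SAMPLE='# keep: sshd privsep dir (--with-privsep-path)
d root root 0755 /var/run/sshd none
# persistent host keys, linked from the read-only-rootfs SYSCONFDIR
d root root 0755 /data/var/run/ssh none
l root root 0755 /var/run/ssh /data/var/run/ssh'

# apply_volatiles ROOT FILE: create every "d" directory and "l" symlink
# listed in FILE, relative to ROOT. Ownership is skipped so this can run
# unprivileged; the real script also chowns each entry to user:group.
apply_volatiles() {
    root=$1
    file=$2
    while read -r type user group mode path target; do
        case $type in
            '#'*|'') ;;                       # comment or blank line
            d)
                mkdir -p "$root$path"
                chmod "$mode" "$root$path"
                ;;
            l)
                mkdir -p "$(dirname "$root$path")"
                rm -f "$root$path"            # never link *inside* a stale dir
                ln -s "$target" "$root$path"  # target kept as written (absolute in the image)
                ;;
            *)
                echo "unsupported volatiles entry type: $type" >&2
                return 1
                ;;
        esac
    done < "$file"
}

# check_sshd_layout ROOT: the two properties the thread cares about, namely
# that the privsep dir still exists and that /var/run/ssh points at
# persistent storage that also exists.
check_sshd_layout() {
    root=$1
    [ -d "$root/var/run/sshd" ] || { echo "missing privsep dir /var/run/sshd" >&2; return 1; }
    [ -L "$root/var/run/ssh" ] || { echo "/var/run/ssh is not a symlink" >&2; return 1; }
    [ "$(readlink "$root/var/run/ssh")" = "/data/var/run/ssh" ] || return 1
    [ -d "$root/data/var/run/ssh" ] || return 1
}

# Stand-alone run: apply the sample under a temporary root and report.
demo() {
    tmp=$(mktemp -d)
    printf '%s\n' "$VOLATILES_SAMPLE" > "$tmp/99_sshd"
    apply_volatiles "$tmp/root" "$tmp/99_sshd" && check_sshd_layout "$tmp/root" \
        && echo "sshd volatiles layout ok under $tmp/root"
    status=$?
    rm -rf "$tmp"
    return $status
}

demo
```

Run it with `sh volatiles_demo.sh`; a non-zero exit means either an entry type the script does not handle or a layout where the privsep directory or the persistent key directory is missing. The symlink target is stored exactly as written in the entry, which is why the check compares against the absolute in-image path rather than resolving it under the scratch root.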


