* Re: [ptxdist] [PATCH] DRAFT: openssh: make host key generation optional
From: Artur Wiebe @ 2020-11-16 15:09 UTC (permalink / raw)
To: ptxdist
Doesn't work... :(
On Monday, November 16, 2020 11:32 CET, Michael Olbrich <m.olbrich@pengutronix.de> wrote:
> On Mon, Nov 16, 2020 at 10:45:07AM +0100, Artur Wiebe wrote:
> > On Monday, November 16, 2020 10:36 CET, Michael Olbrich <m.olbrich@pengutronix.de> wrote:
> > > On Sun, Nov 15, 2020 at 06:08:56PM +0100, Roland Hieber wrote:
> > > > On Sun, Nov 15, 2020 at 11:06:12AM +0100, Ladislav Michl wrote:
> > > > > On Sat, Nov 14, 2020 at 09:34:47PM +0100, Roland Hieber wrote:
> > > > > > On Fri, Nov 13, 2020 at 06:46:48PM +0100, Ladislav Michl wrote:
> > > > > > > On Fri, Nov 13, 2020 at 03:19:55PM +0100, Artur Wiebe wrote:
> > > > > > > > How can openssh.postinst be disabled from within the rule files?
> > > > > > >
> > > > > > > The very same could be achieved with a symlink in your BSP:
> > > > > > > projectroot/etc/rc.once.d/openssh -> /dev/null
> > > > > >
> > > > > > I don't understand why you want to disable this. The SSH server will not
> > > > > > start without host keys. Or do you want to install a static version of
> > > > > > the host keys generated at build time?
> > > > >
> > > > > Yes, keys are static, generated at build time. Root filesystem is
> > > > > read-only.
> > > > >
> > > > > > If so, there should be an option for this. But for now, in my opinion,
> > > > > > disabling OPENSSH_SSHD_GENKEYS will just lead to a broken SSH server.
> > > > >
> > > > > As this is easy to solve at BSP level I never thought it could
> > > > > be a thing :)
> > > >
> > > > OK, but at least I would mention it in the kconfig help text. The
> > >
> > > Ack.
> > >
> > > > openssh recipe could also just pick up /etc/ssh/ssh_host_*_key via
> > > > install_alternative if this option is disabled.
> > >
> > > No. Shared ssh server keys are a bad idea. That's not something I want to
> > > merge upstream.
> >
> > This was also my concern...
> >
> > >
> > > But there are other use-cases to not use rc-once, e.g. if the server keys
> > > are generated during provisioning. And not selecting rc-once in this case
> > > makes sense, so this is acceptable in general.
> >
> > I still need a way to disable openssh.postinst if OPENSSH_SSHD_GENKEYS is not set.
>
> Hmmm, right. In the BSP, a /dev/null symlink works for this as well, but
> we currently don't have a way to not install the postinst script. We could
> do something like this (untested):
>
> $(call install_script_replace, openssh, postinst, @RC_ONCE@, \
> $(call ptx/ifdef, PTXCONF_OPENSSH_SSHD_GENKEYS,,#))
-----------------------------
target: openssh.targetinstall
-----------------------------
install_init: preparing for image creation of 'openssh'...
install_init: @ARCH@ -> x86_64
install_init: @PACKAGE@ -> openssh
install_init: @VERSION@ -> 8.3p1
install_init: @DEPENDS@ -> openssl, rc-once, zlib
install_init: preinst not available
install_init: postinst packaging: 'root/rules/openssh.postinst'
install_init: prerm not available
install_init: postrm not available
install_fixup: @PRIORITY@ -> optional ... done.
install_fixup: @SECTION@ -> base ... done.
install_fixup: @AUTHOR@ -> "Marc Kleine-Budde <mkl\@pengutronix.de>" ... done.
install_fixup: @DESCRIPTION@ -> missing ... done.
XPKG=openssh; FILE=postinst; PLACEHOLDER=@RC_ONCE@; VALUE=; CMD="install_script_replace"; if [ ! -f "/tmp/ptxdist.qS1dcP/openssh.targetinstall.$XPKG" ]; then echo; echo "Error: install_init was not called for package '$XPKG'!"; echo "This is probably caused by a typo in the package name of:"; echo "\$(call $CMD, $XPKG, ...)"; echo; exit 1; fi; echo "ptxd_install_script_replace '$FILE' '$PLACEHOLDER' '$VALUE'" >> "/mnt/root/platform-x86/state/$XPKG.cmds"
xpkg_finish: collecting license (BSD AND BSD-2-Clause AND BSD-3-Clause AND MIT AND Beerware AND ISC) ... done.
xpkg_finish: creating opkg package ...
ptxdist: error: ptxd_install_script_replace: 'dst' must be an absolute path!
xpkg_finish: failed.
>
> And in rules/openssh.postinst:
>
> #!/bin/sh
> @RC_ONCE@$DESTDIR/usr/sbin/enable-rc-once openssh
>
> This way the script may be installed, but it will do nothing if
> PTXCONF_OPENSSH_SSHD_GENKEYS is disabled.
>
> Michael
>
> --
> Pengutronix e.K. | |
> Steuerwalder Str. 21 | http://www.pengutronix.de/ |
> 31137 Hildesheim, Germany | Phone: +49-5121-206917-0 |
> Amtsgericht Hildesheim, HRA 2686 | Fax: +49-5121-206917-5555 |
>
> _______________________________________________
> ptxdist mailing list
> ptxdist@pengutronix.de
> To unsubscribe, send a mail with subject "unsubscribe" to ptxdist-request@pengutronix.de
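The placeholder trick Michael proposes above (install_script_replace with ptx/ifdef, so that @RC_ONCE@ becomes either nothing or a `#` and the enable-rc-once line is commented out when PTXCONF_OPENSSH_SSHD_GENKEYS is off) can be inspected without a full ptxdist build. The Python below is an added example, not ptxdist's or OpenSSH's code: it parses a small constructed ptxconfig, mimics ptx/ifdef, substitutes the placeholder in the postinst text from the thread, and refuses to emit a script that still contains an unreplaced placeholder, so a broken substitution is caught at build time rather than shipped inside the package. The function names and the sample configs are assumptions; none of this is the real install_script_replace implementation.

```python
"""Render a ptxdist-style postinst template against a ptxconfig.

Added example, not ptxdist's own code. It mimics what the proposed
install_script_replace + ptx/ifdef combination would do to
rules/openssh.postinst, so the effect of PTXCONF_OPENSSH_SSHD_GENKEYS
can be inspected without running a full ptxdist build.
"""
import re

# Constructed sample configs in ptxconfig (Kconfig output) syntax; not from a real BSP.
SAMPLE_PTXCONFIG_GENKEYS_ON = """\
PTXCONF_OPENSSH=y
PTXCONF_OPENSSH_SSHD=y
PTXCONF_OPENSSH_SSHD_GENKEYS=y
PTXCONF_RC_ONCE=y
"""

SAMPLE_PTXCONFIG_GENKEYS_OFF = """\
PTXCONF_OPENSSH=y
PTXCONF_OPENSSH_SSHD=y
# PTXCONF_OPENSSH_SSHD_GENKEYS is not set
# PTXCONF_RC_ONCE is not set
"""

# The postinst as proposed in the thread: @RC_ONCE@ becomes "" (line active)
# or "#" (line commented out).
POSTINST_TEMPLATE = """\
#!/bin/sh
@RC_ONCE@$DESTDIR/usr/sbin/enable-rc-once openssh
"""

PLACEHOLDER_RE = re.compile(r"@[A-Z0-9_]+@")
NOT_SET_RE = re.compile(r"^# (PTXCONF_[A-Z0-9_]+) is not set$")


def parse_ptxconfig(text):
    """Parse Kconfig-style output: 'SYM=value' -> set, '# SYM is not set' -> unset."""
    config = {}
    for raw in text.splitlines():
        line = raw.strip()
        m = NOT_SET_RE.match(line)
        if m:
            config[m.group(1)] = False
            continue
        if not line or line.startswith("#"):
            continue  # blank line or ordinary comment
        key, _, value = line.partition("=")
        # 'y', 'm' and string/int values all mean "symbol is set"
        config[key.strip()] = value.strip() not in ("", "n")
    return config


def ptx_ifdef(config, symbol, if_set, if_unset):
    """Mimic $(call ptx/ifdef, SYMBOL, <if set>, <if unset>) from ptxdist's make helpers."""
    return if_set if config.get(symbol, False) else if_unset


def render_script(template, replacements):
    """Substitute @PLACEHOLDER@ tokens and refuse to emit a script that still
    contains one: a leftover placeholder would otherwise be shipped verbatim
    in the package's maintainer script."""
    out = template
    for placeholder, value in replacements.items():
        out = out.replace(placeholder, value)
    leftover = sorted(set(PLACEHOLDER_RE.findall(out)))
    if leftover:
        raise ValueError("unreplaced placeholders: " + ", ".join(leftover))
    return out


def render_openssh_postinst(ptxconfig_text):
    """Apply the thread's rule: comment out the rc-once hook unless
    PTXCONF_OPENSSH_SSHD_GENKEYS is set."""
    config = parse_ptxconfig(ptxconfig_text)
    rc_once = ptx_ifdef(config, "PTXCONF_OPENSSH_SSHD_GENKEYS", "", "#")
    return render_script(POSTINST_TEMPLATE, {"@RC_ONCE@": rc_once})


def postinst_enables_rc_once(script):
    """True if the rendered postinst still runs enable-rc-once, i.e. host keys
    will be generated on the target's first boot."""
    for line in script.splitlines():
        stripped = line.strip()
        if stripped.startswith("#"):
            continue  # shebang or commented-out hook
        if "enable-rc-once" in stripped:
            return True
    return False


if __name__ == "__main__":
    for label, cfg in (("on", SAMPLE_PTXCONFIG_GENKEYS_ON), ("off", SAMPLE_PTXCONFIG_GENKEYS_OFF)):
        script = render_openssh_postinst(cfg)
        print("--- PTXCONF_OPENSSH_SSHD_GENKEYS %s ---" % label)
        print(script, end="")
        print("rc-once hook active:", postinst_enables_rc_once(script))
```

Running the block prints both renderings; with the option off, the second line of the postinst starts with `#`, which is exactly what the ptx/ifdef call in the thread is meant to produce.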
* Re: [ptxdist] [PATCH] DRAFT: openssh: make host key generation optional
From: Michael Olbrich @ 2020-11-17 6:55 UTC (permalink / raw)
To: ptxdist
On Mon, Nov 16, 2020 at 04:09:58PM +0100, Artur Wiebe wrote:
> Doesn't work... :(
Hmm, might be a bug in install_script_replace. It's not actually used in
any upstream package... I'll have a closer look.
Michael
> On Monday, November 16, 2020 11:32 CET, Michael Olbrich <m.olbrich@pengutronix.de> wrote:
>
> > On Mon, Nov 16, 2020 at 10:45:07AM +0100, Artur Wiebe wrote:
> > > On Monday, November 16, 2020 10:36 CET, Michael Olbrich <m.olbrich@pengutronix.de> wrote:
> > > > On Sun, Nov 15, 2020 at 06:08:56PM +0100, Roland Hieber wrote:
> > > > > On Sun, Nov 15, 2020 at 11:06:12AM +0100, Ladislav Michl wrote:
> > > > > > On Sat, Nov 14, 2020 at 09:34:47PM +0100, Roland Hieber wrote:
> > > > > > > On Fri, Nov 13, 2020 at 06:46:48PM +0100, Ladislav Michl wrote:
> > > > > > > > On Fri, Nov 13, 2020 at 03:19:55PM +0100, Artur Wiebe wrote:
> > > > > > > > > How can openssh.postinst be disabled from within the rule files?
> > > > > > > >
> > > > > > > > The very same could be achieved with a symlink in your BSP:
> > > > > > > > projectroot/etc/rc.once.d/openssh -> /dev/null
> > > > > > >
> > > > > > > I don't understand why you want to disable this. The SSH server will not
> > > > > > > start without host keys. Or do you want to install a static version of
> > > > > > > the host keys generated at build time?
> > > > > >
> > > > > > Yes, keys are static, generated at build time. Root filesystem is
> > > > > > read-only.
> > > > > >
> > > > > > > If so, there should be an option for this. But for now, in my opinion,
> > > > > > > disabling OPENSSH_SSHD_GENKEYS will just lead to a broken SSH server.
> > > > > >
> > > > > > As this is easy to solve at BSP level I never thought it could
> > > > > > be a thing :)
> > > > >
> > > > > OK, but at least I would mention it in the kconfig help text. The
> > > >
> > > > Ack.
> > > >
> > > > > openssh recipe could also just pick up /etc/ssh/ssh_host_*_key via
> > > > > install_alternative if this option is disabled.
> > > >
> > > > No. Shared ssh server keys are a bad idea. That's not something I want to
> > > > merge upstream.
> > >
> > > This was also my concern...
> > >
> > > >
> > > > But there are other use-cases to not use rc-once, e.g. if the server keys
> > > > are generated during provisioning. And not selecting rc-once in this case
> > > > makes sense, so this is acceptable in general.
> > >
> > > I still need a way to disable openssh.postinst if OPENSSH_SSHD_GENKEYS is not set.
> >
> > Hmmm, right. In the BSP, a /dev/null symlink works for this as well, but
> > we currently don't have a way to not install the postinst script. We could
> > do something like this (untested):
> >
> > $(call install_script_replace, openssh, postinst, @RC_ONCE@, \
> > $(call ptx/ifdef, PTXCONF_OPENSSH_SSHD_GENKEYS,,#))
>
> -----------------------------
> target: openssh.targetinstall
> -----------------------------
>
> install_init: preparing for image creation of 'openssh'...
> install_init: @ARCH@ -> x86_64
> install_init: @PACKAGE@ -> openssh
> install_init: @VERSION@ -> 8.3p1
> install_init: @DEPENDS@ -> openssl, rc-once, zlib
> install_init: preinst not available
> install_init: postinst packaging: 'root/rules/openssh.postinst'
> install_init: prerm not available
> install_init: postrm not available
> install_fixup: @PRIORITY@ -> optional ... done.
> install_fixup: @SECTION@ -> base ... done.
> install_fixup: @AUTHOR@ -> "Marc Kleine-Budde <mkl\@pengutronix.de>" ... done.
> install_fixup: @DESCRIPTION@ -> missing ... done.
> XPKG=openssh; FILE=postinst; PLACEHOLDER=@RC_ONCE@; VALUE=; CMD="install_script_replace"; if [ ! -f "/tmp/ptxdist.qS1dcP/openssh.targetinstall.$XPKG" ]; then echo; echo "Error: install_init was not called for package '$XPKG'!"; echo "This is probably caused by a typo in the package name of:"; echo "\$(call $CMD, $XPKG, ...)"; echo; exit 1; fi; echo "ptxd_install_script_replace '$FILE' '$PLACEHOLDER' '$VALUE'" >> "/mnt/root/platform-x86/state/$XPKG.cmds"
> xpkg_finish: collecting license (BSD AND BSD-2-Clause AND BSD-3-Clause AND MIT AND Beerware AND ISC) ... done.
> xpkg_finish: creating opkg package ...
>
>
> ptxdist: error: ptxd_install_script_replace: 'dst' must be an absolute path!
>
>
> xpkg_finish: failed.
>
> >
> > And in rules/openssh.postinst:
> >
> > #!/bin/sh
> > @RC_ONCE@$DESTDIR/usr/sbin/enable-rc-once openssh
> >
> > This way the script may be installed, but it will do nothing if
> > PTXCONF_OPENSSH_SSHD_GENKEYS is disabled.
> >
> > Michael
> >
> > --
> > Pengutronix e.K. | |
> > Steuerwalder Str. 21 | http://www.pengutronix.de/ |
> > 31137 Hildesheim, Germany | Phone: +49-5121-206917-0 |
> > Amtsgericht Hildesheim, HRA 2686 | Fax: +49-5121-206917-5555 |
> >
>
>
>
--
Pengutronix e.K. | |
Steuerwalder Str. 21 | http://www.pengutronix.de/ |
31137 Hildesheim, Germany | Phone: +49-5121-206917-0 |
Amtsgericht Hildesheim, HRA 2686 | Fax: +49-5121-206917-5555 |
* Re: [ptxdist] [PATCH] DRAFT: openssh: make host key generation optional
From: Denis Osterland-Heim @ 2020-11-16 15:26 UTC (permalink / raw)
To: ptxdist
Hi,
If I have a ro root, I disable rc-once completely and implement something comparable for a data partition
and mount the device-unique keys to /etc/ssh/.
rc-once mounts your ro root rw and stores something, at least the "done" marker file, on your root.
I assume you are fine with these changes and just want to keep the key over updates, and therefore you should really consider a data/config partition.
You may also generate the keys in production and mount the config partition read-only to /etc/ssh/.
But do NOT deploy the same key to different devices.
Regards, Denis
On Monday, 16.11.2020, 11:32 +0100, Michael Olbrich wrote:
> On Mon, Nov 16, 2020 at 10:45:07AM +0100, Artur Wiebe wrote:
> > On Monday, November 16, 2020 10:36 CET, Michael Olbrich <m.olbrich@pengutronix.de> wrote:
> > > On Sun, Nov 15, 2020 at 06:08:56PM +0100, Roland Hieber wrote:
> > > > On Sun, Nov 15, 2020 at 11:06:12AM +0100, Ladislav Michl wrote:
> > > > > On Sat, Nov 14, 2020 at 09:34:47PM +0100, Roland Hieber wrote:
> > > > > > On Fri, Nov 13, 2020 at 06:46:48PM +0100, Ladislav Michl wrote:
> > > > > > > On Fri, Nov 13, 2020 at 03:19:55PM +0100, Artur Wiebe wrote:
> > > > > > > > How can openssh.postinst be disabled from within the rule files?
> > > > > > >
> > > > > > > The very same could be achieved with a symlink in your BSP:
> > > > > > > projectroot/etc/rc.once.d/openssh -> /dev/null
> > > > > >
> > > > > > I don't understand why you want to disable this. The SSH server will not
> > > > > > start without host keys. Or do you want to install a static version of
> > > > > > the host keys generated at build time?
> > > > >
> > > > > Yes, keys are static, generated at build time. Root filesystem is
> > > > > read-only.
> > > > >
> > > > > > If so, there should be an option for this. But for now, in my opinion,
> > > > > > disabling OPENSSH_SSHD_GENKEYS will just lead to a broken SSH server.
> > > > >
> > > > > As this is easy to solve at BSP level I never thought it could
> > > > > be a thing :)
> > > >
> > > > OK, but at least I would mention it in the kconfig help text. The
> > >
> > > Ack.
> > >
> > > > openssh recipe could also just pick up /etc/ssh/ssh_host_*_key via
> > > > install_alternative if this option is disabled.
> > >
> > > No. Shared ssh server keys are a bad idea. That's not something I want to
> > > merge upstream.
> >
> > This was also my concern...
> >
> > >
> > > But there are other use-cases to not use rc-once, e.g. if the server keys
> > > are generated during provisioning. And not selecting rc-once in this case
> > > makes sense, so this is acceptable in general.
> >
> > I still need a way to disable openssh.postinst if OPENSSH_SSHD_GENKEYS is not set.
>
> Hmmm, right. In the BSP, a /dev/null symlink works for this as well, but
> we currently don't have a way to not install the postinst script. We could
> do something like this (untested):
>
> $(call install_script_replace, openssh, postinst, @RC_ONCE@, \
> $(call ptx/ifdef, PTXCONF_OPENSSH_SSHD_GENKEYS,,#))
>
> And in rules/openssh.postinst:
>
> #!/bin/sh
> @RC_ONCE@$DESTDIR/usr/sbin/enable-rc-once openssh
>
> This way the script may be installed, but it will do nothing if
> PTXCONF_OPENSSH_SSHD_GENKEYS is disabled.
>
> Michael
>
Diehl Connectivity Solutions GmbH
Geschäftsführung: Horst Leonberger
Sitz der Gesellschaft: Nürnberg - Registergericht: Amtsgericht
Nürnberg: HRB 32315
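Denis's advice above (keys generated per device, kept on a data/config partition, never the same key on different devices) is a policy that can be checked against a built root filesystem before it is shipped. The Python below is an added example, not ptxdist's or OpenSSH's code: it builds a few constructed rootfs trees in a temporary directory, classifies the private sshd host keys found under /etc/ssh (regular file baked into the image, symlink into the data partition, or absent) and applies the policy that static keys are never acceptable and that, if first-boot generation is disabled, the keys must come from the data partition. The /data mount point, the variant names and the helper names are assumptions.

```python
"""Audit a root filesystem tree for how sshd host keys are provided.

Added example, not ptxdist's or OpenSSH's code. It checks the policy from
the thread: an image must not carry the same ssh_host_*_key on every
device; the private keys are either absent (generated on first boot by
rc-once, or during provisioning) or symlinks into a per-device data
partition. The /data mount point and the variant names are assumptions.
"""
import os
import stat
import tempfile

DATA_PARTITION = "/data"  # assumed persistent, per-device mount point
HOST_KEY_NAMES = ("ssh_host_ed25519_key", "ssh_host_rsa_key")  # used for constructed trees


def is_private_host_key(name):
    """OpenSSH private host keys are ssh_host_<type>_key; the .pub files are excluded."""
    return name.startswith("ssh_host_") and name.endswith("_key")


def classify_host_keys(rootfs):
    """Map each private host key under <rootfs>/etc/ssh to one of:
    'static-key'       regular file baked into the image (shared by every device)
    'persistent'       symlink into the data partition (per-device, acceptable)
    'unexpected-link'  symlink pointing somewhere else
    'unexpected-type'  anything else (device node, fifo, ...)"""
    ssh_dir = os.path.join(rootfs, "etc", "ssh")
    findings = {}
    if not os.path.isdir(ssh_dir):
        return findings
    for name in sorted(os.listdir(ssh_dir)):
        if not is_private_host_key(name):
            continue
        path = os.path.join(ssh_dir, name)
        rel = "/etc/ssh/" + name
        mode = os.lstat(path).st_mode  # lstat: do not follow the link
        if stat.S_ISLNK(mode):
            target = os.readlink(path)
            findings[rel] = "persistent" if target.startswith(DATA_PARTITION + "/") else "unexpected-link"
        elif stat.S_ISREG(mode):
            findings[rel] = "static-key"
        else:
            findings[rel] = "unexpected-type"
    return findings


def image_is_acceptable(findings, genkeys_option_enabled):
    """Policy: a static private key is never acceptable and unexpected entries
    always fail. If first-boot key generation is off, sshd needs keys from
    somewhere, so at least one persistent link must exist."""
    values = set(findings.values())
    if values - {"persistent"}:
        return False
    if genkeys_option_enabled:
        return True
    return "persistent" in values


def build_sample_rootfs(base, variant):
    """Construct a throwaway rootfs tree (sample data, not a real image)."""
    ssh_dir = os.path.join(base, "etc", "ssh")
    os.makedirs(ssh_dir, exist_ok=True)
    for name in HOST_KEY_NAMES:
        path = os.path.join(ssh_dir, name)
        if variant == "static":
            # the anti-pattern: a build-time key copied into every image
            with open(path, "w") as fh:
                fh.write("-----BEGIN OPENSSH PRIVATE KEY-----\n"
                         "CONSTRUCTED PLACEHOLDER, NOT A REAL KEY\n"
                         "-----END OPENSSH PRIVATE KEY-----\n")
            os.chmod(path, 0o600)
        elif variant == "data-partition":
            os.symlink(DATA_PARTITION + "/ssh/" + name, path)
        # variant "none": nothing installed; rc-once or provisioning creates the keys
    return base


def audit_variant(variant, genkeys_option_enabled):
    """Build one constructed variant, classify it and apply the policy."""
    with tempfile.TemporaryDirectory() as tmp:
        findings = classify_host_keys(build_sample_rootfs(tmp, variant))
    return findings, image_is_acceptable(findings, genkeys_option_enabled)


if __name__ == "__main__":
    for variant, genkeys in (("static", True), ("data-partition", False), ("none", True), ("none", False)):
        findings, ok = audit_variant(variant, genkeys)
        print("%-15s GENKEYS=%-5s %s %s" % (variant, genkeys, "OK  " if ok else "FAIL", findings))
```

Pointing `classify_host_keys` at a real staging root (for example a ptxdist `platform-*/root` directory) instead of the constructed trees gives the same classification for an actual image.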
* Re: [ptxdist] [PATCH] DRAFT: openssh: make host key generation optional
From: Artur Wiebe @ 2020-11-16 19:16 UTC (permalink / raw)
To: ptxdist
Hi Michael,
I found a solution. What do you think?
Artur
On Monday, November 16, 2020 11:32 CET, Michael Olbrich <m.olbrich@pengutronix.de> wrote:
> On Mon, Nov 16, 2020 at 10:45:07AM +0100, Artur Wiebe wrote:
> > On Monday, November 16, 2020 10:36 CET, Michael Olbrich <m.olbrich@pengutronix.de> wrote:
> > > On Sun, Nov 15, 2020 at 06:08:56PM +0100, Roland Hieber wrote:
> > > > On Sun, Nov 15, 2020 at 11:06:12AM +0100, Ladislav Michl wrote:
> > > > > On Sat, Nov 14, 2020 at 09:34:47PM +0100, Roland Hieber wrote:
> > > > > > On Fri, Nov 13, 2020 at 06:46:48PM +0100, Ladislav Michl wrote:
> > > > > > > On Fri, Nov 13, 2020 at 03:19:55PM +0100, Artur Wiebe wrote:
> > > > > > > > How can openssh.postinst be disabled from within the rule files?
> > > > > > >
> > > > > > > The very same could be achieved with a symlink in your BSP:
> > > > > > > projectroot/etc/rc.once.d/openssh -> /dev/null
> > > > > >
> > > > > > I don't understand why you want to disable this. The SSH server will not
> > > > > > start without host keys. Or do you want to install a static version of
> > > > > > the host keys generated at build time?
> > > > >
> > > > > Yes, keys are static, generated at build time. Root filesystem is
> > > > > read-only.
> > > > >
> > > > > > If so, there should be an option for this. But for now, in my opinion,
> > > > > > disabling OPENSSH_SSHD_GENKEYS will just lead to a broken SSH server.
> > > > >
> > > > > As this is easy to solve at BSP level I never thought it could
> > > > > be a thing :)
> > > >
> > > > OK, but at least I would mention it in the kconfig help text. The
> > >
> > > Ack.
> > >
> > > > openssh recipe could also just pick up /etc/ssh/ssh_host_*_key via
> > > > install_alternative if this option is disabled.
> > >
> > > No. Shared ssh server keys are a bad idea. That's not something I want to
> > > merge upstream.
> >
> > This was also my concern...
> >
> > >
> > > But there are other use-cases to not use rc-once, e.g. if the server keys
> > > are generated during provisioning. And not selecting rc-once in this case
> > > makes sense, so this is acceptable in general.
> >
> > I still need a way to disable openssh.postinst if OPENSSH_SSHD_GENKEYS is not set.
>
> Hmmm, right. In the BSP, a /dev/null symlink works for this as well, but
> we currently don't have a way to not install the postinst script. We could
> do something like this (untested):
>
> $(call install_script_replace, openssh, postinst, @RC_ONCE@, \
> $(call ptx/ifdef, PTXCONF_OPENSSH_SSHD_GENKEYS,,#))
>
> And in rules/openssh.postinst:
>
> #!/bin/sh
> @RC_ONCE@$DESTDIR/usr/sbin/enable-rc-once openssh
>
> This way the script may be installed, but it will do nothing if
> PTXCONF_OPENSSH_SSHD_GENKEYS is disabled.
>
> Michael
>
> --
> Pengutronix e.K. | |
> Steuerwalder Str. 21 | http://www.pengutronix.de/ |
> 31137 Hildesheim, Germany | Phone: +49-5121-206917-0 |
> Amtsgericht Hildesheim, HRA 2686 | Fax: +49-5121-206917-5555 |
>
* Re: [ptxdist] [PATCH] DRAFT: openssh: make host key generation optional
From: Roland Hieber @ 2020-11-17 11:24 UTC (permalink / raw)
To: Artur Wiebe; +Cc: ptxdist
On Mon, Nov 16, 2020 at 08:16:32PM +0100, Artur Wiebe wrote:
> Hi Michael,
>
> I found a solution. What do you think?
Did you also intend to tell us your solution? :-)
- Roland
> Artur
>
>
> On Monday, November 16, 2020 11:32 CET, Michael Olbrich <m.olbrich@pengutronix.de> wrote:
>
> > On Mon, Nov 16, 2020 at 10:45:07AM +0100, Artur Wiebe wrote:
> > > On Monday, November 16, 2020 10:36 CET, Michael Olbrich <m.olbrich@pengutronix.de> wrote:
> > > > On Sun, Nov 15, 2020 at 06:08:56PM +0100, Roland Hieber wrote:
> > > > > On Sun, Nov 15, 2020 at 11:06:12AM +0100, Ladislav Michl wrote:
> > > > > > On Sat, Nov 14, 2020 at 09:34:47PM +0100, Roland Hieber wrote:
> > > > > > > On Fri, Nov 13, 2020 at 06:46:48PM +0100, Ladislav Michl wrote:
> > > > > > > > On Fri, Nov 13, 2020 at 03:19:55PM +0100, Artur Wiebe wrote:
> > > > > > > > > How can openssh.postinst be disabled from within the rule files?
> > > > > > > >
> > > > > > > > The very same could be achieved with a symlink in your BSP:
> > > > > > > > projectroot/etc/rc.once.d/openssh -> /dev/null
> > > > > > >
> > > > > > > I don't understand why you want to disable this. The SSH server will not
> > > > > > > start without host keys. Or do you want to install a static version of
> > > > > > > the host keys generated at build time?
> > > > > >
> > > > > > Yes, keys are static, generated at build time. Root filesystem is
> > > > > > read-only.
> > > > > >
> > > > > > > If so, there should be an option for this. But for now, in my opinion,
> > > > > > > disabling OPENSSH_SSHD_GENKEYS will just lead to a broken SSH server.
> > > > > >
> > > > > > As this is easy to solve at BSP level I never thought it could
> > > > > > be a thing :)
> > > > >
> > > > > OK, but at least I would mention it in the kconfig help text. The
> > > >
> > > > Ack.
> > > >
> > > > > openssh recipe could also just pick up /etc/ssh/ssh_host_*_key via
> > > > > install_alternative if this option is disabled.
> > > >
> > > > No. Shared ssh server keys are a bad idea. That's not something I want to
> > > > merge upstream.
> > >
> > > This was also my concern...
> > >
> > > >
> > > > But there are other use-cases to not use rc-once, e.g. if the server keys
> > > > are generated during provisioning. And not selecting rc-once in this case
> > > > makes sense, so this is acceptable in general.
> > >
> > > I still need a way to disable openssh.postinst if OPENSSH_SSHD_GENKEYS is not set.
> >
> > Hmmm, right. In the BSP, a /dev/null symlink works for this as well, but
> > we currently don't have a way to not install the postinst script. We could
> > do something like this (untested):
> >
> > $(call install_script_replace, openssh, postinst, @RC_ONCE@, \
> > $(call ptx/ifdef, PTXCONF_OPENSSH_SSHD_GENKEYS,,#))
> >
> > And in rules/openssh.postinst:
> >
> > #!/bin/sh
> > @RC_ONCE@$DESTDIR/usr/sbin/enable-rc-once openssh
> >
> > This way the script may be installed, but it will do nothing if
> > PTXCONF_OPENSSH_SSHD_GENKEYS is disabled.
> >
> > Michael
> >
> > --
> > Pengutronix e.K. | |
> > Steuerwalder Str. 21 | http://www.pengutronix.de/ |
> > 31137 Hildesheim, Germany | Phone: +49-5121-206917-0 |
> > Amtsgericht Hildesheim, HRA 2686 | Fax: +49-5121-206917-5555 |
> >
>
--
Roland Hieber, Pengutronix e.K. | r.hieber@pengutronix.de |
Steuerwalder Str. 21 | https://www.pengutronix.de/ |
31137 Hildesheim, Germany | Phone: +49-5121-206917-0 |
Amtsgericht Hildesheim, HRA 2686 | Fax: +49-5121-206917-5555 |
* Re: [ptxdist] [PATCH] DRAFT: openssh: make host key generation optional
From: Roland Hieber @ 2020-11-17 11:29 UTC (permalink / raw)
To: Artur Wiebe; +Cc: ptxdist
On Tue, Nov 17, 2020 at 12:24:21PM +0100, Roland Hieber wrote:
> On Mon, Nov 16, 2020 at 08:16:32PM +0100, Artur Wiebe wrote:
> > Hi Michael,
> >
> > I found a solution. What do you think?
>
> Did you also intend to tell us your solution? :-)
Ah, now I see. Your mail read like you had forgotten an attachment, but
you were referring to a mail in a different thread, which I hadn't seen
yet.
See <20201116191113.239636-1-artur@4wiebe.de> (2020-11-16, Artur Wiebe: "[ptxdist] [PATCH] openssh: make host key generation optional")
- Roland
--
Roland Hieber, Pengutronix e.K. | r.hieber@pengutronix.de |
Steuerwalder Str. 21 | https://www.pengutronix.de/ |
31137 Hildesheim, Germany | Phone: +49-5121-206917-0 |
Amtsgericht Hildesheim, HRA 2686 | Fax: +49-5121-206917-5555 |