* [ptxdist] [PATCH] DRAFT: openssh: make host key generation optional
From: Artur Wiebe @ 2020-11-13 14:19 UTC (permalink / raw)
To: ptxdist; +Cc: Artur Wiebe
How can openssh.postinst be disabled from within the rule files?
---
rules/openssh.in | 14 ++++++++++----
rules/openssh.make | 2 ++
2 files changed, 12 insertions(+), 4 deletions(-)
diff --git a/rules/openssh.in b/rules/openssh.in
index 09f5c5555..f9d1affbd 100644
--- a/rules/openssh.in
+++ b/rules/openssh.in
@@ -6,10 +6,10 @@ menuconfig OPENSSH
select OPENSSL
select LIBC_CRYPT
select LIBC_UTIL
- select RC_ONCE if OPENSSH_SSHD && RUNTIME
+ select RC_ONCE if OPENSSH_SSHD_GENKEYS && RUNTIME
select BUSYBOX_START_STOP_DAEMON if OPENSSH_SSHD_STARTSCRIPT
select LIBSELINUX if GLOBAL_SELINUX
- select OPENSSH_KEYGEN if OPENSSH_SSHD
+ select OPENSSH_KEYGEN if OPENSSH_SSHD_GENKEYS
prompt "openssh "
help
secure shell client/server, an rlogin/rsh/rcp replacement
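Review bot: `select OPENSSH_KEYGEN if OPENSSH_SSHD_GENKEYS` means ssh-keygen is no longer installed on the target when the new option is off, yet the case the option is meant for (host keys created on the device during provisioning rather than by rc.once) is exactly the one that needs ssh-keygen present; either keep `select OPENSSH_KEYGEN if OPENSSH_SSHD` or state in the help text of OPENSSH_SSHD_GENKEYS that the BSP has to select OPENSSH_KEYGEN itself.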
@@ -40,15 +40,21 @@ config OPENSSH_SSHD
config OPENSSH_SSHD_STARTSCRIPT
bool
default y
- depends on OPENSSH_SSHD
+ depends on OPENSSH_SSHD && INITMETHOD_BBINIT
prompt "install /etc/init.d/openssh"
config OPENSSH_SSHD_SYSTEMD_UNIT
bool
default y
- depends on OPENSSH_SSHD && SYSTEMD
+ depends on OPENSSH_SSHD && INITMETHOD_SYSTEMD
prompt "install systemd unit files for sshd"
+config OPENSSH_SSHD_GENKEYS
+ bool
+ default y
+ depends on OPENSSH_SSHD
+ prompt "generate sshd host keys at first boot"
+
config OPENSSH_SCP
bool "scp"
help
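Review bot: the `depends on OPENSSH_SSHD && INITMETHOD_BBINIT` and `depends on OPENSSH_SSHD && INITMETHOD_SYSTEMD` changes to OPENSSH_SSHD_STARTSCRIPT and OPENSSH_SSHD_SYSTEMD_UNIT have nothing to do with making key generation optional and belong in a separate patch. The new OPENSSH_SSHD_GENKEYS entry is also missing a help text: it should say that with the option disabled no host keys are created on the target and sshd will not start until keys are supplied by other means, and that a per-device key is expected rather than one key copied into every image.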
diff --git a/rules/openssh.make b/rules/openssh.make
index cae04487f..0da2f23cd 100644
--- a/rules/openssh.make
+++ b/rules/openssh.make
@@ -105,8 +105,10 @@ ifdef PTXCONF_OPENSSH_SSHD
/etc/ssh/moduli)
@$(call install_copy, openssh, 0, 0, 0755, -, \
/usr/sbin/sshd)
+ifdef OPENSSH_SSHD_GENKEYS
@$(call install_alternative, openssh, 0, 0, 0755, /etc/rc.once.d/openssh)
endif
+endif
ifdef PTXCONF_INITMETHOD_BBINIT
ifdef PTXCONF_OPENSSH_SSHD_STARTSCRIPT
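Review bot: `ifdef OPENSSH_SSHD_GENKEYS` lacks the PTXCONF_ prefix that the surrounding `ifdef PTXCONF_OPENSSH_SSHD` and `ifdef PTXCONF_INITMETHOD_BBINIT` use, so the variable is never defined in the make context and /etc/rc.once.d/openssh is never installed, even with the option enabled; it should read `ifdef PTXCONF_OPENSSH_SSHD_GENKEYS`. Skipping the rc.once.d script is also only half of the change: rules/openssh.postinst still calls enable-rc-once unconditionally, which is the open question in the cover text, so the postinst needs to be made conditional on the same option.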
--
2.29.2
_______________________________________________
ptxdist mailing list
ptxdist@pengutronix.de
To unsubscribe, send a mail with subject "unsubscribe" to ptxdist-request@pengutronix.de
* Re: [ptxdist] [PATCH] DRAFT: openssh: make host key generation optional
From: Ladislav Michl @ 2020-11-13 17:46 UTC (permalink / raw)
To: ptxdist; +Cc: Artur Wiebe
On Fri, Nov 13, 2020 at 03:19:55PM +0100, Artur Wiebe wrote:
> How can openssh.postinst be disabled from within the rule files?
The very same could be achieved with a symlink in your BSP:
projectroot/etc/rc.once.d/openssh -> /dev/null
> ---
> rules/openssh.in | 14 ++++++++++----
> rules/openssh.make | 2 ++
> 2 files changed, 12 insertions(+), 4 deletions(-)
>
> diff --git a/rules/openssh.in b/rules/openssh.in
> index 09f5c5555..f9d1affbd 100644
> --- a/rules/openssh.in
> +++ b/rules/openssh.in
> @@ -6,10 +6,10 @@ menuconfig OPENSSH
> select OPENSSL
> select LIBC_CRYPT
> select LIBC_UTIL
> - select RC_ONCE if OPENSSH_SSHD && RUNTIME
> + select RC_ONCE if OPENSSH_SSHD_GENKEYS && RUNTIME
> select BUSYBOX_START_STOP_DAEMON if OPENSSH_SSHD_STARTSCRIPT
> select LIBSELINUX if GLOBAL_SELINUX
> - select OPENSSH_KEYGEN if OPENSSH_SSHD
> + select OPENSSH_KEYGEN if OPENSSH_SSHD_GENKEYS
> prompt "openssh "
> help
> secure shell client/server, an rlogin/rsh/rcp replacement
> @@ -40,15 +40,21 @@ config OPENSSH_SSHD
> config OPENSSH_SSHD_STARTSCRIPT
> bool
> default y
> - depends on OPENSSH_SSHD
> + depends on OPENSSH_SSHD && INITMETHOD_BBINIT
> prompt "install /etc/init.d/openssh"
>
> config OPENSSH_SSHD_SYSTEMD_UNIT
> bool
> default y
> - depends on OPENSSH_SSHD && SYSTEMD
> + depends on OPENSSH_SSHD && INITMETHOD_SYSTEMD
> prompt "install systemd unit files for sshd"
>
> +config OPENSSH_SSHD_GENKEYS
> + bool
> + default y
> + depends on OPENSSH_SSHD
> + prompt "generate sshd host keys at first boot"
> +
> config OPENSSH_SCP
> bool "scp"
> help
> diff --git a/rules/openssh.make b/rules/openssh.make
> index cae04487f..0da2f23cd 100644
> --- a/rules/openssh.make
> +++ b/rules/openssh.make
> @@ -105,8 +105,10 @@ ifdef PTXCONF_OPENSSH_SSHD
> /etc/ssh/moduli)
> @$(call install_copy, openssh, 0, 0, 0755, -, \
> /usr/sbin/sshd)
> +ifdef OPENSSH_SSHD_GENKEYS
> @$(call install_alternative, openssh, 0, 0, 0755, /etc/rc.once.d/openssh)
> endif
> +endif
>
> ifdef PTXCONF_INITMETHOD_BBINIT
> ifdef PTXCONF_OPENSSH_SSHD_STARTSCRIPT
> --
> 2.29.2
>
>
* Re: [ptxdist] [PATCH] DRAFT: openssh: make host key generation optional
From: Roland Hieber @ 2020-11-14 20:34 UTC (permalink / raw)
To: Artur Wiebe; +Cc: ptxdist
On Fri, Nov 13, 2020 at 06:46:48PM +0100, Ladislav Michl wrote:
> On Fri, Nov 13, 2020 at 03:19:55PM +0100, Artur Wiebe wrote:
> > How can openssh.postinst be disabled from within the rule files?
>
> The very same could be achieved with symlink in your BSP:
> projectroot/etc/rc.once.d/openssh -> /dev/null
I don't understand why you want to disable this. The SSH server will not
start without host keys. Or do you want to install a static version of
the host keys generated at build time? If so, there should be an option
for this. But for now, in my opinion, disabling OPENSSH_SSHD_GENKEYS
will just lead to a broken SSH server.
- Roland
>
> > ---
> > rules/openssh.in | 14 ++++++++++----
> > rules/openssh.make | 2 ++
> > 2 files changed, 12 insertions(+), 4 deletions(-)
> >
> > diff --git a/rules/openssh.in b/rules/openssh.in
> > index 09f5c5555..f9d1affbd 100644
> > --- a/rules/openssh.in
> > +++ b/rules/openssh.in
> > @@ -6,10 +6,10 @@ menuconfig OPENSSH
> > select OPENSSL
> > select LIBC_CRYPT
> > select LIBC_UTIL
> > - select RC_ONCE if OPENSSH_SSHD && RUNTIME
> > + select RC_ONCE if OPENSSH_SSHD_GENKEYS && RUNTIME
> > select BUSYBOX_START_STOP_DAEMON if OPENSSH_SSHD_STARTSCRIPT
> > select LIBSELINUX if GLOBAL_SELINUX
> > - select OPENSSH_KEYGEN if OPENSSH_SSHD
> > + select OPENSSH_KEYGEN if OPENSSH_SSHD_GENKEYS
> > prompt "openssh "
> > help
> > secure shell client/server, an rlogin/rsh/rcp replacement
> > @@ -40,15 +40,21 @@ config OPENSSH_SSHD
> > config OPENSSH_SSHD_STARTSCRIPT
> > bool
> > default y
> > - depends on OPENSSH_SSHD
> > + depends on OPENSSH_SSHD && INITMETHOD_BBINIT
> > prompt "install /etc/init.d/openssh"
> >
> > config OPENSSH_SSHD_SYSTEMD_UNIT
> > bool
> > default y
> > - depends on OPENSSH_SSHD && SYSTEMD
> > + depends on OPENSSH_SSHD && INITMETHOD_SYSTEMD
> > prompt "install systemd unit files for sshd"
> >
> > +config OPENSSH_SSHD_GENKEYS
> > + bool
> > + default y
> > + depends on OPENSSH_SSHD
> > + prompt "generate sshd host keys at first boot"
> > +
> > config OPENSSH_SCP
> > bool "scp"
> > help
> > diff --git a/rules/openssh.make b/rules/openssh.make
> > index cae04487f..0da2f23cd 100644
> > --- a/rules/openssh.make
> > +++ b/rules/openssh.make
> > @@ -105,8 +105,10 @@ ifdef PTXCONF_OPENSSH_SSHD
> > /etc/ssh/moduli)
> > @$(call install_copy, openssh, 0, 0, 0755, -, \
> > /usr/sbin/sshd)
> > +ifdef OPENSSH_SSHD_GENKEYS
> > @$(call install_alternative, openssh, 0, 0, 0755, /etc/rc.once.d/openssh)
> > endif
> > +endif
> >
> > ifdef PTXCONF_INITMETHOD_BBINIT
> > ifdef PTXCONF_OPENSSH_SSHD_STARTSCRIPT
> > --
> > 2.29.2
> >
> >
--
Roland Hieber, Pengutronix e.K. | r.hieber@pengutronix.de |
Steuerwalder Str. 21 | https://www.pengutronix.de/ |
31137 Hildesheim, Germany | Phone: +49-5121-206917-0 |
Amtsgericht Hildesheim, HRA 2686 | Fax: +49-5121-206917-5555 |
* Re: [ptxdist] [PATCH] DRAFT: openssh: make host key generation optional
From: Ladislav Michl @ 2020-11-15 10:06 UTC (permalink / raw)
To: Roland Hieber; +Cc: Artur Wiebe, ptxdist
On Sat, Nov 14, 2020 at 09:34:47PM +0100, Roland Hieber wrote:
> On Fri, Nov 13, 2020 at 06:46:48PM +0100, Ladislav Michl wrote:
> > On Fri, Nov 13, 2020 at 03:19:55PM +0100, Artur Wiebe wrote:
> > > How can openssh.postinst be disabled from within the rule files?
> >
> > The very same could be achieved with symlink in your BSP:
> > projectroot/etc/rc.once.d/openssh -> /dev/null
>
> I don't understand why you want to disable this. The SSH server will not
> start without host keys. Or do you want to install a static version of
> the host keys generated at build time?
Yes, keys are static, generated at build time. Root filesystem is
read-only.
> If so, there should be an option for this. But for now, in my opinion,
> disabling OPENSSH_SSHD_GENKEYS will just lead to a broken SSH server.
As this is easy to solve at BSP level I never thought it could
be a thing :)
ladis
* Re: [ptxdist] [PATCH] DRAFT: openssh: make host key generation optional
From: Roland Hieber @ 2020-11-15 17:08 UTC (permalink / raw)
To: Ladislav Michl; +Cc: Artur Wiebe, ptxdist
On Sun, Nov 15, 2020 at 11:06:12AM +0100, Ladislav Michl wrote:
> On Sat, Nov 14, 2020 at 09:34:47PM +0100, Roland Hieber wrote:
> > On Fri, Nov 13, 2020 at 06:46:48PM +0100, Ladislav Michl wrote:
> > > On Fri, Nov 13, 2020 at 03:19:55PM +0100, Artur Wiebe wrote:
> > > > How can openssh.postinst be disabled from within the rule files?
> > >
> > > The very same could be achieved with symlink in your BSP:
> > > projectroot/etc/rc.once.d/openssh -> /dev/null
> >
> > I don't understand why you want to disable this. The SSH server will not
> > start without host keys. Or do you want to install a static version of
> > the host keys generated at build time?
>
> Yes, keys are static, generated at build time. Root filesystem is
> read-only.
>
> > If so, there should be an option for this. But for now, in my opinion,
> > disabling OPENSSH_SSHD_GENKEYS will just lead to a broken SSH server.
>
> As this is easy to solve at BSP level I never thought it could
> be a thing :)
OK, but at least I would mention it in the kconfig help text. The
openssh recipe could also just pick up /etc/ssh/ssh_host_*_key via
install_alternative if this option is disabled.
- Roland
* Re: [ptxdist] [PATCH] DRAFT: openssh: make host key generation optional
From: Michael Olbrich @ 2020-11-16 9:36 UTC (permalink / raw)
To: ptxdist
On Sun, Nov 15, 2020 at 06:08:56PM +0100, Roland Hieber wrote:
> On Sun, Nov 15, 2020 at 11:06:12AM +0100, Ladislav Michl wrote:
> > On Sat, Nov 14, 2020 at 09:34:47PM +0100, Roland Hieber wrote:
> > > On Fri, Nov 13, 2020 at 06:46:48PM +0100, Ladislav Michl wrote:
> > > > On Fri, Nov 13, 2020 at 03:19:55PM +0100, Artur Wiebe wrote:
> > > > > How can openssh.postinst be disabled from within the rule files?
> > > >
> > > > The very same could be achieved with symlink in your BSP:
> > > > projectroot/etc/rc.once.d/openssh -> /dev/null
> > >
> > > I don't understand why you want to disable this. The SSH server will not
> > > start without host keys. Or do you want to install a static version of
> > > the host keys generated at build time?
> >
> > Yes, keys are static, generated at build time. Root filesystem is
> > read-only.
> >
> > > If so, there should be an option for this. But for now, in my opinion,
> > > disabling OPENSSH_SSHD_GENKEYS will just lead to a broken SSH server.
> >
> > As this is easy to solve at BSP level I never thought it could
> > be a thing :)
>
> OK, but at least I would mention it in the kconfig help text. The
Ack.
> openssh recipe could also just pick up /etc/ssh/ssh_host_*_key via
> install_alternative if this option is disabled.
No. Shared ssh server keys are a bad idea. That's not something I want to
merge upstream.
But there are other use-cases to not use rc-once, e.g. if the server keys
are generated during provisioning. And not selecting rc-once in this case
makes sense, so this is acceptable in general.
Michael
* Re: [ptxdist] [PATCH] DRAFT: openssh: make host key generation optional
From: Michael Olbrich @ 2020-11-16 9:36 UTC (permalink / raw)
To: ptxdist; +Cc: Artur Wiebe
On Fri, Nov 13, 2020 at 03:19:55PM +0100, Artur Wiebe wrote:
> How can openssh.postinst be disabled from within the rule files?
> ---
> rules/openssh.in | 14 ++++++++++----
> rules/openssh.make | 2 ++
> 2 files changed, 12 insertions(+), 4 deletions(-)
>
> diff --git a/rules/openssh.in b/rules/openssh.in
> index 09f5c5555..f9d1affbd 100644
> --- a/rules/openssh.in
> +++ b/rules/openssh.in
> @@ -6,10 +6,10 @@ menuconfig OPENSSH
> select OPENSSL
> select LIBC_CRYPT
> select LIBC_UTIL
> - select RC_ONCE if OPENSSH_SSHD && RUNTIME
> + select RC_ONCE if OPENSSH_SSHD_GENKEYS && RUNTIME
> select BUSYBOX_START_STOP_DAEMON if OPENSSH_SSHD_STARTSCRIPT
> select LIBSELINUX if GLOBAL_SELINUX
> - select OPENSSH_KEYGEN if OPENSSH_SSHD
> + select OPENSSH_KEYGEN if OPENSSH_SSHD_GENKEYS
> prompt "openssh "
> help
> secure shell client/server, an rlogin/rsh/rcp replacement
> @@ -40,15 +40,21 @@ config OPENSSH_SSHD
> config OPENSSH_SSHD_STARTSCRIPT
> bool
> default y
> - depends on OPENSSH_SSHD
> + depends on OPENSSH_SSHD && INITMETHOD_BBINIT
unrelated.
> prompt "install /etc/init.d/openssh"
>
> config OPENSSH_SSHD_SYSTEMD_UNIT
> bool
> default y
> - depends on OPENSSH_SSHD && SYSTEMD
> + depends on OPENSSH_SSHD && INITMETHOD_SYSTEMD
this as well.
Michael
> prompt "install systemd unit files for sshd"
>
> +config OPENSSH_SSHD_GENKEYS
> + bool
> + default y
> + depends on OPENSSH_SSHD
> + prompt "generate sshd host keys at first boot"
> +
> config OPENSSH_SCP
> bool "scp"
> help
> diff --git a/rules/openssh.make b/rules/openssh.make
> index cae04487f..0da2f23cd 100644
> --- a/rules/openssh.make
> +++ b/rules/openssh.make
> @@ -105,8 +105,10 @@ ifdef PTXCONF_OPENSSH_SSHD
> /etc/ssh/moduli)
> @$(call install_copy, openssh, 0, 0, 0755, -, \
> /usr/sbin/sshd)
> +ifdef OPENSSH_SSHD_GENKEYS
> @$(call install_alternative, openssh, 0, 0, 0755, /etc/rc.once.d/openssh)
> endif
> +endif
>
> ifdef PTXCONF_INITMETHOD_BBINIT
> ifdef PTXCONF_OPENSSH_SSHD_STARTSCRIPT
> --
> 2.29.2
>
>
* Re: [ptxdist] [PATCH] DRAFT: openssh: make host key generation optional
From: Artur Wiebe @ 2020-11-16 9:45 UTC (permalink / raw)
To: ptxdist
On Monday, November 16, 2020 10:36 CET, Michael Olbrich <m.olbrich@pengutronix.de> wrote:
> On Sun, Nov 15, 2020 at 06:08:56PM +0100, Roland Hieber wrote:
> > On Sun, Nov 15, 2020 at 11:06:12AM +0100, Ladislav Michl wrote:
> > > On Sat, Nov 14, 2020 at 09:34:47PM +0100, Roland Hieber wrote:
> > > > On Fri, Nov 13, 2020 at 06:46:48PM +0100, Ladislav Michl wrote:
> > > > > On Fri, Nov 13, 2020 at 03:19:55PM +0100, Artur Wiebe wrote:
> > > > > > How can openssh.postinst be disabled from within the rule files?
> > > > >
> > > > > The very same could be achieved with symlink in your BSP:
> > > > > projectroot/etc/rc.once.d/openssh -> /dev/null
> > > >
> > > > I don't understand why you want to disable this. The SSH server will not
> > > > start without host keys. Or do you want to install a static version of
> > > > the host keys generated at build time?
> > >
> > > Yes, keys are static, generated at build time. Root filesystem is
> > > read-only.
> > >
> > > > If so, there should be an option for this. But for now, in my opinion,
> > > > disabling OPENSSH_SSHD_GENKEYS will just lead to a broken SSH server.
> > >
> > > As this is easy to solve at BSP level I never thought it could
> > > be a thing :)
> >
> > OK, but at least I would mention it in the kconfig help text. The
>
> Ack.
>
> > openssh recipe could also just pick up /etc/ssh/ssh_host_*_key via
> > install_alternative if this option is disabled.
>
> No. Shared ssh server keys are a bad idea. That's not something I want to
> merge upstream.
This was also my concern...
>
> But there are other use-cases to not use rc-once, e.g. if the server keys
> are generated during provisioning. And not selecting rc-once in this case
> makes sense, so this is acceptable im general.
I still need a way to disable openssh.postinst if OPENSSH_SSHD_GENKEYS is not set.
>
> Michael
>
>
* Re: [ptxdist] [PATCH] DRAFT: openssh: make host key generation optional
From: Michael Olbrich @ 2020-11-16 10:32 UTC (permalink / raw)
To: ptxdist
On Mon, Nov 16, 2020 at 10:45:07AM +0100, Artur Wiebe wrote:
> On Monday, November 16, 2020 10:36 CET, Michael Olbrich <m.olbrich@pengutronix.de> wrote:
> > On Sun, Nov 15, 2020 at 06:08:56PM +0100, Roland Hieber wrote:
> > > On Sun, Nov 15, 2020 at 11:06:12AM +0100, Ladislav Michl wrote:
> > > > On Sat, Nov 14, 2020 at 09:34:47PM +0100, Roland Hieber wrote:
> > > > > On Fri, Nov 13, 2020 at 06:46:48PM +0100, Ladislav Michl wrote:
> > > > > > On Fri, Nov 13, 2020 at 03:19:55PM +0100, Artur Wiebe wrote:
> > > > > > > How can openssh.postinst be disabled from within the rule files?
> > > > > >
> > > > > > The very same could be achieved with symlink in your BSP:
> > > > > > projectroot/etc/rc.once.d/openssh -> /dev/null
> > > > >
> > > > > I don't understand why you want to disable this. The SSH server will not
> > > > > start without host keys. Or do you want to install a static version of
> > > > > the host keys generated at build time?
> > > >
> > > > Yes, keys are static, generated at build time. Root filesystem is
> > > > read-only.
> > > >
> > > > > If so, there should be an option for this. But for now, in my opinion,
> > > > > disabling OPENSSH_SSHD_GENKEYS will just lead to a broken SSH server.
> > > >
> > > > As this is easy to solve at BSP level I never thought it could
> > > > be a thing :)
> > >
> > > OK, but at least I would mention it in the kconfig help text. The
> >
> > Ack.
> >
> > > openssh recipe could also just pick up /etc/ssh/ssh_host_*_key via
> > > install_alternative if this option is disabled.
> >
> > No. Shared ssh server keys are a bad idea. That's not something I want to
> > merge upstream.
>
> This was also my concern...
>
> >
> > But there are other use-cases to not use rc-once, e.g. if the server keys
> > are generated during provisioning. And not selecting rc-once in this case
> > makes sense, so this is acceptable im general.
>
> I still need a way to disable openssh.postinst if OPENSSH_SSHD_GENKEYS is not set.
Hmmm, right. In the BSP, a /dev/null symlink works for this as well, but
we currently don't have a way to not install the postinst script. We could
do something like this (untested):
$(call install_script_replace, openssh, postinst, @RC_ONCE@, \
$(call ptx/ifdef, PTXCONF_OPENSSH_SSHD_GENKEYS,,#))
And in rules/openssh.postinst:
#!/bin/sh
@RC_ONCE@$DESTDIR/usr/sbin/enable-rc-once openssh
This way the script may be installed, but it will do nothing if
PTXCONF_OPENSSH_SSHD_GENKEYS is disabled.
Michael
--
Pengutronix e.K. | |
Steuerwalder Str. 21 | http://www.pengutronix.de/ |
31137 Hildesheim, Germany | Phone: +49-5121-206917-0 |
Amtsgericht Hildesheim, HRA 2686 | Fax: +49-5121-206917-5555 |
* Re: [ptxdist] [PATCH] DRAFT: openssh: make host key generation optional
From: Artur Wiebe @ 2020-11-16 15:09 UTC (permalink / raw)
To: ptxdist
Doesn't work... :(
On Monday, November 16, 2020 11:32 CET, Michael Olbrich <m.olbrich@pengutronix.de> wrote:
> On Mon, Nov 16, 2020 at 10:45:07AM +0100, Artur Wiebe wrote:
> > On Monday, November 16, 2020 10:36 CET, Michael Olbrich <m.olbrich@pengutronix.de> wrote:
> > > On Sun, Nov 15, 2020 at 06:08:56PM +0100, Roland Hieber wrote:
> > > > On Sun, Nov 15, 2020 at 11:06:12AM +0100, Ladislav Michl wrote:
> > > > > On Sat, Nov 14, 2020 at 09:34:47PM +0100, Roland Hieber wrote:
> > > > > > On Fri, Nov 13, 2020 at 06:46:48PM +0100, Ladislav Michl wrote:
> > > > > > > On Fri, Nov 13, 2020 at 03:19:55PM +0100, Artur Wiebe wrote:
> > > > > > > > How can openssh.postinst be disabled from within the rule files?
> > > > > > >
> > > > > > > The very same could be achieved with symlink in your BSP:
> > > > > > > projectroot/etc/rc.once.d/openssh -> /dev/null
> > > > > >
> > > > > > I don't understand why you want to disable this. The SSH server will not
> > > > > > start without host keys. Or do you want to install a static version of
> > > > > > the host keys generated at build time?
> > > > >
> > > > > Yes, keys are static, generated at build time. Root filesystem is
> > > > > read-only.
> > > > >
> > > > > > If so, there should be an option for this. But for now, in my opinion,
> > > > > > disabling OPENSSH_SSHD_GENKEYS will just lead to a broken SSH server.
> > > > >
> > > > > As this is easy to solve at BSP level I never thought it could
> > > > > be a thing :)
> > > >
> > > > OK, but at least I would mention it in the kconfig help text. The
> > >
> > > Ack.
> > >
> > > > openssh recipe could also just pick up /etc/ssh/ssh_host_*_key via
> > > > install_alternative if this option is disabled.
> > >
> > > No. Shared ssh server keys are a bad idea. That's not something I want to
> > > merge upstream.
> >
> > This was also my concern...
> >
> > >
> > > But there are other use-cases to not use rc-once, e.g. if the server keys
> > > are generated during provisioning. And not selecting rc-once in this case
> > > makes sense, so this is acceptable im general.
> >
> > I still need a way to disable openssh.postinst if OPENSSH_SSHD_GENKEYS is not set.
>
> Hmmm, right. In the BSP, a /dev/null symlinks works for this as well, but
> we currently don't have a way to not install the postinst script. We could
> do something like this (untested):
>
> $(call install_script_replace, openssh, postinst, @RC_ONCE@, \
> $(call ptx/ifdef, PTXCONF_OPENSSH_SSHD_GENKEYS,,#))
-----------------------------
target: openssh.targetinstall
-----------------------------
install_init: preparing for image creation of 'openssh'...
install_init: @ARCH@ -> x86_64
install_init: @PACKAGE@ -> openssh
install_init: @VERSION@ -> 8.3p1
install_init: @DEPENDS@ -> openssl, rc-once, zlib
install_init: preinst not available
install_init: postinst packaging: 'root/rules/openssh.postinst'
install_init: prerm not available
install_init: postrm not available
install_fixup: @PRIORITY@ -> optional ... done.
install_fixup: @SECTION@ -> base ... done.
install_fixup: @AUTHOR@ -> "Marc Kleine-Budde <mkl\@pengutronix.de>" ... done.
install_fixup: @DESCRIPTION@ -> missing ... done.
XPKG=openssh; FILE=postinst; PLACEHOLDER=@RC_ONCE@; VALUE=; CMD="install_script_replace"; if [ ! -f "/tmp/ptxdist.qS1dcP/openssh.targetinstall.$XPKG" ]; then echo; echo "Error: install_init was not called for package '$XPKG'!"; echo "This is probably caused by a typo in the package name of:"; echo "\$(call $CMD, $XPKG, ...)"; echo; exit 1; fi; echo "ptxd_install_script_replace '$FILE' '$PLACEHOLDER' '$VALUE'" >> "/mnt/root/platform-x86/state/$XPKG.cmds"
xpkg_finish: collecting license (BSD AND BSD-2-Clause AND BSD-3-Clause AND MIT AND Beerware AND ISC) ... done.
xpkg_finish: creating opkg package ...
ptxdist: error: ptxd_install_script_replace: 'dst' must be an absolute path!
xpkg_finish: failed.
>
> And in rules/openssh.postinst:
>
> #!/bin/sh
> @RC_ONCE@$DESTDIR/usr/sbin/enable-rc-once openssh
>
> This way the script may be installed, but it will do nothing. If
> PTXCONF_OPENSSH_SSHD_GENKEYS is disabled.
>
> Michael
>
* Re: [ptxdist] [PATCH] DRAFT: openssh: make host key generation optional
From: Denis Osterland-Heim @ 2020-11-16 15:26 UTC (permalink / raw)
To: ptxdist
Hi,
If I have a ro root, I disable rc-once completely and implement something comparable for a data partition
and mount the device-unique keys to /etc/ssh/.
rc-once mounts your ro root rw and stores something, at least the "done" marker file, on your root.
I assume you are fine with these changes and just want to keep the key over updates, and therefore you should really consider a data/config partition.
You may also generate the keys in production and mount the config partition read-only to /etc/ssh/.
But do NOT deploy the same key to different devices.
Regards, Denis
On Monday, 16.11.2020, 11:32 +0100, Michael Olbrich wrote:
> On Mon, Nov 16, 2020 at 10:45:07AM +0100, Artur Wiebe wrote:
> > On Monday, November 16, 2020 10:36 CET, Michael Olbrich <m.olbrich@pengutronix.de> wrote:
> > > On Sun, Nov 15, 2020 at 06:08:56PM +0100, Roland Hieber wrote:
> > > > On Sun, Nov 15, 2020 at 11:06:12AM +0100, Ladislav Michl wrote:
> > > > > On Sat, Nov 14, 2020 at 09:34:47PM +0100, Roland Hieber wrote:
> > > > > > On Fri, Nov 13, 2020 at 06:46:48PM +0100, Ladislav Michl wrote:
> > > > > > > On Fri, Nov 13, 2020 at 03:19:55PM +0100, Artur Wiebe wrote:
> > > > > > > > How can openssh.postinst be disabled from within the rule files?
> > > > > > >
> > > > > > > The very same could be achieved with symlink in your BSP:
> > > > > > > projectroot/etc/rc.once.d/openssh -> /dev/null
> > > > > >
> > > > > > I don't understand why you want to disable this. The SSH server will not
> > > > > > start without host keys. Or do you want to install a static version of
> > > > > > the host keys generated at build time?
> > > > >
> > > > > Yes, keys are static, generated at build time. Root filesystem is
> > > > > read-only.
> > > > >
> > > > > > If so, there should be an option for this. But for now, in my opinion,
> > > > > > disabling OPENSSH_SSHD_GENKEYS will just lead to a broken SSH server.
> > > > >
> > > > > As this is easy to solve at BSP level I never thought it could
> > > > > be a thing :)
> > > >
> > > > OK, but at least I would mention it in the kconfig help text. The
> > >
> > > Ack.
> > >
> > > > openssh recipe could also just pick up /etc/ssh/ssh_host_*_key via
> > > > install_alternative if this option is disabled.
> > >
> > > No. Shared ssh server keys are a bad idea. That's not something I want to
> > > merge upstream.
> >
> > This was also my concern...
> >
> > >
> > > But there are other use-cases to not use rc-once, e.g. if the server keys
> > > are generated during provisioning. And not selecting rc-once in this case
> > > makes sense, so this is acceptable im general.
> >
> > I still need a way to disable openssh.postinst if OPENSSH_SSHD_GENKEYS is not set.
>
> Hmmm, right. In the BSP, a /dev/null symlink works for this as well, but
> we currently don't have a way to not install the postinst script. We could
> do something like this (untested):
>
> $(call install_script_replace, openssh, postinst, @RC_ONCE@, \
> $(call ptx/ifdef, PTXCONF_OPENSSH_SSHD_GENKEYS,,#))
>
> And in rules/openssh.postinst:
>
> #!/bin/sh
> @RC_ONCE@$DESTDIR/usr/sbin/enable-rc-once openssh
>
> This way the script may be installed, but it will do nothing if
> PTXCONF_OPENSSH_SSHD_GENKEYS is disabled.
>
> Michael
>
Diehl Connectivity Solutions GmbH
Managing director: Horst Leonberger
Registered office: Nürnberg - Register court: Amtsgericht Nürnberg: HRB 32315
________________________________
The contents of the above-mentioned e-mail are not legally binding. This e-mail contains confidential and/or legally protected information. Please inform us if you have received this e-mail by mistake and delete it in such a case. Each unauthorized reproduction, disclosure, alteration, distribution and/or publication of this e-mail is strictly prohibited.
- For general information on data protection and your respective rights please visit:
https://www.diehl.com/group/en/transparency-and-information-obligations/
_______________________________________________
ptxdist mailing list
ptxdist@pengutronix.de
To unsubscribe, send a mail with subject "unsubscribe" to ptxdist-request@pengutronix.de
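The two failure modes argued about in the quoted discussion (private sshd host keys baked into the image and shared by every unit, versus no keys and no first-boot generation so that sshd never starts) can be caught by a post-build check on the unpacked root filesystem. The script below is an added example and is not ptxdist's or any thread participant's code; it assumes the paths named in the thread (/etc/ssh/ssh_host_*_key and the /etc/rc.once.d/openssh hook), treats an executable rc.once hook as "keys are generated at first boot", and builds its own scratch rootfs directories with constructed placeholder key material.

```shell
#!/bin/sh
# Added example, not ptxdist code: classify an unpacked root filesystem by
# how it provides sshd host keys.  Assumptions: private keys live at
# /etc/ssh/ssh_host_*_key and first-boot generation is an executable hook
# at /etc/rc.once.d/openssh (the hook installed by rules/openssh.make).

# list_host_keys ROOTFS: print the private host key files found in the
# image, with the rootfs prefix stripped.  The glob ends in "_key", so
# the public ".pub" files are not matched.
list_host_keys() {
    for f in "$1"/etc/ssh/ssh_host_*_key; do
        [ -f "$f" ] && printf '%s\n' "${f#$1}"
    done
    return 0
}

# check_host_keys ROOTFS: print one of
#   baked-in   private keys shipped in the image (identical on every unit)
#   first-boot no keys, executable rc.once hook generates them on device
#   broken     no keys and no usable hook, sshd cannot start
# A /etc/rc.once.d/openssh -> /dev/null symlink (the BSP trick from the
# thread) is not executable, so without shipped keys it is "broken".
check_host_keys() {
    keys=$(list_host_keys "$1")
    hook="$1/etc/rc.once.d/openssh"
    if [ -n "$keys" ]; then
        echo baked-in
    elif [ -x "$hook" ]; then
        echo first-boot
    else
        echo broken
    fi
}

# make_rootfs VARIANT: create a scratch image layout for the demo and print
# its path.  Variants: baked, rconce, nullsym, none.  Key contents are
# constructed placeholders, not real key material.
make_rootfs() {
    d=$(mktemp -d)
    mkdir -p "$d/etc/ssh" "$d/etc/rc.once.d"
    case "$1" in
        baked)
            printf '%s\n' '-----BEGIN OPENSSH PRIVATE KEY-----' \
                'constructed-placeholder' \
                '-----END OPENSSH PRIVATE KEY-----' \
                > "$d/etc/ssh/ssh_host_ed25519_key"
            printf 'ssh-ed25519 CONSTRUCTED\n' > "$d/etc/ssh/ssh_host_ed25519_key.pub"
            ;;
        rconce)
            # Stand-in for the rc.once hook that runs ssh-keygen at first boot.
            printf '#!/bin/sh\nssh-keygen -A\n' > "$d/etc/rc.once.d/openssh"
            chmod +x "$d/etc/rc.once.d/openssh"
            ;;
        nullsym)
            ln -s /dev/null "$d/etc/rc.once.d/openssh"
            ;;
        none) ;;
    esac
    echo "$d"
}

# Stand-alone run: show the verdict for every variant.
for v in baked rconce nullsym none; do
    r=$(make_rootfs "$v")
    printf '%-8s %s\n' "$v" "$(check_host_keys "$r")"
    rm -rf "$r"
done
```

The "broken" verdict for the /dev/null symlink is the point Roland raises in the quoted text: disabling generation without providing keys from somewhere else (for example during provisioning) leaves sshd unable to start, while "baked-in" is the case Michael refuses to support upstream.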
* Re: [ptxdist] [PATCH] DRAFT: openssh: make host key generation optional
2020-11-16 10:32 ` Michael Olbrich
2020-11-16 15:09 ` Artur Wiebe
2020-11-16 15:26 ` Denis Osterland-Heim
@ 2020-11-16 19:16 ` Artur Wiebe
2020-11-17 11:24 ` Roland Hieber
2 siblings, 1 reply; 15+ messages in thread
From: Artur Wiebe @ 2020-11-16 19:16 UTC (permalink / raw)
To: ptxdist
Hi Michael,
I found a solution. What do you think?
Artur
On Monday, November 16, 2020 11:32 CET, Michael Olbrich <m.olbrich@pengutronix.de> wrote:
> On Mon, Nov 16, 2020 at 10:45:07AM +0100, Artur Wiebe wrote:
> > On Monday, November 16, 2020 10:36 CET, Michael Olbrich <m.olbrich@pengutronix.de> wrote:
> > > On Sun, Nov 15, 2020 at 06:08:56PM +0100, Roland Hieber wrote:
> > > > On Sun, Nov 15, 2020 at 11:06:12AM +0100, Ladislav Michl wrote:
> > > > > On Sat, Nov 14, 2020 at 09:34:47PM +0100, Roland Hieber wrote:
> > > > > > On Fri, Nov 13, 2020 at 06:46:48PM +0100, Ladislav Michl wrote:
> > > > > > > On Fri, Nov 13, 2020 at 03:19:55PM +0100, Artur Wiebe wrote:
> > > > > > > > How can openssh.postinst be disabled from within the rule files?
> > > > > > >
> > > > > > > The very same could be achieved with symlink in your BSP:
> > > > > > > projectroot/etc/rc.once.d/openssh -> /dev/null
> > > > > >
> > > > > > I don't understand why you want to disable this. The SSH server will not
> > > > > > start without host keys. Or do you want to install a static version of
> > > > > > the host keys generated at build time?
> > > > >
> > > > > Yes, keys are static, generated at build time. Root filesystem is
> > > > > read-only.
> > > > >
> > > > > > If so, there should be an option for this. But for now, in my opinion,
> > > > > > disabling OPENSSH_SSHD_GENKEYS will just lead to a broken SSH server.
> > > > >
> > > > > As this is easy to solve at BSP level I never thought it could
> > > > > be a thing :)
> > > >
> > > > OK, but at least I would mention it in the kconfig help text. The
> > >
> > > Ack.
> > >
> > > > openssh recipe could also just pick up /etc/ssh/ssh_host_*_key via
> > > > install_alternative if this option is disabled.
> > >
> > > No. Shared ssh server keys are a bad idea. That's not something I want to
> > > merge upstream.
> >
> > This was also my concern...
> >
> > >
> > > But there are other use-cases to not use rc-once, e.g. if the server keys
> > > are generated during provisioning. And not selecting rc-once in this case
> > > makes sense, so this is acceptable in general.
> >
> > I still need a way to disable openssh.postinst if OPENSSH_SSHD_GENKEYS is not set.
>
> Hmmm, right. In the BSP, a /dev/null symlink works for this as well, but
> we currently don't have a way to not install the postinst script. We could
> do something like this (untested):
>
> $(call install_script_replace, openssh, postinst, @RC_ONCE@, \
> $(call ptx/ifdef, PTXCONF_OPENSSH_SSHD_GENKEYS,,#))
>
> And in rules/openssh.postinst:
>
> #!/bin/sh
> @RC_ONCE@$DESTDIR/usr/sbin/enable-rc-once openssh
>
> This way the script may be installed, but it will do nothing if
> PTXCONF_OPENSSH_SSHD_GENKEYS is disabled.
>
> Michael
>
> --
> Pengutronix e.K. | |
> Steuerwalder Str. 21 | http://www.pengutronix.de/ |
> 31137 Hildesheim, Germany | Phone: +49-5121-206917-0 |
> Amtsgericht Hildesheim, HRA 2686 | Fax: +49-5121-206917-5555 |
>
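Michael's proposal quoted above (a @RC_ONCE@ placeholder in rules/openssh.postinst that is replaced by an empty string when PTXCONF_OPENSSH_SSHD_GENKEYS is set and by "#" otherwise) can be exercised outside ptxdist. The script below is an added example, not ptxdist code and not from the thread: a sed substitution stands in for ptxd_install_script_replace, a small ptx_ifdef mimics $(call ptx/ifdef, VAR, then, else), and enable-rc-once is a stub that only records that it was invoked.

```shell
#!/bin/sh
# Added example, not ptxdist code: show that commenting a line out via a
# placeholder turns the postinst into a no-op when key generation is off.

# The postinst template exactly as proposed in the thread.
POSTINST_TEMPLATE='#!/bin/sh
@RC_ONCE@$DESTDIR/usr/sbin/enable-rc-once openssh'

# ptx_ifdef VALUE THEN ELSE: stand-in for $(call ptx/ifdef, VAR, then, else).
# Prints THEN when VALUE is non-empty, ELSE otherwise.
ptx_ifdef() {
    if [ -n "$1" ]; then printf '%s' "$2"; else printf '%s' "$3"; fi
}

# render_postinst GENKEYS: print the postinst with @RC_ONCE@ substituted,
# mirroring $(call install_script_replace, openssh, postinst, @RC_ONCE@,
#   $(call ptx/ifdef, PTXCONF_OPENSSH_SSHD_GENKEYS,,#)).
# The sed call is an assumption about what the ptxdist helper does.
render_postinst() {
    value=$(ptx_ifdef "$1" "" "#")
    printf '%s\n' "$POSTINST_TEMPLATE" | sed "s|@RC_ONCE@|$value|g"
}

# count_commands SCRIPT_TEXT: number of lines that would execute, i.e.
# everything that is not blank and not a comment (the shebang counts as a
# comment here).
count_commands() {
    printf '%s\n' "$1" | grep -cv -e '^#' -e '^[[:space:]]*$' || true
}

# run_postinst GENKEYS: render the script, run it against a scratch
# $DESTDIR with a stub enable-rc-once that leaves a marker file, and
# print "enabled" or "not-enabled".
run_postinst() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/usr/sbin"
    # Stub: the real enable-rc-once marks the rc.once hook to run at boot.
    printf '#!/bin/sh\necho "$1" > "%s/enabled"\n' "$tmp" \
        > "$tmp/usr/sbin/enable-rc-once"
    chmod +x "$tmp/usr/sbin/enable-rc-once"
    render_postinst "$1" > "$tmp/postinst"
    DESTDIR="$tmp" sh "$tmp/postinst"
    if [ -f "$tmp/enabled" ]; then echo enabled; else echo not-enabled; fi
    rm -rf "$tmp"
}

# Stand-alone run: both configurations side by side.
for genkeys in y ""; do
    printf 'GENKEYS=%-2s commands=%s result=%s\n' "${genkeys:-n}" \
        "$(count_commands "$(render_postinst "$genkeys")")" \
        "$(run_postinst "$genkeys")"
done
```

The trick only works because the placeholder sits at the start of the line and the command fits on that one line; a multi-line postinst would need the whole body guarded, not just its first line.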
* Re: [ptxdist] [PATCH] DRAFT: openssh: make host key generation optional
2020-11-16 15:09 ` Artur Wiebe
@ 2020-11-17 6:55 ` Michael Olbrich
0 siblings, 0 replies; 15+ messages in thread
From: Michael Olbrich @ 2020-11-17 6:55 UTC (permalink / raw)
To: ptxdist
On Mon, Nov 16, 2020 at 04:09:58PM +0100, Artur Wiebe wrote:
> Doesn't work... :(
Hmm, might be a bug in install_script_replace. It's not actually used in
any upstream package... I'll have a closer look.
Michael
> On Monday, November 16, 2020 11:32 CET, Michael Olbrich <m.olbrich@pengutronix.de> wrote:
>
> > On Mon, Nov 16, 2020 at 10:45:07AM +0100, Artur Wiebe wrote:
> > > On Monday, November 16, 2020 10:36 CET, Michael Olbrich <m.olbrich@pengutronix.de> wrote:
> > > > On Sun, Nov 15, 2020 at 06:08:56PM +0100, Roland Hieber wrote:
> > > > > On Sun, Nov 15, 2020 at 11:06:12AM +0100, Ladislav Michl wrote:
> > > > > > On Sat, Nov 14, 2020 at 09:34:47PM +0100, Roland Hieber wrote:
> > > > > > > On Fri, Nov 13, 2020 at 06:46:48PM +0100, Ladislav Michl wrote:
> > > > > > > > On Fri, Nov 13, 2020 at 03:19:55PM +0100, Artur Wiebe wrote:
> > > > > > > > > How can openssh.postinst be disabled from within the rule files?
> > > > > > > >
> > > > > > > > The very same could be achieved with symlink in your BSP:
> > > > > > > > projectroot/etc/rc.once.d/openssh -> /dev/null
> > > > > > >
> > > > > > > I don't understand why you want to disable this. The SSH server will not
> > > > > > > start without host keys. Or do you want to install a static version of
> > > > > > > the host keys generated at build time?
> > > > > >
> > > > > > Yes, keys are static, generated at build time. Root filesystem is
> > > > > > read-only.
> > > > > >
> > > > > > > If so, there should be an option for this. But for now, in my opinion,
> > > > > > > disabling OPENSSH_SSHD_GENKEYS will just lead to a broken SSH server.
> > > > > >
> > > > > > As this is easy to solve at BSP level I never thought it could
> > > > > > be a thing :)
> > > > >
> > > > > OK, but at least I would mention it in the kconfig help text. The
> > > >
> > > > Ack.
> > > >
> > > > > openssh recipe could also just pick up /etc/ssh/ssh_host_*_key via
> > > > > install_alternative if this option is disabled.
> > > >
> > > > No. Shared ssh server keys are a bad idea. That's not something I want to
> > > > merge upstream.
> > >
> > > This was also my concern...
> > >
> > > >
> > > > But there are other use-cases to not use rc-once, e.g. if the server keys
> > > > are generated during provisioning. And not selecting rc-once in this case
> > > > makes sense, so this is acceptable in general.
> > >
> > > I still need a way to disable openssh.postinst if OPENSSH_SSHD_GENKEYS is not set.
> >
> > Hmmm, right. In the BSP, a /dev/null symlink works for this as well, but
> > we currently don't have a way to not install the postinst script. We could
> > do something like this (untested):
> >
> > $(call install_script_replace, openssh, postinst, @RC_ONCE@, \
> > $(call ptx/ifdef, PTXCONF_OPENSSH_SSHD_GENKEYS,,#))
>
> -----------------------------
> target: openssh.targetinstall
> -----------------------------
>
> install_init: preparing for image creation of 'openssh'...
> install_init: @ARCH@ -> x86_64
> install_init: @PACKAGE@ -> openssh
> install_init: @VERSION@ -> 8.3p1
> install_init: @DEPENDS@ -> openssl, rc-once, zlib
> install_init: preinst not available
> install_init: postinst packaging: 'root/rules/openssh.postinst'
> install_init: prerm not available
> install_init: postrm not available
> install_fixup: @PRIORITY@ -> optional ... done.
> install_fixup: @SECTION@ -> base ... done.
> install_fixup: @AUTHOR@ -> "Marc Kleine-Budde <mkl\@pengutronix.de>" ... done.
> install_fixup: @DESCRIPTION@ -> missing ... done.
> XPKG=openssh; FILE=postinst; PLACEHOLDER=@RC_ONCE@; VALUE=; CMD="install_script_replace"; if [ ! -f "/tmp/ptxdist.qS1dcP/openssh.targetinstall.$XPKG" ]; then echo; echo "Error: install_init was not called for package '$XPKG'!"; echo "This is probably caused by a typo in the package name of:"; echo "\$(call $CMD, $XPKG, ...)"; echo; exit 1; fi; echo "ptxd_install_script_replace '$FILE' '$PLACEHOLDER' '$VALUE'" >> "/mnt/root/platform-x86/state/$XPKG.cmds"
> xpkg_finish: collecting license (BSD AND BSD-2-Clause AND BSD-3-Clause AND MIT AND Beerware AND ISC) ... done.
> xpkg_finish: creating opkg package ...
>
>
> ptxdist: error: ptxd_install_script_replace: 'dst' must be an absolute path!
>
>
> xpkg_finish: failed.
>
> >
> > And in rules/openssh.postinst:
> >
> > #!/bin/sh
> > @RC_ONCE@$DESTDIR/usr/sbin/enable-rc-once openssh
> >
> > This way the script may be installed, but it will do nothing if
> > PTXCONF_OPENSSH_SSHD_GENKEYS is disabled.
> >
> > Michael
> >
> > --
> > Pengutronix e.K. | |
> > Steuerwalder Str. 21 | http://www.pengutronix.de/ |
> > 31137 Hildesheim, Germany | Phone: +49-5121-206917-0 |
> > Amtsgericht Hildesheim, HRA 2686 | Fax: +49-5121-206917-5555 |
> >
--
Pengutronix e.K. | |
Steuerwalder Str. 21 | http://www.pengutronix.de/ |
31137 Hildesheim, Germany | Phone: +49-5121-206917-0 |
Amtsgericht Hildesheim, HRA 2686 | Fax: +49-5121-206917-5555 |
* Re: [ptxdist] [PATCH] DRAFT: openssh: make host key generation optional
2020-11-16 19:16 ` Artur Wiebe
@ 2020-11-17 11:24 ` Roland Hieber
2020-11-17 11:29 ` Roland Hieber
0 siblings, 1 reply; 15+ messages in thread
From: Roland Hieber @ 2020-11-17 11:24 UTC (permalink / raw)
To: Artur Wiebe; +Cc: ptxdist
On Mon, Nov 16, 2020 at 08:16:32PM +0100, Artur Wiebe wrote:
> Hi Michael,
>
> I found a solution. What do you think?
Did you also intend to tell us your solution? :-)
- Roland
> Artur
>
>
> On Monday, November 16, 2020 11:32 CET, Michael Olbrich <m.olbrich@pengutronix.de> wrote:
>
> > On Mon, Nov 16, 2020 at 10:45:07AM +0100, Artur Wiebe wrote:
> > > On Monday, November 16, 2020 10:36 CET, Michael Olbrich <m.olbrich@pengutronix.de> wrote:
> > > > On Sun, Nov 15, 2020 at 06:08:56PM +0100, Roland Hieber wrote:
> > > > > On Sun, Nov 15, 2020 at 11:06:12AM +0100, Ladislav Michl wrote:
> > > > > > On Sat, Nov 14, 2020 at 09:34:47PM +0100, Roland Hieber wrote:
> > > > > > > On Fri, Nov 13, 2020 at 06:46:48PM +0100, Ladislav Michl wrote:
> > > > > > > > On Fri, Nov 13, 2020 at 03:19:55PM +0100, Artur Wiebe wrote:
> > > > > > > > > How can openssh.postinst be disabled from within the rule files?
> > > > > > > >
> > > > > > > > The very same could be achieved with symlink in your BSP:
> > > > > > > > projectroot/etc/rc.once.d/openssh -> /dev/null
> > > > > > >
> > > > > > > I don't understand why you want to disable this. The SSH server will not
> > > > > > > start without host keys. Or do you want to install a static version of
> > > > > > > the host keys generated at build time?
> > > > > >
> > > > > > Yes, keys are static, generated at build time. Root filesystem is
> > > > > > read-only.
> > > > > >
> > > > > > > If so, there should be an option for this. But for now, in my opinion,
> > > > > > > disabling OPENSSH_SSHD_GENKEYS will just lead to a broken SSH server.
> > > > > >
> > > > > > As this is easy to solve at BSP level I never thought it could
> > > > > > be a thing :)
> > > > >
> > > > > OK, but at least I would mention it in the kconfig help text. The
> > > >
> > > > Ack.
> > > >
> > > > > openssh recipe could also just pick up /etc/ssh/ssh_host_*_key via
> > > > > install_alternative if this option is disabled.
> > > >
> > > > No. Shared ssh server keys are a bad idea. That's not something I want to
> > > > merge upstream.
> > >
> > > This was also my concern...
> > >
> > > >
> > > > But there are other use-cases to not use rc-once, e.g. if the server keys
> > > > are generated during provisioning. And not selecting rc-once in this case
> > > > makes sense, so this is acceptable in general.
> > >
> > > I still need a way to disable openssh.postinst if OPENSSH_SSHD_GENKEYS is not set.
> >
> > Hmmm, right. In the BSP, a /dev/null symlink works for this as well, but
> > we currently don't have a way to not install the postinst script. We could
> > do something like this (untested):
> >
> > $(call install_script_replace, openssh, postinst, @RC_ONCE@, \
> > $(call ptx/ifdef, PTXCONF_OPENSSH_SSHD_GENKEYS,,#))
> >
> > And in rules/openssh.postinst:
> >
> > #!/bin/sh
> > @RC_ONCE@$DESTDIR/usr/sbin/enable-rc-once openssh
> >
> > This way the script may be installed, but it will do nothing if
> > PTXCONF_OPENSSH_SSHD_GENKEYS is disabled.
> >
> > Michael
> >
> > --
> > Pengutronix e.K. | |
> > Steuerwalder Str. 21 | http://www.pengutronix.de/ |
> > 31137 Hildesheim, Germany | Phone: +49-5121-206917-0 |
> > Amtsgericht Hildesheim, HRA 2686 | Fax: +49-5121-206917-5555 |
> >
--
Roland Hieber, Pengutronix e.K. | r.hieber@pengutronix.de |
Steuerwalder Str. 21 | https://www.pengutronix.de/ |
31137 Hildesheim, Germany | Phone: +49-5121-206917-0 |
Amtsgericht Hildesheim, HRA 2686 | Fax: +49-5121-206917-5555 |
* Re: [ptxdist] [PATCH] DRAFT: openssh: make host key generation optional
2020-11-17 11:24 ` Roland Hieber
@ 2020-11-17 11:29 ` Roland Hieber
0 siblings, 0 replies; 15+ messages in thread
From: Roland Hieber @ 2020-11-17 11:29 UTC (permalink / raw)
To: Artur Wiebe; +Cc: ptxdist
On Tue, Nov 17, 2020 at 12:24:21PM +0100, Roland Hieber wrote:
> On Mon, Nov 16, 2020 at 08:16:32PM +0100, Artur Wiebe wrote:
> > Hi Michael,
> >
> > I found a solution. What do you think?
>
> Did you also intend to tell us your solution? :-)
Ah, now I see. Your mail read like you had forgotten an attachment, but
you were referring to a mail in a different thread, which I hadn't seen
yet.
See <20201116191113.239636-1-artur@4wiebe.de> (2020-11-16, Artur Wiebe: "[ptxdist] [PATCH] openssh: make host key generation optional")
- Roland
--
Roland Hieber, Pengutronix e.K. | r.hieber@pengutronix.de |
Steuerwalder Str. 21 | https://www.pengutronix.de/ |
31137 Hildesheim, Germany | Phone: +49-5121-206917-0 |
Amtsgericht Hildesheim, HRA 2686 | Fax: +49-5121-206917-5555 |
end of thread, other threads:[~2020-11-17 11:29 UTC | newest]
Thread overview: 15+ messages
2020-11-13 14:19 [ptxdist] [PATCH] DRAFT: openssh: make host key generation optional Artur Wiebe
2020-11-13 17:46 ` Ladislav Michl
2020-11-14 20:34 ` Roland Hieber
2020-11-15 10:06 ` Ladislav Michl
2020-11-15 17:08 ` Roland Hieber
2020-11-16 9:36 ` Michael Olbrich
2020-11-16 9:45 ` Artur Wiebe
2020-11-16 10:32 ` Michael Olbrich
2020-11-16 15:09 ` Artur Wiebe
2020-11-17 6:55 ` Michael Olbrich
2020-11-16 15:26 ` Denis Osterland-Heim
2020-11-16 19:16 ` Artur Wiebe
2020-11-17 11:24 ` Roland Hieber
2020-11-17 11:29 ` Roland Hieber
2020-11-16 9:36 ` [ptxdist] [PATCH] DRAFT: openssh: make host key generation optional Michael Olbrich