From mboxrd@z Thu Jan 1 00:00:00 1970 Delivery-date: Fri, 15 Oct 2021 15:22:55 +0200 Received: from metis.ext.pengutronix.de ([2001:67c:670:201:290:27ff:fe1d:cc33]) by lore.white.stw.pengutronix.de with esmtp (Exim 4.92) (envelope-from ) id 1mbNAl-0007Cs-I4 for lore@lore.pengutronix.de; Fri, 15 Oct 2021 15:22:55 +0200 Received: from localhost ([127.0.0.1] helo=metis.ext.pengutronix.de) by metis.ext.pengutronix.de with esmtp (Exim 4.92) (envelope-from ) id 1mbNAl-00063z-1T; Fri, 15 Oct 2021 15:22:55 +0200 Received: from mail.thorsis.com ([92.198.35.195]) by metis.ext.pengutronix.de with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from ) id 1mbNAY-00062z-S1; Fri, 15 Oct 2021 15:22:43 +0200 Received: from localhost (localhost [127.0.0.1]) by mail.thorsis.com (Postfix) with ESMTP id EAB2AD8C; Fri, 15 Oct 2021 15:22:41 +0200 (CEST) X-Virus-Scanned: Debian amavisd-new at mail.thorsis.com Received: from mail.thorsis.com ([127.0.0.1]) by localhost (mail.thorsis.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id IlSBmrbi3Qk2; Fri, 15 Oct 2021 15:22:41 +0200 (CEST) Received: by mail.thorsis.com (Postfix, from userid 109) id CA2712947; Fri, 15 Oct 2021 15:22:41 +0200 (CEST) From: Alexander Dahl To: ptxdist@pengutronix.de Date: Fri, 15 Oct 2021 15:22:38 +0200 Message-ID: <2079639.0kxC3BAhfv@ada> In-Reply-To: <20211015125245.GD2239952@pengutronix.de> References: <20211011125401.30402-1-ada@thorsis.com> <20211015125245.GD2239952@pengutronix.de> X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on metis.ext.pengutronix.de X-Spam-Level: X-Spam-Status: No, score=-2.6 required=4.0 tests=AWL,BAYES_00,SPF_HELO_NONE, SPF_PASS autolearn=ham autolearn_force=no version=3.4.2 Subject: Re: [ptxdist] [RFC PATCH] rc-once: openssh: Do not overwrite existing keys X-BeenThere: ptxdist@pengutronix.de X-Mailman-Version: 2.1.29 Precedence: list List-Id: PTXdist Development Mailing List List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Reply-To: ptxdist@pengutronix.de Cc: Michael Olbrich , Marc Kleine-Budde , Alexander Stein MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Sender: "ptxdist" X-SA-Exim-Connect-IP: 127.0.0.1 X-SA-Exim-Mail-From: ptxdist-bounces@pengutronix.de X-SA-Exim-Scanned: No (on metis.ext.pengutronix.de); SAEximRunCond expanded to false Hello Michael, Am Freitag, 15. Oktober 2021, 14:52:45 CEST schrieb Michael Olbrich: > On Mon, Oct 11, 2021 at 02:54:01PM +0200, Alexander Dahl wrote: > > When storing your keys not in rootfs but on a separate data partition > > (using symbolic links or overlay fs), keys are overwritten on each > > firmware upgrade which lets rc-once run again (which happens when using > > opkg upgrade/update or RAUC in an A/B scheme for example). > > > > Changing keys are at best annoying, but may be interpreted as an attack > > as well. > > This has come up before (I'm not sure if it was on this list or some other > channel). I'm not quite certain how to handle this. > > Someone may depend on the current behavior. I think it's rather unlikely so > I'll probably ignore that but we should keep it in mind. Yes, I thought about that. That's why I wanted to discuss it first. > I'm more concerned with broken keys caused by power failures or things like > that while the keys are created. So maybe a better check than just file > existence? > > > For dropbear the same behaviour was implemented with ac97e77eedf7 > > ("[dropbear] rc.once: only generate keys if they aren't present yet"). > > Marc applied that patch. I'm probably a bit more pedantic about stuff like > that :-). > > > Signed-off-by: Alexander Dahl > > --- > > > > projectroot/etc/rc.once.d/openssh | 1 + > > 1 file changed, 1 insertion(+) > > > > diff --git a/projectroot/etc/rc.once.d/openssh > > b/projectroot/etc/rc.once.d/openssh index 545586f07..595e28477 100644 > > --- a/projectroot/etc/rc.once.d/openssh > > +++ b/projectroot/etc/rc.once.d/openssh > > @@ -27,6 +27,7 @@ create_keys() { > > > > hostkeys="$(get_hostkeys)" || return > > > > for keyfile in $hostkeys; do > > > > + [ -e "$keyfile" ] && continue > > Maybe: > > [ -s "$keyfile" ] && ssh-keygen -l -f "$keyfile.pub" > /dev/null && > continue > > A non-empty private key file and a probably valid public key should be > sufficient to prevent issues with power failures, I think. It's a good idea to have a better check than just for file existence! We already had that empty file problem in the past. That would also be nice to have for the dropbear package. Not sure yet about that public key check, but I'll have a look into it. Thanks for your feedback, I'll send a v2 with improved checks later. Greets Alex > > Michael > > > create_key "$keyfile" || return > > > > done > > > > } > > > > base-commit: 51994d1b518323d2975491090a2452d34b1a39f9 -- _______________________________________________ ptxdist mailing list ptxdist@pengutronix.de To unsubscribe, send a mail with subject "unsubscribe" to ptxdist-request@pengutronix.de