authorAndré Draszik <adraszik@tycoint.com>2017-06-09 14:38:14 +0100
committerRichard Purdie <richard.purdie@linuxfoundation.org>2017-06-12 15:08:31 +0100
commit00e83cb02954b61ecfa9f30f6779ec323b95197c (patch)
treef856ad642bb64bddea129e859437d316086bda26
parentbd2b33486e647c6e7f1351270d5bca4d300d18b5 (diff)
downloadpoky-00e83cb02954b61ecfa9f30f6779ec323b95197c.tar.gz
openssh: allow to override OpenSSL HostKeys when read-only-rootfs
With these changes it is possible to have a .bbappend that: sets SYSCONFDIR to some persistent storage, and modifies SYSCONFDIR/sshd_config to use ssh host keys from the (writable) sysconfdir. (From OE-Core rev: 106b59d9f96f70d133fa1421091ad280d27a5b6a) Signed-off-by: André Draszik <adraszik@tycoint.com> Reviewed-by: Stephane Ayotte <sayotte@tycoint.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
-rw-r--r--meta/classes/rootfs-postcommands.bbclass4
-rw-r--r--meta/recipes-connectivity/openssh/openssh/init46
2 files changed, 44 insertions, 6 deletions
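--- a/meta/classes/rootfs-postcommands.bbclass
+++ b/meta/classes/rootfs-postcommands.bbclass
@@ -93,10 +93,10 @@ read_only_rootfs_hook () {
 	# and the keys under /var/run/ssh.
 	if [ -d ${IMAGE_ROOTFS}/etc/ssh ]; then
 		if [ -e ${IMAGE_ROOTFS}/etc/ssh/ssh_host_rsa_key ]; then
-			echo "SYSCONFDIR=/etc/ssh" >> ${IMAGE_ROOTFS}/etc/default/ssh
+			echo "SYSCONFDIR=\${SYSCONFDIR:-/etc/ssh}" >> ${IMAGE_ROOTFS}/etc/default/ssh
 			echo "SSHD_OPTS=" >> ${IMAGE_ROOTFS}/etc/default/ssh
 		else
-			echo "SYSCONFDIR=/var/run/ssh" >> ${IMAGE_ROOTFS}/etc/default/ssh
+			echo "SYSCONFDIR=\${SYSCONFDIR:-/var/run/ssh}" >> ${IMAGE_ROOTFS}/etc/default/ssh
 			echo "SSHD_OPTS='-f /etc/ssh/sshd_config_readonly'" >> ${IMAGE_ROOTFS}/etc/default/ssh
 		fi
 	fi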
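Review bot: The two new echo lines mix build-time and target-time expansion without saying so: `${IMAGE_ROOTFS}` is expanded when the image is built, while the escaped `\${SYSCONFDIR:-...}` is written literally into /etc/default/ssh and only expanded on the target when that file is sourced, so any SYSCONFDIR already set at that point wins over the image-time default. That is the whole mechanism the commit relies on, and a reader skimming the hook will likely "fix" the backslash. I would add above the first echo: `# \$ is deliberate: SYSCONFDIR is resolved on the target when /etc/default/ssh is sourced, so a value set earlier (e.g. by a .bbappend) overrides the image default.` The enclosing read_only_rootfs_hook starts before this hunk.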
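--- a/meta/recipes-connectivity/openssh/openssh/init
+++ b/meta/recipes-connectivity/openssh/openssh/init
@@ -19,10 +19,24 @@ fi
 [ -z "$SYSCONFDIR" ] && SYSCONFDIR=/etc/ssh
 mkdir -p $SYSCONFDIR
 
-HOST_KEY_RSA=$SYSCONFDIR/ssh_host_rsa_key
-HOST_KEY_DSA=$SYSCONFDIR/ssh_host_dsa_key
-HOST_KEY_ECDSA=$SYSCONFDIR/ssh_host_ecdsa_key
-HOST_KEY_ED25519=$SYSCONFDIR/ssh_host_ed25519_key
+parse_sshd_opts() {
+	set -- ${SSHD_OPTS} --
+	sshd_config=/etc/ssh/sshd_config
+	while true ; do
+		case "$1" in
+			-f*) if [ "$1" = "-f" ] ; then
+				sshd_config="$2"
+				shift
+			else
+				sshd_config="${1#-f}"
+			fi
+			shift
+			;;
+			--) shift; break;;
+			*) shift;;
+		esac
+	done
+}
 
 check_for_no_start() {
 	# forget it if we're trying to start, and /etc/ssh/sshd_not_to_be_run exists
@@ -45,21 +59,45 @@ check_config() {
 }
 
 check_keys() {
+	# parse location of keys
+	local HOST_KEY_RSA
+	local HOST_KEY_DSA
+	local HOST_KEY_ECDSA
+	local HOST_KEY_ED25519
+
+	parse_sshd_opts
+	HOST_KEY_RSA=$(grep ^HostKey "${sshd_config}" | grep _rsa_ | tail -1 | awk ' { print $2 } ')
+	[ -z "${HOST_KEY_RSA}" ] && HOST_KEY_RSA=$(grep HostKey "${sshd_config}" | grep _rsa_ | tail -1 | awk ' { print $2 } ')
+	[ -z "${HOST_KEY_RSA}" ] && HOST_KEY_RSA=$SYSCONFDIR/ssh_host_rsa_key
+	HOST_KEY_DSA=$(grep ^HostKey "${sshd_config}" | grep _dsa_ | tail -1 | awk ' { print $2 } ')
+	[ -z "${HOST_KEY_DSA}" ] && HOST_KEY_DSA=$(grep HostKey "${sshd_config}" | grep _dsa_ | tail -1 | awk ' { print $2 } ')
+	[ -z "${HOST_KEY_DSA}" ] && HOST_KEY_DSA=$SYSCONFDIR/ssh_host_dsa_key
+	HOST_KEY_ECDSA=$(grep ^HostKey "${sshd_config}" | grep _ecdsa_ | tail -1 | awk ' { print $2 } ')
+	[ -z "${HOST_KEY_ECDSA}" ] && HOST_KEY_ECDSA=$(grep HostKey "${sshd_config}" | grep _ecdsa_ | tail -1 | awk ' { print $2 } ')
+	[ -z "${HOST_KEY_ECDSA}" ] && HOST_KEY_ECDSA=$SYSCONFDIR/ssh_host_ecdsa_key
+	HOST_KEY_ED25519=$(grep ^HostKey "${sshd_config}" | grep _ed25519_ | tail -1 | awk ' { print $2 } ')
+	[ -z "${HOST_KEY_ED25519}" ] && HOST_KEY_ED25519=$(grep HostKey "${sshd_config}" | grep _ed25519_ | tail -1 | awk ' { print $2 } ')
+	[ -z "${HOST_KEY_ED25519}" ] && HOST_KEY_ED25519=$SYSCONFDIR/ssh_host_ed25519_key
+
 	# create keys if necessary
 	if [ ! -f $HOST_KEY_RSA ]; then
 		echo " generating ssh RSA key..."
+		mkdir -p $(dirname $HOST_KEY_RSA)
 		ssh-keygen -q -f $HOST_KEY_RSA -N '' -t rsa
 	fi
 	if [ ! -f $HOST_KEY_ECDSA ]; then
 		echo " generating ssh ECDSA key..."
+		mkdir -p $(dirname $HOST_KEY_ECDSA)
 		ssh-keygen -q -f $HOST_KEY_ECDSA -N '' -t ecdsa
 	fi
 	if [ ! -f $HOST_KEY_DSA ]; then
 		echo " generating ssh DSA key..."
+		mkdir -p $(dirname $HOST_KEY_DSA)
 		ssh-keygen -q -f $HOST_KEY_DSA -N '' -t dsa
 	fi
 	if [ ! -f $HOST_KEY_ED25519 ]; then
 		echo " generating ssh ED25519 key..."
+		mkdir -p $(dirname $HOST_KEY_ED25519)
 		ssh-keygen -q -f $HOST_KEY_ED25519 -N '' -t ed25519
 	fi
 }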
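Review bot: The unanchored fallback `grep HostKey "${sshd_config}"` on new lines 70, 73, 76 and 79 of check_keys also matches commented-out `#HostKey ...` lines, so a config whose HostKey directives are all commented makes the script generate keys at the commented path rather than under `$SYSCONFDIR`, which on a read-only rootfs may not be writable and is not necessarily where sshd will look; conversely the anchored `grep ^HostKey` misses indented or differently-cased directives even though sshd treats keywords case-insensitively. If matching the stock commented defaults is intended, say so in a comment; otherwise a single comment-skipping, case-insensitive pattern such as `grep -i '^[[:space:]]*HostKey[[:space:]]' "${sshd_config}"` in place of both greps would make the script track only what sshd actually honours (paths containing whitespace would still be truncated by `awk '{ print $2 }'`). parse_sshd_opts in the previous hunk communicates with check_keys only through the global `sshd_config`, which is easy to miss; a header comment on it along the lines of `# Sets the global sshd_config from a -f option in SSHD_OPTS (default /etc/ssh/sshd_config); SSHD_OPTS is expected to be set before this is called` would document that contract. Where SSHD_OPTS is sourced from is outside the hunk, so I am inferring it comes from /etc/default/ssh.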