authorJoshua Watt <jpewhacker@gmail.com>2017-07-03 20:18:18 -0500
committerRichard Purdie <richard.purdie@linuxfoundation.org>2017-09-25 14:14:16 +0100
commitae32558a19ae3b3f175365dc0e10fa74a91e28ce (patch)
tree6f5476c59bf2c89c13100f6b2ccf6497bfcf02d2 /meta
parentedcf39820f94c84b29c95a0d7b16b8d36857e87b (diff)
downloadpoky-ae32558a19ae3b3f175365dc0e10fa74a91e28ce.tar.gz
openssh: Fix key generation with systemd
106b59d9 broke SSH host key generation when systemd and a read-only root file system are in use, because there isn't a way for systemd to get the optional weak assignment of SYSCONFDIR from /etc/default/sshd and still provide a default value if it is not specified. Instead, move the logic for determining whether keys need to be created into a helper script that both the SysV init script and the systemd unit file can reference. This does mean that the systemd unit file can't check for file existence to know whether it should start the service, but it was no longer able to do that correctly anyway. This should not be a problem, since the service is only run once per power cycle by systemd and should exit quickly if the keys already exist. (From OE-Core rev: 7e49c5879862253ae1b6a26535d07a2740a95798) Signed-off-by: Joshua Watt <JPEWhacker@gmail.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta')
-rw-r--r--meta/recipes-connectivity/openssh/openssh/init69
-rw-r--r--meta/recipes-connectivity/openssh/openssh/sshd_check_keys64
-rw-r--r--meta/recipes-connectivity/openssh/openssh/sshdgenkeys.service16
-rw-r--r--meta/recipes-connectivity/openssh/openssh_7.5p1.bb8
4 files changed, 76 insertions, 81 deletions
diff --git a/meta/recipes-connectivity/openssh/openssh/init b/meta/recipes-connectivity/openssh/openssh/init
index 386628afc8..34ba0f8460 100644
--- a/meta/recipes-connectivity/openssh/openssh/init
+++ b/meta/recipes-connectivity/openssh/openssh/init
@@ -19,25 +19,6 @@ fi
19[ -z "$SYSCONFDIR" ] && SYSCONFDIR=/etc/ssh 19[ -z "$SYSCONFDIR" ] && SYSCONFDIR=/etc/ssh
20mkdir -p $SYSCONFDIR 20mkdir -p $SYSCONFDIR
21 21
22parse_sshd_opts() {
23 set -- ${SSHD_OPTS} --
24 sshd_config=/etc/ssh/sshd_config
25 while true ; do
26 case "$1" in
27 -f*) if [ "$1" = "-f" ] ; then
28 sshd_config="$2"
29 shift
30 else
31 sshd_config="${1#-f}"
32 fi
33 shift
34 ;;
35 --) shift; break;;
36 *) shift;;
37 esac
38 done
39}
40
41check_for_no_start() { 22check_for_no_start() {
42 # forget it if we're trying to start, and /etc/ssh/sshd_not_to_be_run exists 23 # forget it if we're trying to start, and /etc/ssh/sshd_not_to_be_run exists
43 if [ -e $SYSCONFDIR/sshd_not_to_be_run ]; then 24 if [ -e $SYSCONFDIR/sshd_not_to_be_run ]; then
@@ -58,57 +39,13 @@ check_config() {
58 /usr/sbin/sshd -t $SSHD_OPTS || exit 1 39 /usr/sbin/sshd -t $SSHD_OPTS || exit 1
59} 40}
60 41
61check_keys() {
62 # parse location of keys
63 local HOST_KEY_RSA
64 local HOST_KEY_DSA
65 local HOST_KEY_ECDSA
66 local HOST_KEY_ED25519
67
68 parse_sshd_opts
69 HOST_KEY_RSA=$(grep ^HostKey "${sshd_config}" | grep _rsa_ | tail -1 | awk ' { print $2 } ')
70 [ -z "${HOST_KEY_RSA}" ] && HOST_KEY_RSA=$(grep HostKey "${sshd_config}" | grep _rsa_ | tail -1 | awk ' { print $2 } ')
71 [ -z "${HOST_KEY_RSA}" ] && HOST_KEY_RSA=$SYSCONFDIR/ssh_host_rsa_key
72 HOST_KEY_DSA=$(grep ^HostKey "${sshd_config}" | grep _dsa_ | tail -1 | awk ' { print $2 } ')
73 [ -z "${HOST_KEY_DSA}" ] && HOST_KEY_DSA=$(grep HostKey "${sshd_config}" | grep _dsa_ | tail -1 | awk ' { print $2 } ')
74 [ -z "${HOST_KEY_DSA}" ] && HOST_KEY_DSA=$SYSCONFDIR/ssh_host_dsa_key
75 HOST_KEY_ECDSA=$(grep ^HostKey "${sshd_config}" | grep _ecdsa_ | tail -1 | awk ' { print $2 } ')
76 [ -z "${HOST_KEY_ECDSA}" ] && HOST_KEY_ECDSA=$(grep HostKey "${sshd_config}" | grep _ecdsa_ | tail -1 | awk ' { print $2 } ')
77 [ -z "${HOST_KEY_ECDSA}" ] && HOST_KEY_ECDSA=$SYSCONFDIR/ssh_host_ecdsa_key
78 HOST_KEY_ED25519=$(grep ^HostKey "${sshd_config}" | grep _ed25519_ | tail -1 | awk ' { print $2 } ')
79 [ -z "${HOST_KEY_ED25519}" ] && HOST_KEY_ED25519=$(grep HostKey "${sshd_config}" | grep _ed25519_ | tail -1 | awk ' { print $2 } ')
80 [ -z "${HOST_KEY_ED25519}" ] && HOST_KEY_ED25519=$SYSCONFDIR/ssh_host_ed25519_key
81
82 # create keys if necessary
83 if [ ! -f $HOST_KEY_RSA ]; then
84 echo " generating ssh RSA key..."
85 mkdir -p $(dirname $HOST_KEY_RSA)
86 ssh-keygen -q -f $HOST_KEY_RSA -N '' -t rsa
87 fi
88 if [ ! -f $HOST_KEY_ECDSA ]; then
89 echo " generating ssh ECDSA key..."
90 mkdir -p $(dirname $HOST_KEY_ECDSA)
91 ssh-keygen -q -f $HOST_KEY_ECDSA -N '' -t ecdsa
92 fi
93 if [ ! -f $HOST_KEY_DSA ]; then
94 echo " generating ssh DSA key..."
95 mkdir -p $(dirname $HOST_KEY_DSA)
96 ssh-keygen -q -f $HOST_KEY_DSA -N '' -t dsa
97 fi
98 if [ ! -f $HOST_KEY_ED25519 ]; then
99 echo " generating ssh ED25519 key..."
100 mkdir -p $(dirname $HOST_KEY_ED25519)
101 ssh-keygen -q -f $HOST_KEY_ED25519 -N '' -t ed25519
102 fi
103}
104
105export PATH="${PATH:+$PATH:}/usr/sbin:/sbin" 42export PATH="${PATH:+$PATH:}/usr/sbin:/sbin"
106 43
107case "$1" in 44case "$1" in
108 start) 45 start)
109 check_for_no_start 46 check_for_no_start
110 echo "Starting OpenBSD Secure Shell server: sshd" 47 echo "Starting OpenBSD Secure Shell server: sshd"
111 check_keys 48 @LIBEXECDIR@/sshd_check_keys
112 check_privsep_dir 49 check_privsep_dir
113 start-stop-daemon -S -p $PIDFILE -x /usr/sbin/sshd -- $SSHD_OPTS 50 start-stop-daemon -S -p $PIDFILE -x /usr/sbin/sshd -- $SSHD_OPTS
114 echo "done." 51 echo "done."
@@ -121,7 +58,7 @@ case "$1" in
121 58
122 reload|force-reload) 59 reload|force-reload)
123 check_for_no_start 60 check_for_no_start
124 check_keys 61 @LIBEXECDIR@/sshd_check_keys
125 check_config 62 check_config
126 echo -n "Reloading OpenBSD Secure Shell server's configuration" 63 echo -n "Reloading OpenBSD Secure Shell server's configuration"
127 start-stop-daemon -K -p $PIDFILE -s 1 -x /usr/sbin/sshd 64 start-stop-daemon -K -p $PIDFILE -s 1 -x /usr/sbin/sshd
@@ -129,7 +66,7 @@ case "$1" in
129 ;; 66 ;;
130 67
131 restart) 68 restart)
132 check_keys 69 @LIBEXECDIR@/sshd_check_keys
133 check_config 70 check_config
134 echo -n "Restarting OpenBSD Secure Shell server: sshd" 71 echo -n "Restarting OpenBSD Secure Shell server: sshd"
135 start-stop-daemon -K -p $PIDFILE --oknodo -x /usr/sbin/sshd 72 start-stop-daemon -K -p $PIDFILE --oknodo -x /usr/sbin/sshd
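Review bot: The three new call sites (new lines 48, 61 and 69) discard the helper's exit status, so if `sshd_check_keys` fails — a read-only `$SYSCONFDIR`, or an ssh-keygen error — the script still proceeds to `start-stop-daemon` or `check_config`, and the first visible symptom is sshd failing to start rather than a key-generation error. I would write each call as `@LIBEXECDIR@/sshd_check_keys || exit 1` so the start aborts at the step that actually failed. This only pays off if the helper reports failure; as written in this commit its status is just that of its last `if` statement, so the guard should land together with an exit-status fix in the helper. The `case "$1"` block these calls live in continues past the end of this hunk.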
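--- /dev/null
+++ b/meta/recipes-connectivity/openssh/openssh/sshd_check_keys
@@ -0,0 +1,64 @@
+#! /bin/sh
+
+# /etc/default/ssh may set SYSCONFDIR and SSHD_OPTS
+if test -f /etc/default/ssh; then
+ . /etc/default/ssh
+fi
+
+[ -z "$SYSCONFDIR" ] && SYSCONFDIR=/etc/ssh
+mkdir -p $SYSCONFDIR
+
+# parse sshd options
+set -- ${SSHD_OPTS} --
+sshd_config=/etc/ssh/sshd_config
+while true ; do
+ case "$1" in
+ -f*) if [ "$1" = "-f" ] ; then
+ sshd_config="$2"
+ shift
+ else
+ sshd_config="${1#-f}"
+ fi
+ shift
+ ;;
+ --) shift; break;;
+ *) shift;;
+ esac
+done
+
+# parse location of keys
+HOST_KEY_RSA=$(grep ^HostKey "${sshd_config}" | grep _rsa_ | tail -1 | awk ' { print $2 } ')
+[ -z "${HOST_KEY_RSA}" ] && HOST_KEY_RSA=$(grep HostKey "${sshd_config}" | grep _rsa_ | tail -1 | awk ' { print $2 } ')
+[ -z "${HOST_KEY_RSA}" ] && HOST_KEY_RSA=$SYSCONFDIR/ssh_host_rsa_key
+HOST_KEY_DSA=$(grep ^HostKey "${sshd_config}" | grep _dsa_ | tail -1 | awk ' { print $2 } ')
+[ -z "${HOST_KEY_DSA}" ] && HOST_KEY_DSA=$(grep HostKey "${sshd_config}" | grep _dsa_ | tail -1 | awk ' { print $2 } ')
+[ -z "${HOST_KEY_DSA}" ] && HOST_KEY_DSA=$SYSCONFDIR/ssh_host_dsa_key
+HOST_KEY_ECDSA=$(grep ^HostKey "${sshd_config}" | grep _ecdsa_ | tail -1 | awk ' { print $2 } ')
+[ -z "${HOST_KEY_ECDSA}" ] && HOST_KEY_ECDSA=$(grep HostKey "${sshd_config}" | grep _ecdsa_ | tail -1 | awk ' { print $2 } ')
+[ -z "${HOST_KEY_ECDSA}" ] && HOST_KEY_ECDSA=$SYSCONFDIR/ssh_host_ecdsa_key
+HOST_KEY_ED25519=$(grep ^HostKey "${sshd_config}" | grep _ed25519_ | tail -1 | awk ' { print $2 } ')
+[ -z "${HOST_KEY_ED25519}" ] && HOST_KEY_ED25519=$(grep HostKey "${sshd_config}" | grep _ed25519_ | tail -1 | awk ' { print $2 } ')
+[ -z "${HOST_KEY_ED25519}" ] && HOST_KEY_ED25519=$SYSCONFDIR/ssh_host_ed25519_key
+
+# create keys if necessary
+if [ ! -f $HOST_KEY_RSA ]; then
+ echo " generating ssh RSA key..."
+ mkdir -p $(dirname $HOST_KEY_RSA)
+ ssh-keygen -q -f $HOST_KEY_RSA -N '' -t rsa
+fi
+if [ ! -f $HOST_KEY_ECDSA ]; then
+ echo " generating ssh ECDSA key..."
+ mkdir -p $(dirname $HOST_KEY_ECDSA)
+ ssh-keygen -q -f $HOST_KEY_ECDSA -N '' -t ecdsa
+fi
+if [ ! -f $HOST_KEY_DSA ]; then
+ echo " generating ssh DSA key..."
+ mkdir -p $(dirname $HOST_KEY_DSA)
+ ssh-keygen -q -f $HOST_KEY_DSA -N '' -t dsa
+fi
+if [ ! -f $HOST_KEY_ED25519 ]; then
+ echo " generating ssh ED25519 key..."
+ mkdir -p $(dirname $HOST_KEY_ED25519)
+ ssh-keygen -q -f $HOST_KEY_ED25519 -N '' -t ed25519
+fi
+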
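Review bot: The script exits 0 even when key generation fails: there is no `set -e`, the four `ssh-keygen` calls at new lines 47, 52, 57 and 62 are unchecked, and the script's exit status is simply that of the last `if`, so both the SysV init script and the `Type=oneshot` unit that run it see success and sshd is started without host keys. I would append `|| exit 1` to each call, e.g. `ssh-keygen -q -f "$HOST_KEY_RSA" -N '' -t rsa || exit 1`, and quote the `$HOST_KEY_*` and `$SYSCONFDIR` expansions in the `-f`, `mkdir -p` and `dirname` arguments, since those values are read from `sshd_config` and `/etc/default/ssh` rather than fixed in the script. Separately, OpenSSH 7.x disables ssh-dss host keys at run time by default, so the DSA key generated at new line 57 is not loaded unless `sshd_config` re-enables it; either drop it or add a comment such as `# DSA host key is only used if sshd_config explicitly enables ssh-dss` so nobody mistakes it for an active key.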
diff --git a/meta/recipes-connectivity/openssh/openssh/sshdgenkeys.service b/meta/recipes-connectivity/openssh/openssh/sshdgenkeys.service
index 148e6ad63a..603c33787f 100644
--- a/meta/recipes-connectivity/openssh/openssh/sshdgenkeys.service
+++ b/meta/recipes-connectivity/openssh/openssh/sshdgenkeys.service
@@ -1,22 +1,8 @@
1[Unit] 1[Unit]
2Description=OpenSSH Key Generation 2Description=OpenSSH Key Generation
3RequiresMountsFor=/var /run 3RequiresMountsFor=/var /run
4ConditionPathExists=!/var/run/ssh/ssh_host_rsa_key
5ConditionPathExists=!/var/run/ssh/ssh_host_dsa_key
6ConditionPathExists=!/var/run/ssh/ssh_host_ecdsa_key
7ConditionPathExists=!/var/run/ssh/ssh_host_ed25519_key
8ConditionPathExists=!/etc/ssh/ssh_host_rsa_key
9ConditionPathExists=!/etc/ssh/ssh_host_dsa_key
10ConditionPathExists=!/etc/ssh/ssh_host_ecdsa_key
11ConditionPathExists=!/etc/ssh/ssh_host_ed25519_key
12 4
13[Service] 5[Service]
14Environment="SYSCONFDIR=/etc/ssh" 6ExecStart=@LIBEXECDIR@/sshd_check_keys
15EnvironmentFile=-/etc/default/ssh
16ExecStart=@BASE_BINDIR@/mkdir -p $SYSCONFDIR
17ExecStart=@BINDIR@/ssh-keygen -q -f ${SYSCONFDIR}/ssh_host_rsa_key -N '' -t rsa
18ExecStart=@BINDIR@/ssh-keygen -q -f ${SYSCONFDIR}/ssh_host_dsa_key -N '' -t dsa
19ExecStart=@BINDIR@/ssh-keygen -q -f ${SYSCONFDIR}/ssh_host_ecdsa_key -N '' -t ecdsa
20ExecStart=@BINDIR@/ssh-keygen -q -f ${SYSCONFDIR}/ssh_host_ed25519_key -N '' -t ed25519
21Type=oneshot 7Type=oneshot
22RemainAfterExit=yes 8RemainAfterExit=yes
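--- a/meta/recipes-connectivity/openssh/openssh_7.5p1.bb
+++ b/meta/recipes-connectivity/openssh/openssh_7.5p1.bb
@@ -27,6 +27,7 @@ SRC_URI = "http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.tar
  file://openssh-7.1p1-conditional-compile-des-in-pkcs11.patch \
  file://fix-potential-signed-overflow-in-pointer-arithmatic.patch \
  file://0001-openssh-Fix-syntax-error-on-x32.patch \
+ file://sshd_check_keys \
  "
 
 PAM_SRC_URI = "file://sshd"
@@ -120,7 +121,13 @@ do_install_append () {
  sed -i -e 's,@BASE_BINDIR@,${base_bindir},g' \
  -e 's,@SBINDIR@,${sbindir},g' \
  -e 's,@BINDIR@,${bindir},g' \
+ -e 's,@LIBEXECDIR@,${libexecdir}/${BPN},g' \
  ${D}${systemd_unitdir}/system/sshd.socket ${D}${systemd_unitdir}/system/*.service
+
+ sed -i -e 's,@LIBEXECDIR@,${libexecdir}/${BPN},g' \
+ ${D}${sysconfdir}/init.d/sshd
+
+ install -D -m 0755 ${WORKDIR}/sshd_check_keys ${D}${libexecdir}/${BPN}/sshd_check_keys
 }
 
 do_install_ptest () {
@@ -135,6 +142,7 @@ FILES_${PN}-scp = "${bindir}/scp.${BPN}"
 FILES_${PN}-ssh = "${bindir}/ssh.${BPN} ${sysconfdir}/ssh/ssh_config"
 FILES_${PN}-sshd = "${sbindir}/sshd ${sysconfdir}/init.d/sshd ${systemd_unitdir}/system"
 FILES_${PN}-sshd += "${sysconfdir}/ssh/moduli ${sysconfdir}/ssh/sshd_config ${sysconfdir}/ssh/sshd_config_readonly ${sysconfdir}/default/volatiles/99_sshd ${sysconfdir}/pam.d/sshd"
+FILES_${PN}-sshd += "${libexecdir}/${BPN}/sshd_check_keys"
 FILES_${PN}-sftp = "${bindir}/sftp"
 FILES_${PN}-sftp-server = "${libexecdir}/sftp-server"
 FILES_${PN}-misc = "${bindir}/ssh* ${libexecdir}/ssh*"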