openssh: fix for read-only rootfs

If the rootfs is read-only and the ssh keys are not available at system
start-up, the init script will generate ssh keys into /etc/ssh, thus
causing a 'read-only file system' error.

In order for Yocto based image to work correctly for read-only rootfs,
we use the following logic for openssh.

If the rootfs is read-only and there are pre-generated keys under /etc/ssh,
we use the pre-generated keys. Note the pre-generated keys are mainly for
debugging or development purpose.
If the rootfs is read-only and there are no pre-generated keys under
/etc/ssh, we use /var/run/ssh as the location for ssh keys. That is, at
system boot-up, the generated ssh keys will put into /var/run/ssh.

[YOCTO #4887]

(From OE-Core rev: 2ed44745024f04aa4e00ddba3009153c6b47c8e9)

Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
Signed-off-by: Saul Wold <sgw@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>

3 files changed, 35 insertions, 8 deletions

diff --git a/meta/classes/image.bbclass b/meta/classes/image.bbclass
index 494664627d..116bd226ea 100644
--- a/meta/classes/image.bbclass
+++ b/meta/classes/image.bbclass
@@ -262,6 +262,18 @@ read_only_rootfs_hook () {
                 if [ -x ${IMAGE_ROOTFS}/etc/init.d/populate-volatile.sh ]; then
                         ${IMAGE_ROOTFS}/etc/init.d/populate-volatile.sh
                 fi
+                # If we're using openssh and the /etc/ssh directory has no pre-generated keys,
+                # we should configure openssh to use the configuration file /etc/ssh/sshd_config_readonly
+                # and the keys under /var/run/ssh.
+                if [ -d ${IMAGE_ROOTFS}/etc/ssh ]; then
+                        if [ -e ${IMAGE_ROOTFS}/etc/ssh/ssh_host_rsa_key ]; then
+                                echo "SYSCONFDIR=/etc/ssh" >> ${IMAGE_ROOTFS}/etc/default/ssh
+                                echo "SSHD_OPTS=" >> ${IMAGE_ROOTFS}/etc/default/ssh
+                        else
+                                echo "SYSCONFDIR=/var/run/ssh" >> ${IMAGE_ROOTFS}/etc/default/ssh
+                                echo "SSHD_OPTS='-f /etc/ssh/sshd_config_readonly'" >> ${IMAGE_ROOTFS}/etc/default/ssh
+                        fi
+                fi
         fi
 }
 
diff --git a/meta/recipes-connectivity/openssh/openssh-6.2p2/init b/meta/recipes-connectivity/openssh/openssh-6.2p2/init
index 6beec848df..12fb79bd7c 100644
--- a/meta/recipes-connectivity/openssh/openssh-6.2p2/init
+++ b/meta/recipes-connectivity/openssh/openssh-6.2p2/init
@@ -6,14 +6,22 @@ set -e
 test -x /usr/sbin/sshd || exit 0
 ( /usr/sbin/sshd -\? 2>&1 | grep -q OpenSSH ) 2>/dev/null || exit 0
 
+# /etc/default/ssh may set SYSCONFDIR and SSHD_OPTS
 if test -f /etc/default/ssh; then
     . /etc/default/ssh
 fi
 
+[ -z "$SYSCONFDIR" ] && SYSCONFDIR=/etc/ssh
+mkdir -p $SYSCONFDIR
+
+HOST_KEY_RSA=$SYSCONFDIR/ssh_host_rsa_key
+HOST_KEY_DSA=$SYSCONFDIR/ssh_host_dsa_key
+HOST_KEY_ECDSA=$SYSCONFDIR/ssh_host_ecdsa_key
+
 check_for_no_start() {
     # forget it if we're trying to start, and /etc/ssh/sshd_not_to_be_run exists
-    if [ -e /etc/ssh/sshd_not_to_be_run ]; then 
-        echo "OpenBSD Secure Shell server not in use (/etc/ssh/sshd_not_to_be_run)"
+    if [ -e $SYSCONFDIR/sshd_not_to_be_run ]; then
+        echo "OpenBSD Secure Shell server not in use ($SYSCONFDIR/sshd_not_to_be_run)"
         exit 0
     fi
 }
@@ -32,17 +40,17 @@ check_config() {
 
 check_keys() {
         # create keys if necessary
-        if [ ! -f /etc/ssh/ssh_host_rsa_key ]; then
+        if [ ! -f $HOST_KEY_RSA ]; then
                 echo "  generating ssh RSA key..."
-                ssh-keygen -q -f /etc/ssh/ssh_host_rsa_key -N '' -t rsa
+                ssh-keygen -q -f $HOST_KEY_RSA -N '' -t rsa
         fi
-        if [ ! -f /etc/ssh/ssh_host_ecdsa_key ]; then
+        if [ ! -f $HOST_KEY_ECDSA ]; then
                 echo "  generating ssh ECDSA key..."
-                ssh-keygen -q -f /etc/ssh/ssh_host_ecdsa_key -N '' -t ecdsa
+                ssh-keygen -q -f $HOST_KEY_ECDSA -N '' -t ecdsa
         fi
         if [ ! -f /etc/ssh/ssh_host_dsa_key ]; then
                 echo "  generating ssh DSA key..."
-                ssh-keygen -q -f /etc/ssh/ssh_host_dsa_key -N '' -t dsa
+                ssh-keygen -q -f $HOST_KEY_DSA -N '' -t dsa
         fi
 }
 
diff --git a/meta/recipes-connectivity/openssh/openssh_6.2p2.bb b/meta/recipes-connectivity/openssh/openssh_6.2p2.bb
index ab2eefb9bc..c76f9ac7ee 100644
--- a/meta/recipes-connectivity/openssh/openssh_6.2p2.bb
+++ b/meta/recipes-connectivity/openssh/openssh_6.2p2.bb
@@ -86,6 +86,13 @@ do_install_append () {
         install -m 0755 ${WORKDIR}/init ${D}${sysconfdir}/init.d/sshd
         rm -f ${D}${bindir}/slogin ${D}${datadir}/Ssh.bin
         rmdir ${D}${localstatedir}/run/sshd ${D}${localstatedir}/run ${D}${localstatedir}
+        # Create config files for read-only rootfs
+        install -d ${D}${sysconfdir}/ssh
+        install -m 644 ${WORKDIR}/sshd_config ${D}${sysconfdir}/ssh/sshd_config_readonly
+        sed -i '/HostKey/d' ${D}${sysconfdir}/ssh/sshd_config_readonly
+        echo "HostKey /var/run/ssh/ssh_host_rsa_key" >> ${D}${sysconfdir}/ssh/sshd_config_readonly
+        echo "HostKey /var/run/ssh/ssh_host_dsa_key" >> ${D}${sysconfdir}/ssh/sshd_config_readonly
+        echo "HostKey /var/run/ssh/ssh_host_ecdsa_key" >> ${D}${sysconfdir}/ssh/sshd_config_readonly
 }
 
 ALLOW_EMPTY_${PN} = "1"
@@ -94,7 +101,7 @@ PACKAGES =+ "${PN}-keygen ${PN}-scp ${PN}-ssh ${PN}-sshd ${PN}-sftp ${PN}-misc $
 FILES_${PN}-scp = "${bindir}/scp.${BPN}"
 FILES_${PN}-ssh = "${bindir}/ssh.${BPN} ${sysconfdir}/ssh/ssh_config"
 FILES_${PN}-sshd = "${sbindir}/sshd ${sysconfdir}/init.d/sshd"
-FILES_${PN}-sshd += "${sysconfdir}/ssh/moduli ${sysconfdir}/ssh/sshd_config"
+FILES_${PN}-sshd += "${sysconfdir}/ssh/moduli ${sysconfdir}/ssh/sshd_config ${sysconfdir}/ssh/sshd_config_readonly"
 FILES_${PN}-sftp = "${bindir}/sftp"
 FILES_${PN}-sftp-server = "${libexecdir}/sftp-server"
 FILES_${PN}-misc = "${bindir}/ssh* ${libexecdir}/ssh*"