From: Phil Blundell <pb@pbcl.net>
To: Martin Jansa <martin.jansa@gmail.com>
Cc: openembedded-core@lists.openembedded.org, Zhangle.Yang@windriver.com
Subject: Re: [PATCH 9/9] Generate ssh keys at rootfs creation time in case of a read-only rootfs
Date: Fri, 26 Jul 2013 10:52:54 +0100
Message-ID: <1374832374.2861.72.camel@pb-ThinkPad-R50e>
In-Reply-To: <20130726092812.GD3280@jama>

On Fri, 2013-07-26 at 11:28 +0200, Martin Jansa wrote:
> On Fri, Jul 26, 2013 at 03:39:36PM +0800, Qi.Chen@windriver.com wrote:
> > From: Chen Qi <Qi.Chen@windriver.com>
> > 
> > To avoid generating ssh keys every time a system with read-only rootfs
> > starts, we generate ssh keys at rootfs creation time.
> > 
> > This change only has effect for systems with read-only rootfs.
> 
> I'm not sure if having the same keys on all devices installed from the
> same image is always desired behavior, imho it should be controlled by
> another variable, because some people want read-only rootfs and keys
> generated in some other writable partition.

Agreed.  In fact, I suspect that most folks who would be happy with all
devices getting identical keys would want to go even further and have
the keys be pre-generated so they were the same in every version of the
image, rather than having them change every time the rootfs is
regenerated.  Otherwise you still get the "host key has changed" warning
whenever you install a new rootfs.

If we're going to add this "generate keys at rootfs time" thing as an
option then that's fine, but it needs to be configurable under control
of IMAGE_FEATURES and/or DISTRO_FEATURES and/or PACKAGECONFIG.

Some other observations on this patch:

- the subject line is in the wrong format
- there are quite a lot of changes to the openssh recipe in here, some
of which look a bit hokey.  For example, this change:

-PACKAGECONFIG ??= "tcp-wrappers"
+PACKAGECONFIG_class-target ??= "tcp-wrappers"

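Review bot: moving the weak default from `PACKAGECONFIG ??=` to `PACKAGECONFIG_class-target ??=` changes who sees it: the value is now applied only when the class-target override is active, so native or nativesdk builds of the recipe are left with no default at all, and because override-suffixed assignments win over plain ones, a distro or bbappend that later sets `PACKAGECONFIG = "..."` for this recipe will have that value silently replaced by "tcp-wrappers" on target. If the intent is a target-only adjustment, keep the plain `PACKAGECONFIG ??= "tcp-wrappers"` default and add any target-specific items with a `PACKAGECONFIG_append_class-target` (or a separate, explicitly named variable) instead.
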
... is going to be a trap for the unwary and probably shouldn't be done
this way.

p.