[Buildroot] [PATCH 1/1] openssh: replace individual ssh-keygen calls with a single call

[Buildroot] [PATCH 1/1] openssh: replace individual ssh-keygen calls with a single call

[Danomi Manchego]

Since openssh-6.0, the ssh-keygen app has supported a -A option,
which creates any missing keys.  This frees us of having to add
new ssh-keygen invocations as new key types are introduced.  This
also frees us of having to know the default key names and locations.
So this patch replaces all the the init.d script invocations with
a single "ssh-keygen -A" call.

Note: the systemd service script *already* uses this option.

Signed-off-by: Danomi Manchego <danomimanchego123@gmail.com>
---
 package/openssh/S50sshd |   34 ++--------------------------------
 1 file changed, 2 insertions(+), 32 deletions(-)

diff --git a/package/openssh/S50sshd b/package/openssh/S50sshd
index d3abf7c..65bdb90 100644
--- a/package/openssh/S50sshd
+++ b/package/openssh/S50sshd
@@ -6,38 +6,8 @@
 # Make sure the ssh-keygen progam exists
 [ -f /usr/bin/ssh-keygen ] || exit 0
 
-# Check for the SSH1 RSA key
-if [ ! -f /etc/ssh_host_key ] ; then
-	echo Generating RSA Key...
-	/usr/bin/ssh-keygen -t rsa1 -f /etc/ssh_host_key -C '' -N ''
-fi
-
-# Check for the SSH2 RSA key
-if [ ! -f /etc/ssh_host_rsa_key ] ; then
-	echo Generating RSA Key...
-	/usr/bin/ssh-keygen -t rsa -f /etc/ssh_host_rsa_key -C '' -N ''
-fi
-
-# Check for the SSH2 DSA key
-if [ ! -f /etc/ssh_host_dsa_key ] ; then
-	echo Generating DSA Key...
-	echo
-	/usr/bin/ssh-keygen -t dsa -f /etc/ssh_host_dsa_key -C '' -N ''
-fi
-
-# Check for the SSH2 ECDSA key
-if [ ! -f /etc/ssh_host_ecdsa_key ]; then
-	echo Generating ECDSA Key...
-	echo
-	/usr/bin/ssh-keygen -t ecdsa -f /etc/ssh_host_ecdsa_key -C '' -N ''
-fi
-
-# Check for the ed25519 key
-if [ ! -f /etc/ssh_host_ed25519_key ]; then
-	echo Generating ed25519 Key...
-	echo
-	/usr/bin/ssh-keygen -t ed25519 -f /etc/ssh_host_ed25519_key -C '' -N ''
-fi
+# Create any missing keys
+/usr/bin/ssh-keygen -A
 
 umask 077
 
-- 
1.7.9.5

[Buildroot] [PATCH 1/1] openssh: replace individual ssh-keygen calls with a single call

[Yann E. MORIN]

Danomi, All,

On 2014-08-02 21:21 -0400, Danomi Manchego spake thusly:
> Since openssh-6.0, the ssh-keygen app has supported a -A option,
> which creates any missing keys.  This frees us of having to add
> new ssh-keygen invocations as new key types are introduced.  This
> also frees us of having to know the default key names and locations.
> So this patch replaces all the the init.d script invocations with
> a single "ssh-keygen -A" call.
> 
> Note: the systemd service script *already* uses this option.
> 
> Signed-off-by: Danomi Manchego <danomimanchego123@gmail.com>

Acked-by: "Yann E. MORIN" <yann.morin.1998@free.fr>

However, I have a comment about this key generation: it does not work
when the filesystem is read-only. That was already the case before your
patch, hence my Ack. But we should probably find a way to fix that one
way or the other.

One option would be to pre-generate the host keys at build-time. There
are pros abd cons with this, though:

  - pros: we can save the public keys and store them in the known_hosts
    file of the user. No confirmation at first connection, usefull
    during development;

  - cons: the image can't be realisticaly deployed to many targets,
    otherwise they would all have the same keys. Bad.

I don't have a better solution for now... :-/

Of course, we can also delegate to the user the reponsibility to ensure
that /etc *is* writable when openssh is installed (which we implicitly
do right now.)

Regards,
Yann E. MORIN.

> ---
>  package/openssh/S50sshd |   34 ++--------------------------------
>  1 file changed, 2 insertions(+), 32 deletions(-)
> 
> diff --git a/package/openssh/S50sshd b/package/openssh/S50sshd
> index d3abf7c..65bdb90 100644
> --- a/package/openssh/S50sshd
> +++ b/package/openssh/S50sshd
> @@ -6,38 +6,8 @@
>  # Make sure the ssh-keygen progam exists
>  [ -f /usr/bin/ssh-keygen ] || exit 0
>  
> -# Check for the SSH1 RSA key
> -if [ ! -f /etc/ssh_host_key ] ; then
> -	echo Generating RSA Key...
> -	/usr/bin/ssh-keygen -t rsa1 -f /etc/ssh_host_key -C '' -N ''
> -fi
> -
> -# Check for the SSH2 RSA key
> -if [ ! -f /etc/ssh_host_rsa_key ] ; then
> -	echo Generating RSA Key...
> -	/usr/bin/ssh-keygen -t rsa -f /etc/ssh_host_rsa_key -C '' -N ''
> -fi
> -
> -# Check for the SSH2 DSA key
> -if [ ! -f /etc/ssh_host_dsa_key ] ; then
> -	echo Generating DSA Key...
> -	echo
> -	/usr/bin/ssh-keygen -t dsa -f /etc/ssh_host_dsa_key -C '' -N ''
> -fi
> -
> -# Check for the SSH2 ECDSA key
> -if [ ! -f /etc/ssh_host_ecdsa_key ]; then
> -	echo Generating ECDSA Key...
> -	echo
> -	/usr/bin/ssh-keygen -t ecdsa -f /etc/ssh_host_ecdsa_key -C '' -N ''
> -fi
> -
> -# Check for the ed25519 key
> -if [ ! -f /etc/ssh_host_ed25519_key ]; then
> -	echo Generating ed25519 Key...
> -	echo
> -	/usr/bin/ssh-keygen -t ed25519 -f /etc/ssh_host_ed25519_key -C '' -N ''
> -fi
> +# Create any missing keys
> +/usr/bin/ssh-keygen -A
>  
>  umask 077
>  
> -- 
> 1.7.9.5
> 
> _______________________________________________
> buildroot mailing list
> buildroot at busybox.net
> http://lists.busybox.net/mailman/listinfo/buildroot

-- 
.-----------------.--------------------.------------------.--------------------.
|  Yann E. MORIN  | Real-Time Embedded | /"\ ASCII RIBBON | Erics' conspiracy: |
| +33 662 376 056 | Software  Designer | \ / CAMPAIGN     |  ___               |
| +33 223 225 172 `------------.-------:  X  AGAINST      |  \e/  There is no  |
| http://ymorin.is-a-geek.org/ | _/*\_ | / \ HTML MAIL    |   v   conspiracy.  |
'------------------------------^-------^------------------^--------------------'

[Buildroot] [PATCH 1/1] openssh: replace individual ssh-keygen calls with a single call

[Thomas Petazzoni]

Dear Danomi Manchego,

On Sat,  2 Aug 2014 21:21:19 -0400, Danomi Manchego wrote:
> Since openssh-6.0, the ssh-keygen app has supported a -A option,
> which creates any missing keys.  This frees us of having to add
> new ssh-keygen invocations as new key types are introduced.  This
> also frees us of having to know the default key names and locations.
> So this patch replaces all the the init.d script invocations with
> a single "ssh-keygen -A" call.
> 
> Note: the systemd service script *already* uses this option.
> 
> Signed-off-by: Danomi Manchego <danomimanchego123@gmail.com>

Applied, thanks!

Thomsa
-- 
Thomas Petazzoni, CTO, Free Electrons
Embedded Linux, Kernel and Android engineering
http://free-electrons.com

[Buildroot] [PATCH 1/1] openssh: replace individual ssh-keygen calls with a single call

[Danomi Manchego]

Yann,

On Sun, Aug 3, 2014 at 3:37 AM, Yann E. MORIN <yann.morin.1998@free.fr> wrote:
> Danomi, All,
>
> On 2014-08-02 21:21 -0400, Danomi Manchego spake thusly:
>> Since openssh-6.0, the ssh-keygen app has supported a -A option,
>> which creates any missing keys.  This frees us of having to add
>> new ssh-keygen invocations as new key types are introduced.  This
>> also frees us of having to know the default key names and locations.
>> So this patch replaces all the the init.d script invocations with
>> a single "ssh-keygen -A" call.
>>
>> Note: the systemd service script *already* uses this option.
>>
>> Signed-off-by: Danomi Manchego <danomimanchego123@gmail.com>
>
> Acked-by: "Yann E. MORIN" <yann.morin.1998@free.fr>
>
> However, I have a comment about this key generation: it does not work
> when the filesystem is read-only. That was already the case before your
> patch, hence my Ack. But we should probably find a way to fix that one
> way or the other.
>
> One option would be to pre-generate the host keys at build-time. There
> are pros abd cons with this, though:
>
>   - pros: we can save the public keys and store them in the known_hosts
>     file of the user. No confirmation at first connection, usefull
>     during development;
>
>   - cons: the image can't be realisticaly deployed to many targets,
>     otherwise they would all have the same keys. Bad.
>
> I don't have a better solution for now... :-/
>
> Of course, we can also delegate to the user the reponsibility to ensure
> that /etc *is* writable when openssh is installed (which we implicitly
> do right now.)

I think this issue is not limited to openssh - there's other things
that want to occasionally save stuff to /etc, /var, even /root (e.g.
gstreamer plugins cache).  I suppose that efforts could be made to try
to patch/configure these locations to all be in one place (/var ?),
but that still assumes a writable directory.  So, unless we direct all
attempts to save state to a tmpfs, I think it always come back to
being the user's responsibility.

So for now I'm content to keep openssh as it is, rather than hunt down
all the places that might try to write to etc (, var, $HOME, ...).

Danomi -


> Regards,
> Yann E. MORIN.
>
>> ---
>>  package/openssh/S50sshd |   34 ++--------------------------------
>>  1 file changed, 2 insertions(+), 32 deletions(-)
>>
>> diff --git a/package/openssh/S50sshd b/package/openssh/S50sshd
>> index d3abf7c..65bdb90 100644
>> --- a/package/openssh/S50sshd
>> +++ b/package/openssh/S50sshd
>> @@ -6,38 +6,8 @@
>>  # Make sure the ssh-keygen progam exists
>>  [ -f /usr/bin/ssh-keygen ] || exit 0
>>
>> -# Check for the SSH1 RSA key
>> -if [ ! -f /etc/ssh_host_key ] ; then
>> -     echo Generating RSA Key...
>> -     /usr/bin/ssh-keygen -t rsa1 -f /etc/ssh_host_key -C '' -N ''
>> -fi
>> -
>> -# Check for the SSH2 RSA key
>> -if [ ! -f /etc/ssh_host_rsa_key ] ; then
>> -     echo Generating RSA Key...
>> -     /usr/bin/ssh-keygen -t rsa -f /etc/ssh_host_rsa_key -C '' -N ''
>> -fi
>> -
>> -# Check for the SSH2 DSA key
>> -if [ ! -f /etc/ssh_host_dsa_key ] ; then
>> -     echo Generating DSA Key...
>> -     echo
>> -     /usr/bin/ssh-keygen -t dsa -f /etc/ssh_host_dsa_key -C '' -N ''
>> -fi
>> -
>> -# Check for the SSH2 ECDSA key
>> -if [ ! -f /etc/ssh_host_ecdsa_key ]; then
>> -     echo Generating ECDSA Key...
>> -     echo
>> -     /usr/bin/ssh-keygen -t ecdsa -f /etc/ssh_host_ecdsa_key -C '' -N ''
>> -fi
>> -
>> -# Check for the ed25519 key
>> -if [ ! -f /etc/ssh_host_ed25519_key ]; then
>> -     echo Generating ed25519 Key...
>> -     echo
>> -     /usr/bin/ssh-keygen -t ed25519 -f /etc/ssh_host_ed25519_key -C '' -N ''
>> -fi
>> +# Create any missing keys
>> +/usr/bin/ssh-keygen -A
>>
>>  umask 077
>>
>> --
>> 1.7.9.5
>>
>> _______________________________________________
>> buildroot mailing list
>> buildroot at busybox.net
>> http://lists.busybox.net/mailman/listinfo/buildroot
>
> --
> .-----------------.--------------------.------------------.--------------------.
> |  Yann E. MORIN  | Real-Time Embedded | /"\ ASCII RIBBON | Erics' conspiracy: |
> | +33 662 376 056 | Software  Designer | \ / CAMPAIGN     |  ___               |
> | +33 223 225 172 `------------.-------:  X  AGAINST      |  \e/  There is no  |
> | http://ymorin.is-a-geek.org/ | _/*\_ | / \ HTML MAIL    |   v   conspiracy.  |
> '------------------------------^-------^------------------^--------------------'

[Buildroot] [PATCH 1/1] openssh: replace individual ssh-keygen calls with a single call

[Thomas Petazzoni]

Dear Danomi Manchego,

On Sun, 3 Aug 2014 09:25:13 -0400, Danomi Manchego wrote:

> I think this issue is not limited to openssh - there's other things
> that want to occasionally save stuff to /etc, /var, even /root (e.g.
> gstreamer plugins cache).  I suppose that efforts could be made to try
> to patch/configure these locations to all be in one place (/var ?),
> but that still assumes a writable directory.  So, unless we direct all
> attempts to save state to a tmpfs, I think it always come back to
> being the user's responsibility.
> 
> So for now I'm content to keep openssh as it is, rather than hunt down
> all the places that might try to write to etc (, var, $HOME, ...).

Buildroot is normally supposed to support a read-only root filesystem,
and there are already several things being done to make this possible:

 * /etc/resolv.conf is a symbolic link to /tmp/resolv.conf
 * Most of the /var/<foo> directories are symbolic links to /tmp.
   Only /var/lib is not.
 * /tmp is mounted as tmpfs, so that it's read/write even if the rootfs
   is read only.

Thomas
-- 
Thomas Petazzoni, CTO, Free Electrons
Embedded Linux, Kernel and Android engineering
http://free-electrons.com

[Buildroot] [PATCH 1/1] openssh: replace individual ssh-keygen calls with a single call

[Waldemar Brodkorb]

Hi,
Thomas Petazzoni wrote,

> Dear Danomi Manchego,
> 
> On Sun, 3 Aug 2014 09:25:13 -0400, Danomi Manchego wrote:
> 
> > I think this issue is not limited to openssh - there's other things
> > that want to occasionally save stuff to /etc, /var, even /root (e.g.
> > gstreamer plugins cache).  I suppose that efforts could be made to try
> > to patch/configure these locations to all be in one place (/var ?),
> > but that still assumes a writable directory.  So, unless we direct all
> > attempts to save state to a tmpfs, I think it always come back to
> > being the user's responsibility.
> > 
> > So for now I'm content to keep openssh as it is, rather than hunt down
> > all the places that might try to write to etc (, var, $HOME, ...).
> 
> Buildroot is normally supposed to support a read-only root filesystem,
> and there are already several things being done to make this possible:
> 
>  * /etc/resolv.conf is a symbolic link to /tmp/resolv.conf
>  * Most of the /var/<foo> directories are symbolic links to /tmp.
>    Only /var/lib is not.
>  * /tmp is mounted as tmpfs, so that it's read/write even if the rootfs
>    is read only.

In OpenADK is use cfgfs - configuration filesystem. It maintains
a tmpfs based /etc and let the user commit any changes via a
commandline tool to a partition on a block/mtd device.

Only changes are compressed via LZO and written to the maximum
16 MB cfgfs partition.
http://www.openadk.org/docs/html/manual.html#_cfgfs_configuration_file_system

It allows smooth updates without loosing device configuration data.

Any interest in porting it to buildroot?

best regards
 Waldemar

[Buildroot] [PATCH 1/1] openssh: replace individual ssh-keygen calls with a single call

[Danomi Manchego]

Thomas,

On Mon, Aug 4, 2014 at 4:24 AM, Thomas Petazzoni
<thomas.petazzoni@free-electrons.com> wrote:
> Dear Danomi Manchego,
>
> On Sun, 3 Aug 2014 09:25:13 -0400, Danomi Manchego wrote:
>
>> I think this issue is not limited to openssh - there's other things
>> that want to occasionally save stuff to /etc, /var, even /root (e.g.
>> gstreamer plugins cache).  I suppose that efforts could be made to try
>> to patch/configure these locations to all be in one place (/var ?),
>> but that still assumes a writable directory.  So, unless we direct all
>> attempts to save state to a tmpfs, I think it always come back to
>> being the user's responsibility.
>>
>> So for now I'm content to keep openssh as it is, rather than hunt down
>> all the places that might try to write to etc (, var, $HOME, ...).
>
> Buildroot is normally supposed to support a read-only root filesystem,
> and there are already several things being done to make this possible:
>
>  * /etc/resolv.conf is a symbolic link to /tmp/resolv.conf
>  * Most of the /var/<foo> directories are symbolic links to /tmp.
>    Only /var/lib is not.
>  * /tmp is mounted as tmpfs, so that it's read/write even if the rootfs
>    is read only.

So - should the openssh.mk be making symlinks of all the key files to
/tmp/$FILE?  That re-introduces the maintenance burden, but I'll make
a patch along those lines if there's interest.

Danomi -

[Buildroot] [PATCH 1/1] openssh: replace individual ssh-keygen calls with a single call

[Baruch Siach]

Hi Danomi,

On Mon, Aug 04, 2014 at 10:28:08AM -0400, Danomi Manchego wrote:
> On Mon, Aug 4, 2014 at 4:24 AM, Thomas Petazzoni
> <thomas.petazzoni@free-electrons.com> wrote:
> > On Sun, 3 Aug 2014 09:25:13 -0400, Danomi Manchego wrote:
> >> I think this issue is not limited to openssh - there's other things
> >> that want to occasionally save stuff to /etc, /var, even /root (e.g.
> >> gstreamer plugins cache).  I suppose that efforts could be made to try
> >> to patch/configure these locations to all be in one place (/var ?),
> >> but that still assumes a writable directory.  So, unless we direct all
> >> attempts to save state to a tmpfs, I think it always come back to
> >> being the user's responsibility.
> >>
> >> So for now I'm content to keep openssh as it is, rather than hunt down
> >> all the places that might try to write to etc (, var, $HOME, ...).
> >
> > Buildroot is normally supposed to support a read-only root filesystem,
> > and there are already several things being done to make this possible:
> >
> >  * /etc/resolv.conf is a symbolic link to /tmp/resolv.conf
> >  * Most of the /var/<foo> directories are symbolic links to /tmp.
> >    Only /var/lib is not.
> >  * /tmp is mounted as tmpfs, so that it's read/write even if the rootfs
> >    is read only.
> 
> So - should the openssh.mk be making symlinks of all the key files to
> /tmp/$FILE?  That re-introduces the maintenance burden, but I'll make
> a patch along those lines if there's interest.

I don't think so. SSH keys should be stored in a writeable AND persistent over 
reboot location. Storing them under /tmp (ephemeral tmpfs by default) would 
make the keys regenerate on every boot, which would defeat the whole purpose 
of having host keys in the first place.

baruch

-- 
     http://baruch.siach.name/blog/                  ~. .~   Tk Open Systems
=}------------------------------------------------ooO--U--Ooo------------{=
   - baruch at tkos.co.il - tel: +972.2.679.5364, http://www.tkos.co.il -

[Buildroot] [PATCH 1/1] openssh: replace individual ssh-keygen calls with a single call

[Peter Korsgaard]

>>>>> "Waldemar" == Waldemar Brodkorb <wbx@openadk.org> writes:

Hi,

 > In OpenADK is use cfgfs - configuration filesystem. It maintains
 > a tmpfs based /etc and let the user commit any changes via a
 > commandline tool to a partition on a block/mtd device.

 > Only changes are compressed via LZO and written to the maximum
 > 16 MB cfgfs partition.
 > http://www.openadk.org/docs/html/manual.html#_cfgfs_configuration_file_system

Heh, I wrote something similar a few years ago:

http://git.korsgaard.com/cgi-bin/gitweb.cgi?p=cfg.git;a=summary

It simply stored .tar.gz's of the changed files.


 > It allows smooth updates without loosing device configuration data.

 > Any interest in porting it to buildroot?

We try hard to not enforce policy, so I wouldn't want to make cfgfs a
required package, but as an optional one it make sense. Please do.

-- 
Bye, Peter Korsgaard

[Buildroot] [PATCH 1/1] openssh: replace individual ssh-keygen calls with a single call

[Thomas Petazzoni]

Hello,

On Fri, 08 Aug 2014 22:03:31 +0200, Peter Korsgaard wrote:

>  > It allows smooth updates without loosing device configuration data.
> 
>  > Any interest in porting it to buildroot?
> 
> We try hard to not enforce policy, so I wouldn't want to make cfgfs a
> required package, but as an optional one it make sense. Please do.

Agreed. We clearly don't want people to be forced to use something such
as cfgfs, but it would definitely be useful to have that as an option.

Thomas
-- 
Thomas Petazzoni, CTO, Free Electrons
Embedded Linux, Kernel and Android engineering
http://free-electrons.com