On Thu, 2024-03-14 at 11:00 +0000, Richard Purdie via
lists.openembedded.org wrote:
> On Mon, 2024-03-11 at 10:19 -0700, Enrico Scholz via
> lists.openembedded.org wrote:
> > To deal with system setups, sshd was configured in the following
> > way:
> > 
> >  - sshd_config is shipped completely by OE and DISTRO_FEATURES (pam,
> >    x11) are patched in during do_install
> > 
> >    --> this is difficult to maintain; e.g. sshd_config must be
> >        synchronized between OpenSSH releases and OE adaptations
> >        manually inserted
> > 
> >  - two different configuration files (sshd_config + sshd_config_readonly)
> >    are created; IMAGE_FEATURES decides which one is used and it is patched
> >    in a ROOTFS_COMMAND in the system
> > 
> >    --> this makes it difficult for third party recipes to incorporate
> >        their changes (they have to go over both files)
> > 
> >    --> the readonly HostKey locations and algorithms are hardcoded
> >        which makes it difficult to place them e.g. on a persistent
> >        /opt partition and disable e.g. ecdsa
> > 
> >  - depending on IMAGE_FEATURES (empty passwords, root login), both
> >    files are patched by a ROOTFS_POSTCOMMAND
> > 
> >    --> these changes are lost when pkgmgmt is used for the image and
> >        openssh is updated
> > 
> > 
> > The patchset:
> > 
> >  - reduces changes to sshd_config to
> > 
> >    | Include /etc/ssh/sshd_config.d/*.conf
> > 
> >    --> This is already done in the current recipe and most mainline
> >        Linux distributions are doing it
> > 
> >  - moves configuration into a new openssh-config recipe which is a weak
> >    dependency of openssh (and can be replaced by another IMAGE_INSTALL)
> > 
> >    Recipe ships configuration as small snippets which might contain
> >    dynamically created content (e.g. 'UsePAM yes')
> > 
> >  - IMAGE_FEATURE based setup is done by creating subpackages with
> >    the corresponding options.  These subpackages are added to
> >    FEATURE_PACKAGES_ssh-server-openssh
> > 
> >  - readonly rootfs setup has been enhanced by
> > 
> >    | RO_KEYDIR ??= "/var/run/ssh"
> >    | KEY_ALGORITHMS ??= "rsa ecdsa ed25519"
> > 
> >    parameters which can be overridden.
> 
> 
> Thanks for sending this. I suspect something like this might be
> desirable however unfortunately the timing is a little tricky as we're
> just past the feature freeze point for 5.0.
> 
> I know people often want to push for the inclusion of things into
> something like the LTS so I did put this through the automated testing,
> just to get an idea of the potential issues.
> 
> The first run had lots of these warnings:
> 
> https://autobuilder.yoctoproject.org/typhoon/#/builders/63/builds/8649/steps/14/logs/warnings
> 
> so I squashed a fix in for that. The second run had this:
> 
> https://autobuilder.yoctoproject.org/typhoon/#/builders/81/builds/6390/steps/12/logs/stdio
> 
> which suggests ssh connections into our image testing don't work. It
> is unclear why that is failing there but there were indications in the
> previous build that other ssh connections were working ok. It could be
> dropbear vs openssh at a guess. That build is still ongoing too so
> there may be other issues.
> 
> Anyway I just wanted to highlight the testing results and to say that
> this is something we should think about but it will have to wait until
> after 5.0 releases.
> 
> I haven't reviewed the patches in much detail, I mainly wanted to get
> the automated testing results shared.

Some further related warnings:

https://autobuilder.yoctoproject.org/typhoon/#/builders/23/builds/9031/steps/11/logs/warnings

Cheers,

Richard
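Added example, not part of the patchset or of OE itself: once sshd_config is reduced to an Include of /etc/ssh/sshd_config.d/*.conf snippets, the setting that actually takes effect follows sshd's precedence (first obtained value wins, Include expanded in place in lexical order), so a snippet from an IMAGE_FEATURES subpackage can silently override a hardened default in the main file. The resolver below reproduces that precedence over a constructed in-memory set of files; all paths, file names and contents are made up for illustration.

```python
"""Resolve the effective sshd configuration across a main sshd_config and its
Include'd drop-in snippets, following sshd's own rules: the first value
obtained for a keyword wins, and an Include is expanded in place with its
matching files taken in lexical (glob) order. Constructed sample data."""
import fnmatch

# Constructed in-memory "filesystem": main config plus drop-in snippets.
SAMPLE_FS = {
    "/etc/ssh/sshd_config": (
        "Include /etc/ssh/sshd_config.d/*.conf\n"
        "PermitRootLogin prohibit-password\n"   # hardened default in main file
        "PasswordAuthentication yes\n"),
    "/etc/ssh/sshd_config.d/10-readonly.conf": (
        "HostKey /var/run/ssh/ssh_host_rsa_key\n"
        "HostKey /var/run/ssh/ssh_host_ed25519_key\n"),
    "/etc/ssh/sshd_config.d/20-pam.conf": "UsePAM yes\n",
    # hypothetical snippet shipped by an IMAGE_FEATURES subpackage
    "/etc/ssh/sshd_config.d/30-allow-root-login.conf": (
        "PermitRootLogin yes\n"
        "PermitEmptyPasswords yes\n"),
}

def _matches(pattern, fs):
    """Files matching an Include pattern, in lexical order like glob(3)."""
    return sorted(p for p in fs if fnmatch.fnmatch(p, pattern))

def _directives(path, fs, seen):
    """Yield (keyword, value) pairs from path, expanding Include in place."""
    if path in seen:                      # guard against an Include loop
        return
    seen.add(path)
    for raw in fs.get(path, "").splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "include":
            for sub in _matches(value, fs):
                yield from _directives(sub, fs, seen)
        else:
            yield key, value

def effective_config(fs, root="/etc/ssh/sshd_config"):
    """First obtained value wins; HostKey accumulates (sshd allows several)."""
    result = {}
    for key, value in _directives(root, fs, set()):
        if key == "hostkey":
            result.setdefault(key, []).append(value)
        else:
            result.setdefault(key, value)
    return result

def audit(fs, weak=(("permitrootlogin", "yes"), ("permitemptypasswords", "yes"))):
    """Keywords whose effective value is one of the listed weak settings."""
    cfg = effective_config(fs)
    return [key for key, bad in weak if cfg.get(key) == bad]
```

Because the Include sits at the top of the main file, the snippet's PermitRootLogin is obtained first and wins over the main file's prohibit-password; running the same resolver against the image after a package upgrade shows whether a setting really survived.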
View/Reply Online (#197108): 
https://lists.openembedded.org/g/openembedded-core/message/197108