From: Enrico Scholz <enrico.sch...@sigma-chemnitz.de> This patch replaces the duplicate 'sshd_config_readonly' configuration file, and the logic behind it, with an extra package that is installed when the corresponding IMAGE_FEATURES are set.
**NOTE**: this causes a regression when host keys are added manually to the image. Users have to do | OPENSSH_FEATURE_CONFIGURATION:remove = "openssh-config-read-only-rootfs" in this case, or create a .bbappend for openssh-config which sets RO_KEYDIR.
Signed-off-by: Enrico Scholz <enrico.sch...@sigma-chemnitz.de>
---
 meta/classes-recipe/core-image.bbclass | 12 ++++++++++++
 meta/classes-recipe/rootfs-postcommands.bbclass | 13 +------------
 meta/recipes-connectivity/openssh/openssh-config.bb | 7 +++++++
 meta/recipes-connectivity/openssh/openssh_9.6p1.bb | 7 +------
 4 files changed, 21 insertions(+), 18 deletions(-)
diff --git a/meta/classes-recipe/core-image.bbclass b/meta/classes-recipe/core-image.bbclass
index 10a2905d9a27..477b6ba47042 100644
--- a/meta/classes-recipe/core-image.bbclass
+++ b/meta/classes-recipe/core-image.bbclass
@@ -84,8 +84,20 @@ CORE_IMAGE_EXTRA_INSTALL ?= ""
 IMAGE_INSTALL ?= "${CORE_IMAGE_BASE_INSTALL}"
 OPENSSH_FEATURE_CONFIGURATION = "\
+ ${@'openssh-config-read-only-rootfs' if etc_is_readonly(d) else ''} \
 ${@bb.utils.contains_any('IMAGE_FEATURES', [ 'debug-tweaks', 'allow-empty-password' ], 'openssh-config-allow-empty-password', '',d)} \
 ${@bb.utils.contains_any('IMAGE_FEATURES', [ 'debug-tweaks', 'allow-root-login' ], 'openssh-config-allow-root-login', '',d)} \
 "
+def etc_is_readonly(d):
+ features = (d.getVar('IMAGE_FEATURES') or "").split()
+
+ if 'read-only-rootfs' not in features:
+ return False
+
+ if 'stateless-rootfs' in features:
+ return True
+
+ return 'overlayfs-etc' not in features
+
 inherit image
diff --git a/meta/classes-recipe/rootfs-postcommands.bbclass b/meta/classes-recipe/rootfs-postcommands.bbclass
index 633f88de6ec8..ba6eb84e4055 100644
--- a/meta/classes-recipe/rootfs-postcommands.bbclass
+++ b/meta/classes-recipe/rootfs-postcommands.bbclass
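Review bot: `etc_is_readonly` is added without a docstring, and the precedence it encodes (stateless-rootfs wins over overlayfs-etc) is exactly the non-obvious part of the shell condition this series removes from rootfs-postcommands.bbclass. A docstring such as `"""True when /etc stays read-only at runtime: read-only-rootfs without overlayfs-etc, or with stateless-rootfs (keys are not to be saved then)."""` would carry that reasoning over to the new home. Because this is a bare def in a bbclass, the name is shared with every other class the image inherits; a less generic name or a leading underscore would lower the chance of a collision, though the hunk itself shows no conflict. Referencing the function from the `${@...}` expression above its def is presumably fine since inline Python is evaluated at expansion time, but a one-line comment saying so would save the next reader the question.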
@@ -188,21 +188,10 @@ read_only_rootfs_hook () {
 fi
 # If we're using openssh and the /etc/ssh directory has no pre-generated keys,
- # we should configure openssh to use the configuration file /etc/ssh/sshd_config_readonly
- # and the keys under /var/run/ssh.
+ # we should configure dropbear to use the keys under /var/lib/dropbear
 # If overlayfs-etc is used this is not done as /etc is treated as writable
 # If stateless-rootfs is enabled this is always done as we don't want to save keys then
 if ${@ 'true' if not bb.utils.contains('IMAGE_FEATURES', 'overlayfs-etc', True, False, d) or bb.utils.contains('IMAGE_FEATURES', 'stateless-rootfs', True, False, d) else 'false'}; then
- if [ -d ${IMAGE_ROOTFS}/etc/ssh ]; then
- if [ -e ${IMAGE_ROOTFS}/etc/ssh/ssh_host_rsa_key ]; then
- echo "SYSCONFDIR=\${SYSCONFDIR:-/etc/ssh}" >> ${IMAGE_ROOTFS}/etc/default/ssh
- echo "SSHD_OPTS=" >> ${IMAGE_ROOTFS}/etc/default/ssh
- else
- echo "SYSCONFDIR=\${SYSCONFDIR:-/var/run/ssh}" >> ${IMAGE_ROOTFS}/etc/default/ssh
- echo "SSHD_OPTS='-f /etc/ssh/sshd_config_readonly'" >> ${IMAGE_ROOTFS}/etc/default/ssh
- fi
- fi
- # Also tweak the key location for dropbear in the same way.
 if [ -d ${IMAGE_ROOTFS}/etc/dropbear ]; then
 if [ ! -e ${IMAGE_ROOTFS}/etc/dropbear/dropbear_rsa_host_key ]; then
diff --git a/meta/recipes-connectivity/openssh/openssh-config.bb b/meta/recipes-connectivity/openssh/openssh-config.bb
index d4ed661d8299..d2d0d9f4ad0d 100644
--- a/meta/recipes-connectivity/openssh/openssh-config.bb
+++ b/meta/recipes-connectivity/openssh/openssh-config.bb
@@ -9,6 +9,9 @@ SRC_URI = "\
 file://80-oe.conf \
 "
+RO_KEYDIR ??= "/var/run/ssh"
+KEY_ALGORITHMS ??= "rsa ecdsa ed25519"
+
 do_install() {
 d=${D}${sysconfdir}/ssh/sshd_config.d
 install -d "$d"
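Review bot: The context comment `# If we're using openssh and the /etc/ssh directory has no pre-generated keys,` is left in place although everything below it is now dropbear-only, so the block reads "using openssh ... configure dropbear"; it should become `# If we're using dropbear and the /etc/dropbear directory has no pre-generated keys,` to match the added line. The removed branch also wrote `SYSCONFDIR=/var/run/ssh` into /etc/default/ssh and nothing in this series re-establishes it; unless sshd_check_keys and the init/systemd units derive the key directory from the HostKey directives, key generation on a read-only rootfs would still target /etc/ssh and sshd would find no keys under the new drop-in's path — worth confirming against the key generation script in the openssh recipe. read_only_rootfs_hook continues outside the hunk.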
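Review bot: `RO_KEYDIR` and `KEY_ALGORITHMS` are introduced as tunables without any comment on what they control or that a .bbappend is the intended way to override them (the commit message says so, the recipe does not). Two comment lines would do: `# Directory sshd loads its host keys from when /etc is read-only; override in a .bbappend` above `RO_KEYDIR`, and `# Key types for which a HostKey line is emitted into the read-only drop-in` above `KEY_ALGORITHMS`. The rest of do_install is outside this hunk.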
@@ -27,6 +30,10 @@ do_install() {
 if [ "${@bb.utils.filter('DISTRO_FEATURES', 'x11', d)}" ]; then
 echo "X11Forwarding yes" >> "$f"
 fi
+
+ for alg in ${KEY_ALGORITHMS}; do
+ printf 'HostKey %s/ssh_host_%s_key\n' '${RO_KEYDIR}' "$alg"
+ done > $d/60-read-only-rootfs.conf
 }
 python populate_packages:prepend() {
diff --git a/meta/recipes-connectivity/openssh/openssh_9.6p1.bb b/meta/recipes-connectivity/openssh/openssh_9.6p1.bb
index e792b459d838..29bc132de8ef 100644
--- a/meta/recipes-connectivity/openssh/openssh_9.6p1.bb
+++ b/meta/recipes-connectivity/openssh/openssh_9.6p1.bb
@@ -121,11 +121,6 @@ do_install:append () {
 # Create config files for read-only rootfs
 install -d ${D}${sysconfdir}/ssh
- install -m 644 ${D}${sysconfdir}/ssh/sshd_config ${D}${sysconfdir}/ssh/sshd_config_readonly
- sed -i '/HostKey/d' ${D}${sysconfdir}/ssh/sshd_config_readonly
- echo "HostKey /var/run/ssh/ssh_host_rsa_key" >> ${D}${sysconfdir}/ssh/sshd_config_readonly
- echo "HostKey /var/run/ssh/ssh_host_ecdsa_key" >> ${D}${sysconfdir}/ssh/sshd_config_readonly
- echo "HostKey /var/run/ssh/ssh_host_ed25519_key" >> ${D}${sysconfdir}/ssh/sshd_config_readonly
 install -d ${D}${systemd_system_unitdir}
 if ${@bb.utils.contains('PACKAGECONFIG','systemd-sshd-socket-mode','true','false',d)}; then
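Review bot: `done > $d/60-read-only-rootfs.conf` leaves `$d` unquoted while the same function quotes it in `install -d "$d"` a few lines up; `done > "$d/60-read-only-rootfs.conf"` keeps the style consistent. The drop-in is generated unconditionally and the hunk does not show it being assigned to a package; if the `populate_packages:prepend` that follows does not claim it for `openssh-config-read-only-rootfs`, the file lands in the base openssh-config package and every image installing it would have sshd look for host keys under `${RO_KEYDIR}`, whose default /var/run/ssh is typically volatile, so keys would be regenerated on each boot and clients would see changed host keys. That split is presumably handled below, but it is worth confirming since the rest of do_install is outside the hunk.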
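Review bot: The context comment `# Create config files for read-only rootfs` now describes only `install -d ${D}${sysconfdir}/ssh`, which no longer creates any read-only configuration; it should be reworded, e.g. `# Make sure ${sysconfdir}/ssh exists for the packaged configuration` (read-only host key handling lives in openssh-config's sshd_config.d drop-in). The removed `sed -i '/HostKey/d'` also had no equivalent in the drop-in approach: sshd accumulates HostKey directives across the main config and included files, so if the shipped sshd_config carries uncommented HostKey lines they stay active alongside the ${RO_KEYDIR} ones — this is inferred from sshd's semantics, not visible in the hunk, and is harmless only if those lines are commented. do_install:append continues outside the hunk.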
@@ -165,7 +160,7 @@ PACKAGES =+ "${PN}-keygen ${PN}-scp ${PN}-ssh ${PN}-sshd ${PN}-sftp ${PN}-misc $
 FILES:${PN}-scp = "${bindir}/scp.${BPN}"
 FILES:${PN}-ssh = "${bindir}/ssh.${BPN} ${sysconfdir}/ssh/ssh_config"
 FILES:${PN}-sshd = "${sbindir}/sshd ${sysconfdir}/init.d/sshd ${systemd_system_unitdir}"
-FILES:${PN}-sshd += "${sysconfdir}/ssh/moduli ${sysconfdir}/ssh/sshd_config ${sysconfdir}/ssh/sshd_config_readonly ${sysconfdir}/default/volatiles/99_sshd ${sysconfdir}/pam.d/sshd"
+FILES:${PN}-sshd += "${sysconfdir}/ssh/moduli ${sysconfdir}/ssh/sshd_config ${sysconfdir}/default/volatiles/99_sshd ${sysconfdir}/pam.d/sshd"
 FILES:${PN}-sshd += "${libexecdir}/${BPN}/sshd_check_keys"
 FILES:${PN}-sftp = "${bindir}/sftp"
 FILES:${PN}-sftp-server = "${libexecdir}/sftp-server"
--
2.44.0