From: Enrico Scholz <enrico.sch...@sigma-chemnitz.de>

This patch replaces the duplicate 'sshd_config_readonly' configuration
file and the logic behind it with an extra package which is installed when
the corresponding IMAGE_FEATURES are set.

**NOTE**: this causes a regression when host keys are added manually
to the image.  Users have to do

| OPENSSH_FEATURE_CONFIGURATION:remove = "openssh-config-read-only-rootfs"

in this case, or create a .bbappend for openssh-config which sets
RO_KEYDIR.

Signed-off-by: Enrico Scholz <enrico.sch...@sigma-chemnitz.de>
---
 meta/classes-recipe/core-image.bbclass              | 12 ++++++++++++
 meta/classes-recipe/rootfs-postcommands.bbclass     | 13 +------------
 meta/recipes-connectivity/openssh/openssh-config.bb |  7 +++++++
 meta/recipes-connectivity/openssh/openssh_9.6p1.bb  |  7 +------
 4 files changed, 21 insertions(+), 18 deletions(-)

diff --git a/meta/classes-recipe/core-image.bbclass 
b/meta/classes-recipe/core-image.bbclass
index 10a2905d9a27..477b6ba47042 100644
--- a/meta/classes-recipe/core-image.bbclass
+++ b/meta/classes-recipe/core-image.bbclass
@@ -84,8 +84,20 @@ CORE_IMAGE_EXTRA_INSTALL ?= ""
 IMAGE_INSTALL ?= "${CORE_IMAGE_BASE_INSTALL}"
 
 OPENSSH_FEATURE_CONFIGURATION = "\
+    ${@'openssh-config-read-only-rootfs' if etc_is_readonly(d) else ''} \
     ${@bb.utils.contains_any('IMAGE_FEATURES', [ 'debug-tweaks', 
'allow-empty-password' ], 'openssh-config-allow-empty-password', '',d)} \
     ${@bb.utils.contains_any('IMAGE_FEATURES', [ 'debug-tweaks', 
'allow-root-login' ], 'openssh-config-allow-root-login', '',d)} \
 "
 
+def etc_is_readonly(d):
+    features = (d.getVar('IMAGE_FEATURES') or "").split()
+
+    if 'read-only-rootfs' not in features:
+        return False
+
+    if 'stateless-rootfs' in features:
+        return True
+
+    return 'overlayfs-etc' not in features
+
 inherit image
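Review bot: `etc_is_readonly` has no docstring, and its name is narrower than what it decides: with `stateless-rootfs` it returns True even when `overlayfs-etc` would make /etc writable, which the comment kept in rootfs-postcommands.bbclass explains as not wanting to save keys on a stateless image. A docstring such as `"""True when sshd host keys must not be kept under /etc: read-only-rootfs is set and either stateless-rootfs is set or overlayfs-etc is not."""` keeps that intent next to the code. The function is referenced in OPENSSH_FEATURE_CONFIGURATION above its own definition, which appears to work only because the `${@...}` expression is expanded lazily; a one-line comment saying so would stop someone "fixing" the order. The same feature test survives as an inline `${@...}` expression in the rootfs-postcommands.bbclass hunk, so if that class can see this function, calling it there would keep the two from drifting apart.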
diff --git a/meta/classes-recipe/rootfs-postcommands.bbclass 
b/meta/classes-recipe/rootfs-postcommands.bbclass
index 633f88de6ec8..ba6eb84e4055 100644
--- a/meta/classes-recipe/rootfs-postcommands.bbclass
+++ b/meta/classes-recipe/rootfs-postcommands.bbclass
@@ -188,21 +188,10 @@ read_only_rootfs_hook () {
        fi
 
        # If we're using openssh and the /etc/ssh directory has no 
pre-generated keys,
-       # we should configure openssh to use the configuration file 
/etc/ssh/sshd_config_readonly
-       # and the keys under /var/run/ssh.
+       # we should configure dropbear to use the keys under /var/lib/dropbear
        # If overlayfs-etc is used this is not done as /etc is treated as 
writable
        # If stateless-rootfs is enabled this is always done as we don't want 
to save keys then
        if ${@ 'true' if not bb.utils.contains('IMAGE_FEATURES', 
'overlayfs-etc', True, False, d) or bb.utils.contains('IMAGE_FEATURES', 
'stateless-rootfs', True, False, d) else 'false'}; then
-               if [ -d ${IMAGE_ROOTFS}/etc/ssh ]; then
-                       if [ -e ${IMAGE_ROOTFS}/etc/ssh/ssh_host_rsa_key ]; then
-                               echo "SYSCONFDIR=\${SYSCONFDIR:-/etc/ssh}" >> 
${IMAGE_ROOTFS}/etc/default/ssh
-                               echo "SSHD_OPTS=" >> 
${IMAGE_ROOTFS}/etc/default/ssh
-                       else
-                               echo "SYSCONFDIR=\${SYSCONFDIR:-/var/run/ssh}" 
>> ${IMAGE_ROOTFS}/etc/default/ssh
-                               echo "SSHD_OPTS='-f 
/etc/ssh/sshd_config_readonly'" >> ${IMAGE_ROOTFS}/etc/default/ssh
-                       fi
-               fi
-
                # Also tweak the key location for dropbear in the same way.
                if [ -d ${IMAGE_ROOTFS}/etc/dropbear ]; then
                        if [ ! -e 
${IMAGE_ROOTFS}/etc/dropbear/dropbear_rsa_host_key ]; then
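Review bot: The rewritten comment now reads "If we're using openssh and the /etc/ssh directory has no pre-generated keys, we should configure dropbear to use the keys under /var/lib/dropbear", because only the second line was changed and the unchanged first line still talks about openssh; the later context line "Also tweak the key location for dropbear in the same way" likewise refers to an openssh tweak that no longer exists. Suggest changing the first line to `# If we're using dropbear and /etc/dropbear has no pre-generated keys,` and the later one to `# Tweak the key location for dropbear.`. `read_only_rootfs_hook` starts before this hunk and continues after it.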
diff --git a/meta/recipes-connectivity/openssh/openssh-config.bb 
b/meta/recipes-connectivity/openssh/openssh-config.bb
index d4ed661d8299..d2d0d9f4ad0d 100644
--- a/meta/recipes-connectivity/openssh/openssh-config.bb
+++ b/meta/recipes-connectivity/openssh/openssh-config.bb
@@ -9,6 +9,9 @@ SRC_URI = "\
     file://80-oe.conf \
 "
 
+RO_KEYDIR ??= "/var/run/ssh"
+KEY_ALGORITHMS ??= "rsa ecdsa ed25519"
+
 do_install() {
     d=${D}${sysconfdir}/ssh/sshd_config.d
     install -d "$d"
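Review bot: `RO_KEYDIR` and `KEY_ALGORITHMS` are the variables the commit message tells users to override from a .bbappend, but neither carries a comment explaining what it controls or why the default is weak. Suggest `# Directory sshd reads host keys from on a read-only rootfs; override (or drop the read-only package) when keys are pre-provisioned under /etc/ssh` above `RO_KEYDIR` and `# Key types a HostKey entry is written for; keep in sync with whatever generates keys in RO_KEYDIR at boot` above `KEY_ALGORITHMS`. I cannot see here what generates the keys at runtime, so the second comment should be worded according to that component.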
@@ -27,6 +30,10 @@ do_install() {
     if [ "${@bb.utils.filter('DISTRO_FEATURES', 'x11', d)}" ]; then
         echo "X11Forwarding yes" >> "$f"
     fi
+
+    for alg in ${KEY_ALGORITHMS}; do
+        printf 'HostKey %s/ssh_host_%s_key\n' '${RO_KEYDIR}' "$alg"
+    done > $d/60-read-only-rootfs.conf
 }
 
 python populate_packages:prepend() {
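Review bot: The redirect target `$d/60-read-only-rootfs.conf` is unquoted while the same variable is quoted as `"$d"` a few lines earlier in `do_install`; for consistency use `done > "$d/60-read-only-rootfs.conf"`, and give the loop a one-line comment such as `# Point sshd at the volatile key directory when /etc is read-only`. One behavioural difference from the removed `sed -i '/HostKey/d'` approach is worth a comment too: sshd accumulates every HostKey directive it sees, so this drop-in adds to rather than replaces any HostKey set in sshd_config or another drop-in, and whether that matters depends on the shipped sshd_config, which is not visible here. The file is written unconditionally; which package it lands in is decided in `populate_packages:prepend`, which begins at the end of this hunk and is outside it.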
diff --git a/meta/recipes-connectivity/openssh/openssh_9.6p1.bb 
b/meta/recipes-connectivity/openssh/openssh_9.6p1.bb
index e792b459d838..29bc132de8ef 100644
--- a/meta/recipes-connectivity/openssh/openssh_9.6p1.bb
+++ b/meta/recipes-connectivity/openssh/openssh_9.6p1.bb
@@ -121,11 +121,6 @@ do_install:append () {
 
        # Create config files for read-only rootfs
        install -d ${D}${sysconfdir}/ssh
-       install -m 644 ${D}${sysconfdir}/ssh/sshd_config 
${D}${sysconfdir}/ssh/sshd_config_readonly
-       sed -i '/HostKey/d' ${D}${sysconfdir}/ssh/sshd_config_readonly
-       echo "HostKey /var/run/ssh/ssh_host_rsa_key" >> 
${D}${sysconfdir}/ssh/sshd_config_readonly
-       echo "HostKey /var/run/ssh/ssh_host_ecdsa_key" >> 
${D}${sysconfdir}/ssh/sshd_config_readonly
-       echo "HostKey /var/run/ssh/ssh_host_ed25519_key" >> 
${D}${sysconfdir}/ssh/sshd_config_readonly
 
        install -d ${D}${systemd_system_unitdir}
        if 
${@bb.utils.contains('PACKAGECONFIG','systemd-sshd-socket-mode','true','false',d)};
 then
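Review bot: With the sshd_config_readonly lines removed, the retained comment `# Create config files for read-only rootfs` now introduces only `install -d ${D}${sysconfdir}/ssh` followed by the systemd unit installation, so it no longer describes the code under it. Suggest replacing it with `# Make sure the sshd configuration directory exists` or dropping it. `do_install:append` starts before this hunk and continues after it.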
@@ -165,7 +160,7 @@ PACKAGES =+ "${PN}-keygen ${PN}-scp ${PN}-ssh ${PN}-sshd 
${PN}-sftp ${PN}-misc $
 FILES:${PN}-scp = "${bindir}/scp.${BPN}"
 FILES:${PN}-ssh = "${bindir}/ssh.${BPN} ${sysconfdir}/ssh/ssh_config"
 FILES:${PN}-sshd = "${sbindir}/sshd ${sysconfdir}/init.d/sshd 
${systemd_system_unitdir}"
-FILES:${PN}-sshd += "${sysconfdir}/ssh/moduli ${sysconfdir}/ssh/sshd_config 
${sysconfdir}/ssh/sshd_config_readonly ${sysconfdir}/default/volatiles/99_sshd 
${sysconfdir}/pam.d/sshd"
+FILES:${PN}-sshd += "${sysconfdir}/ssh/moduli ${sysconfdir}/ssh/sshd_config 
${sysconfdir}/default/volatiles/99_sshd ${sysconfdir}/pam.d/sshd"
 FILES:${PN}-sshd += "${libexecdir}/${BPN}/sshd_check_keys"
 FILES:${PN}-sftp = "${bindir}/sftp"
 FILES:${PN}-sftp-server = "${libexecdir}/sftp-server"
-- 
2.44.0
