
openssh: factor out sshd hostkey setup to separate function

Message ID 20240710210101.2634538-1-rasmus.villemoes@prevas.dk
State Accepted, archived
Commit 09dd5cceecfaa2046f7ed070690b000181723fd2

Commit Message

Rasmus Villemoes July 10, 2024, 9:01 p.m. UTC
From: Rasmus Villemoes <rasmus.villemoes@prevas.dk>

Commit 0827c29566 (openssh: allow configuration of hostkey type) broke
our setup. We make use of the 'Include /etc/ssh/sshd_config.d/*.conf'
and put a hostkeys.conf file in there, configuring the types and
locations of the sshd host keys.

With that commit, we now get an extra "HostKey
/etc/ssh/ssh_host_ecdsa_key" line in the sshd_config. And while we
could avoid that by removing all hostkey-* items from PACKAGECONFIG,
other people providing their own sshd_config via a .bbappend now have
their HostKey settings unconditionally removed by the 'sed'
invocations, regardless of PACKAGECONFIG.

To make it easier for downstream layers and BSPs to define (and
preserve) their own logic for placement and type of sshd host keys,
factor out the new logic to a separate shell function. Downstream
layers can then simply override that by an empty function and keep the
behaviour they used to have.

Signed-off-by: Rasmus Villemoes <rasmus.villemoes@prevas.dk>
---
 .../openssh/openssh_9.7p1.bb                  | 48 ++++++++++---------
 1 file changed, 26 insertions(+), 22 deletions(-)


diff --git a/meta/recipes-connectivity/openssh/openssh_9.7p1.bb b/meta/recipes-connectivity/openssh/openssh_9.7p1.bb
index 69eade3ee7..4a08c0bd66 100644
--- a/meta/recipes-connectivity/openssh/openssh_9.7p1.bb
+++ b/meta/recipes-connectivity/openssh/openssh_9.7p1.bb
@@ -113,6 +113,31 @@  do_compile_ptest() {
 	oe_runmake regress-binaries regress-unit-binaries
 }
 
+sshd_hostkey_setup() {
+	# Enable specific ssh host keys
+	sed -i '/HostKey/d' ${D}${sysconfdir}/ssh/sshd_config
+	if ${@bb.utils.contains('PACKAGECONFIG','hostkey-rsa','true','false',d)}; then
+		echo "HostKey /etc/ssh/ssh_host_rsa_key" >> ${D}${sysconfdir}/ssh/sshd_config
+	fi
+	if ${@bb.utils.contains('PACKAGECONFIG','hostkey-ecdsa','true','false',d)}; then
+		echo "HostKey /etc/ssh/ssh_host_ecdsa_key" >> ${D}${sysconfdir}/ssh/sshd_config
+	fi
+	if ${@bb.utils.contains('PACKAGECONFIG','hostkey-ed25519','true','false',d)}; then
+		echo "HostKey /etc/ssh/ssh_host_ed25519_key" >> ${D}${sysconfdir}/ssh/sshd_config
+	fi
+
+	sed -i '/HostKey/d' ${D}${sysconfdir}/ssh/sshd_config_readonly
+	if ${@bb.utils.contains('PACKAGECONFIG','hostkey-rsa','true','false',d)}; then
+		echo "HostKey /var/run/ssh/ssh_host_rsa_key" >> ${D}${sysconfdir}/ssh/sshd_config_readonly
+	fi
+	if ${@bb.utils.contains('PACKAGECONFIG','hostkey-ecdsa','true','false',d)}; then
+		echo "HostKey /var/run/ssh/ssh_host_ecdsa_key" >> ${D}${sysconfdir}/ssh/sshd_config_readonly
+	fi
+	if ${@bb.utils.contains('PACKAGECONFIG','hostkey-ed25519','true','false',d)}; then
+		echo "HostKey /var/run/ssh/ssh_host_ed25519_key" >> ${D}${sysconfdir}/ssh/sshd_config_readonly
+	fi
+}
+
 do_install:append () {
 	if [ "${@bb.utils.filter('DISTRO_FEATURES', 'pam', d)}" ]; then
 		install -D -m 0644 ${UNPACKDIR}/sshd ${D}${sysconfdir}/pam.d/sshd
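Review bot: The two `sed -i '/HostKey/d'` calls in sshd_hostkey_setup are unanchored substring matches, so they remove any line containing "HostKey", which would include a `HostKeyAlgorithms` or `HostKeyAgent` directive if a downstream sshd_config carries one (the shipped default config is not visible here, so whether that happens today is inferred). Since the function exists precisely so that downstream layers can keep their own hostkey logic, silently dropping related directives is surprising. Restricting the match to the HostKey keyword itself avoids that, e.g. `sed -i '/^[[:space:]#]*HostKey[[:space:]]/d' ${D}${sysconfdir}/ssh/sshd_config` and the same pattern for sshd_config_readonly. A one-line comment such as `# Drop existing (possibly commented) HostKey lines; keep HostKeyAlgorithms etc.` would make the intent explicit.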
@@ -131,31 +156,9 @@  do_install:append () {
 	install -m 644 ${UNPACKDIR}/volatiles.99_sshd ${D}/${sysconfdir}/default/volatiles/99_sshd
 	install -m 0755 ${S}/contrib/ssh-copy-id ${D}${bindir}
 
-        # Enable specific ssh host keys
-	sed -i '/HostKey/d' ${D}${sysconfdir}/ssh/sshd_config
-	if ${@bb.utils.contains('PACKAGECONFIG','hostkey-rsa','true','false',d)}; then
-	    echo "HostKey /etc/ssh/ssh_host_rsa_key" >> ${D}${sysconfdir}/ssh/sshd_config
-        fi
-	if ${@bb.utils.contains('PACKAGECONFIG','hostkey-ecdsa','true','false',d)}; then
-	    echo "HostKey /etc/ssh/ssh_host_ecdsa_key" >> ${D}${sysconfdir}/ssh/sshd_config
-        fi
-	if ${@bb.utils.contains('PACKAGECONFIG','hostkey-ed25519','true','false',d)}; then
-	    echo "HostKey /etc/ssh/ssh_host_ed25519_key" >> ${D}${sysconfdir}/ssh/sshd_config
-        fi
-
 	# Create config files for read-only rootfs
 	install -d ${D}${sysconfdir}/ssh
 	install -m 644 ${D}${sysconfdir}/ssh/sshd_config ${D}${sysconfdir}/ssh/sshd_config_readonly
-	sed -i '/HostKey/d' ${D}${sysconfdir}/ssh/sshd_config_readonly
-	if ${@bb.utils.contains('PACKAGECONFIG','hostkey-rsa','true','false',d)}; then
-	    echo "HostKey /var/run/ssh/ssh_host_rsa_key" >> ${D}${sysconfdir}/ssh/sshd_config_readonly
-        fi
-	if ${@bb.utils.contains('PACKAGECONFIG','hostkey-ecdsa','true','false',d)}; then
-	    echo "HostKey /var/run/ssh/ssh_host_ecdsa_key" >> ${D}${sysconfdir}/ssh/sshd_config_readonly
-        fi
-	if ${@bb.utils.contains('PACKAGECONFIG','hostkey-ed25519','true','false',d)}; then
-	    echo "HostKey /var/run/ssh/ssh_host_ed25519_key" >> ${D}${sysconfdir}/ssh/sshd_config_readonly
-        fi
 
 	install -d ${D}${systemd_system_unitdir}
 	if ${@bb.utils.contains('PACKAGECONFIG','systemd-sshd-socket-mode','true','false',d)}; then
@@ -181,6 +184,7 @@  do_install:append () {
 		${D}${sysconfdir}/init.d/sshd
 
 	install -D -m 0755 ${UNPACKDIR}/sshd_check_keys ${D}${libexecdir}/${BPN}/sshd_check_keys
+	sshd_hostkey_setup
 }
 
 do_install_ptest () {
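Review bot: The new `sshd_hostkey_setup` call at the end of do_install:append has an implicit ordering dependency that is not documented: the function edits both sshd_config and sshd_config_readonly, so it must run after the readonly copy has been created earlier in the same function, and moving the call above that `install` would leave sshd_config_readonly without HostKey lines. A comment on the call would preserve that knowledge, e.g. `# Must run after sshd_config_readonly has been copied from sshd_config; downstream layers may override this function.` do_install:append starts outside this hunk.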