@@ -84,8 +84,20 @@ CORE_IMAGE_EXTRA_INSTALL ?= ""
IMAGE_INSTALL ?= "${CORE_IMAGE_BASE_INSTALL}"
OPENSSH_FEATURE_CONFIGURATION = "\
+ ${@'openssh-config-read-only-rootfs' if etc_is_readonly(d) else ''} \
${@bb.utils.contains_any('IMAGE_FEATURES', [ 'debug-tweaks', 'allow-empty-password' ], 'openssh-config-allow-empty-password', '',d)} \
${@bb.utils.contains_any('IMAGE_FEATURES', [ 'debug-tweaks', 'allow-root-login' ], 'openssh-config-allow-root-login', '',d)} \
"
+def etc_is_readonly(d):
+ features = (d.getVar('IMAGE_FEATURES') or "").split()
+
+ if 'read-only-rootfs' not in features:
+ return False
+
+ if 'stateless-rootfs' in features:
+ return True
+
+ return 'overlayfs-etc' not in features
+
inherit image
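Review bot: `etc_is_readonly` has no docstring, and the precedence it encodes (stateless-rootfs wins over overlayfs-etc) is exactly the kind of rule the next maintainer will second-guess, so add one along the lines of `"""True when sshd must treat /etc as read-only: needs read-only-rootfs; stateless-rootfs forces it even with overlayfs-etc so host keys never persist; otherwise overlayfs-etc makes /etc writable."""`. The helper is referenced in `OPENSSH_FEATURE_CONFIGURATION` before it is defined, which is fine because `${@...}` expands lazily, but a one-line comment above the assignment saying so would save a reader a trip. Worth stating in the docstring as well that selecting `openssh-config-read-only-rootfs` points sshd at a volatile key directory (the `RO_KEYDIR` default in this same series is `/var/run/ssh`), which operators should understand before enabling `read-only-rootfs` without `overlayfs-etc`.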
@@ -188,21 +188,10 @@ read_only_rootfs_hook () {
fi
# If we're using openssh and the /etc/ssh directory has no pre-generated keys,
- # we should configure openssh to use the configuration file /etc/ssh/sshd_config_readonly
- # and the keys under /var/run/ssh.
+ # we should configure dropbear to use the keys under /var/lib/dropbear
# If overlayfs-etc is used this is not done as /etc is treated as writable
# If stateless-rootfs is enabled this is always done as we don't want to save keys then
if ${@ 'true' if not bb.utils.contains('IMAGE_FEATURES', 'overlayfs-etc', True, False, d) or bb.utils.contains('IMAGE_FEATURES', 'stateless-rootfs', True, False, d) else 'false'}; then
- if [ -d ${IMAGE_ROOTFS}/etc/ssh ]; then
- if [ -e ${IMAGE_ROOTFS}/etc/ssh/ssh_host_rsa_key ]; then
- echo "SYSCONFDIR=\${SYSCONFDIR:-/etc/ssh}" >> ${IMAGE_ROOTFS}/etc/default/ssh
- echo "SSHD_OPTS=" >> ${IMAGE_ROOTFS}/etc/default/ssh
- else
- echo "SYSCONFDIR=\${SYSCONFDIR:-/var/run/ssh}" >> ${IMAGE_ROOTFS}/etc/default/ssh
- echo "SSHD_OPTS='-f /etc/ssh/sshd_config_readonly'" >> ${IMAGE_ROOTFS}/etc/default/ssh
- fi
- fi
-
# Also tweak the key location for dropbear in the same way.
if [ -d ${IMAGE_ROOTFS}/etc/dropbear ]; then
if [ ! -e ${IMAGE_ROOTFS}/etc/dropbear/dropbear_rsa_host_key ]; then
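Review bot: The comment block is now internally inconsistent: the untouched line `# If we're using openssh and the /etc/ssh directory has no pre-generated keys,` is followed by the new `# we should configure dropbear to use the keys under /var/lib/dropbear`, and the later `# Also tweak the key location for dropbear in the same way.` no longer has an openssh block to refer to. Change the first to `# If we're using dropbear and the /etc/dropbear directory has no pre-generated keys,` and the latter to `# Point dropbear at a volatile key location.`. Separately, the removed lines were the only place visible here that set `SYSCONFDIR=/var/run/ssh` in `/etc/default/ssh` for the key-generation step; unless the new `openssh-config-read-only-rootfs` package does that elsewhere (not visible in this diff), sshd_check_keys may generate into read-only `/etc/ssh` while the drop-in tells sshd to load keys from `/var/run/ssh`, so please confirm where keys are generated on a read-only image. Note also that the old code honoured pre-generated `/etc/ssh/ssh_host_rsa_key`, whereas the new unconditional drop-in appears not to; if that is intended it deserves a comment. `read_only_rootfs_hook` both starts and ends outside this hunk.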
@@ -9,6 +9,9 @@ SRC_URI = "\
file://80-oe.conf \
"
+RO_KEYDIR ??= "/var/run/ssh"
+KEY_ALGORITHMS ??= "rsa ecdsa ed25519"
+
do_install() {
d=${D}${sysconfdir}/ssh/sshd_config.d
install -d "$d"
@@ -27,6 +30,10 @@ do_install() {
if [ "${@bb.utils.filter('DISTRO_FEATURES', 'x11', d)}" ]; then
echo "X11Forwarding yes" >> "$f"
fi
+
+ for alg in ${KEY_ALGORITHMS}; do
+ printf 'HostKey %s/ssh_host_%s_key\n' '${RO_KEYDIR}' "$alg"
+ done > $d/60-read-only-rootfs.conf
}
python populate_packages:prepend() {
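Review bot: The redirect target `done > $d/60-read-only-rootfs.conf` is unquoted while the rest of `do_install` quotes `"$d"`; use `done > "$d/60-read-only-rootfs.conf"` for consistency and so a sysconfdir containing spaces cannot split the path. The file's mode is also inherited from the build umask rather than set explicitly, unlike the `install -m` used elsewhere; adding `chmod 0644 "$d/60-read-only-rootfs.conf"` after the loop pins the permissions sshd expects for `sshd_config.d` drop-ins. The new drop-in must also be assigned to the `openssh-config-read-only-rootfs` package by the `populate_packages:prepend` below, which is outside this hunk, so please verify it is not swept into the wrong package. `do_install` begins before this hunk.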
@@ -121,11 +121,6 @@ do_install:append () {
# Create config files for read-only rootfs
install -d ${D}${sysconfdir}/ssh
- install -m 644 ${D}${sysconfdir}/ssh/sshd_config ${D}${sysconfdir}/ssh/sshd_config_readonly
- sed -i '/HostKey/d' ${D}${sysconfdir}/ssh/sshd_config_readonly
- echo "HostKey /var/run/ssh/ssh_host_rsa_key" >> ${D}${sysconfdir}/ssh/sshd_config_readonly
- echo "HostKey /var/run/ssh/ssh_host_ecdsa_key" >> ${D}${sysconfdir}/ssh/sshd_config_readonly
- echo "HostKey /var/run/ssh/ssh_host_ed25519_key" >> ${D}${sysconfdir}/ssh/sshd_config_readonly
install -d ${D}${systemd_system_unitdir}
if ${@bb.utils.contains('PACKAGECONFIG','systemd-sshd-socket-mode','true','false',d)}; then
@@ -165,7 +160,7 @@ PACKAGES =+ "${PN}-keygen ${PN}-scp ${PN}-ssh ${PN}-sshd ${PN}-sftp ${PN}-misc $
FILES:${PN}-scp = "${bindir}/scp.${BPN}"
FILES:${PN}-ssh = "${bindir}/ssh.${BPN} ${sysconfdir}/ssh/ssh_config"
FILES:${PN}-sshd = "${sbindir}/sshd ${sysconfdir}/init.d/sshd ${systemd_system_unitdir}"
-FILES:${PN}-sshd += "${sysconfdir}/ssh/moduli ${sysconfdir}/ssh/sshd_config ${sysconfdir}/ssh/sshd_config_readonly ${sysconfdir}/default/volatiles/99_sshd ${sysconfdir}/pam.d/sshd"
+FILES:${PN}-sshd += "${sysconfdir}/ssh/moduli ${sysconfdir}/ssh/sshd_config ${sysconfdir}/default/volatiles/99_sshd ${sysconfdir}/pam.d/sshd"
FILES:${PN}-sshd += "${libexecdir}/${BPN}/sshd_check_keys"
FILES:${PN}-sftp = "${bindir}/sftp"
FILES:${PN}-sftp-server = "${libexecdir}/sftp-server"