diff --git a/build_debian.sh b/build_debian.sh
index b3d692cdb2..43f509b374 100755
--- a/build_debian.sh
+++ b/build_debian.sh
@@ -407,7 +407,8 @@ sudo sed -i 's/LOAD_KEXEC=true/LOAD_KEXEC=false/' $FILESYSTEM_ROOT/etc/default/k
 ## Remove sshd host keys, and will regenerate on first sshd start
 sudo rm -f $FILESYSTEM_ROOT/etc/ssh/ssh_host_*_key*
 sudo cp files/sshd/host-ssh-keygen.sh $FILESYSTEM_ROOT/usr/local/bin/
-sudo cp -f files/sshd/sshd.service $FILESYSTEM_ROOT/lib/systemd/system/ssh.service
+sudo mkdir $FILESYSTEM_ROOT/etc/systemd/system/ssh.service.d
+sudo cp files/sshd/override.conf $FILESYSTEM_ROOT/etc/systemd/system/ssh.service.d/override.conf
 # Config sshd
 # 1. Set 'UseDNS' to 'no'
 # 2. Configure sshd to close all SSH connetions after 15 minutes of inactivity
diff --git a/files/build_templates/sonic_debian_extension.j2 b/files/build_templates/sonic_debian_extension.j2
index a49e29406e..924641393c 100644
--- a/files/build_templates/sonic_debian_extension.j2
+++ b/files/build_templates/sonic_debian_extension.j2
@@ -329,6 +329,11 @@ sudo LANG=C DEBIAN_FRONTEND=noninteractive chroot $FILESYSTEM_ROOT apt-get -y in
 # Install custom-built openssh sshd
 sudo dpkg --root=$FILESYSTEM_ROOT -i $debs_path/openssh-server_*.deb
+# Remove sshd host keys, and will regenerate on first sshd start. This needs to be
+# done again here because our custom version of sshd is being installed, which
+# will regenerate the sshd host keys.
+sudo rm -f $FILESYSTEM_ROOT/etc/ssh/ssh_host_*_key*
+
 {% if sonic_asic_platform == 'broadcom' %}
 # Install custom-built flashrom
 sudo dpkg --root=$FILESYSTEM_ROOT -i $debs_path/flashrom_*.deb
diff --git a/files/sshd/override.conf b/files/sshd/override.conf
new file mode 100644
index 0000000000..a1e63ce22b
--- /dev/null
+++ b/files/sshd/override.conf
@@ -0,0 +1,4 @@
+[Service]
+ExecStartPre=
+ExecStartPre=/usr/local/bin/host-ssh-keygen.sh
+ExecStartPre=/usr/sbin/sshd -t
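Review bot: The new `sudo mkdir $FILESYSTEM_ROOT/etc/systemd/system/ssh.service.d` has no `-p`, so it errors if that drop-in directory already exists in the rootfs (a base package shipping its own ssh.service.d, or a rebuild over a partially built tree would do that); whether that error aborts the build or is silently ignored depends on the script's `set -e` state, which is outside the hunk. Suggest `sudo mkdir -p $FILESYSTEM_ROOT/etc/systemd/system/ssh.service.d` so the step is idempotent either way. The comment on the first context line, "will regenerate on first sshd start", now describes behaviour that lives in the drop-in rather than in a shipped unit; a pointer such as `## Remove sshd host keys; the ssh.service drop-in (files/sshd/override.conf) regenerates them before first start` would keep the two in sync for the next reader.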
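Review bot: The second `sudo rm -f $FILESYSTEM_ROOT/etc/ssh/ssh_host_*_key*` only undoes the key generation of the openssh-server postinst on the line just above it; any later step in this template that generates host keys (another package postinst, a chroot `ssh-keygen -A`, a `dpkg-reconfigure`) would bake one shared key set into every image built, and whoever extracts that key from one image could then impersonate every device flashed from it. Rather than relying on this being the last generator, add a guard at the very end of the template, after all package installs and before the image is packed, that fails the build if any key survived, e.g. `if ls $FILESYSTEM_ROOT/etc/ssh/ssh_host_*_key >/dev/null 2>&1; then echo "ERROR: sshd host keys present in image" >&2; exit 1; fi`. The remainder of the template, including the packing step, is outside this hunk, so the exact placement has to be confirmed there.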
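Review bot: The drop-in changes the failure semantics of the key generation without saying so: the deleted unit ran it as `ExecStartPre=-/usr/local/bin/host-ssh-keygen.sh` (leading `-`, exit status ignored), whereas here a non-zero exit from host-ssh-keygen.sh blocks sshd from starting. That is the safer fail-closed choice (sshd never comes up on a box that failed to get host keys), but it is a behaviour change and the line order is load-bearing, since `sshd -t` would presumably fail on an /etc/ssh with no host keys if it ran first. The bare `ExecStartPre=` also discards every ExecStartPre the packaged ssh.service defines, not only the `sshd -t` re-added here, so a future package update adding one would be dropped silently. Suggest a header comment above `[Service]`: `# Clears the stock ExecStartPre list, then regenerates missing host keys before the config test. Keygen failure is intentionally fatal so sshd never starts without host keys; order matters, sshd -t needs the keys.`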
diff --git a/files/sshd/sshd.service b/files/sshd/sshd.service
deleted file mode 100644
index 25d524171c..0000000000
--- a/files/sshd/sshd.service
+++ /dev/null
@@ -1,18 +0,0 @@
-[Unit]
-Description=OpenBSD Secure Shell server
-After=network.target auditd.service
-ConditionPathExists=!/etc/ssh/sshd_not_to_be_run
-
-[Service]
-EnvironmentFile=-/etc/default/ssh
-ExecStartPre=-/usr/local/bin/host-ssh-keygen.sh
-ExecStart=/usr/sbin/sshd -D $SSHD_OPTS
-ExecReload=/bin/kill -HUP $MAINPID
-KillMode=process
-Restart=on-failure
-RuntimeDirectory=sshd
-RuntimeDirectoryMode=0755
-
-[Install]
-WantedBy=multi-user.target
-Alias=sshd.service