Remove SSH host keys after installing the custom version of sshd (#10633)

* Remove SSH host keys after installing the custom version of sshd

Signed-off-by: Saikrishna Arcot <sarcot@microsoft.com>

* Use an override for for sshd instead of overwriting the service file

Don't overwrite upstream's .service file, and instead use an override
file for making sure the host key(s) are generated.

Signed-off-by: Saikrishna Arcot <sarcot@microsoft.com>
This commit is contained in:
Saikrishna Arcot 2022-04-25 13:38:52 -04:00 committed by GitHub
parent 672db8d416
commit 64187a1b15
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
4 changed files with 11 additions and 19 deletions

View File

@ -407,7 +407,8 @@ sudo sed -i 's/LOAD_KEXEC=true/LOAD_KEXEC=false/' $FILESYSTEM_ROOT/etc/default/k
## Remove sshd host keys, and will regenerate on first sshd start ## Remove sshd host keys, and will regenerate on first sshd start
sudo rm -f $FILESYSTEM_ROOT/etc/ssh/ssh_host_*_key* sudo rm -f $FILESYSTEM_ROOT/etc/ssh/ssh_host_*_key*
sudo cp files/sshd/host-ssh-keygen.sh $FILESYSTEM_ROOT/usr/local/bin/ sudo cp files/sshd/host-ssh-keygen.sh $FILESYSTEM_ROOT/usr/local/bin/
sudo cp -f files/sshd/sshd.service $FILESYSTEM_ROOT/lib/systemd/system/ssh.service sudo mkdir $FILESYSTEM_ROOT/etc/systemd/system/ssh.service.d
sudo cp files/sshd/override.conf $FILESYSTEM_ROOT/etc/systemd/system/ssh.service.d/override.conf
# Config sshd # Config sshd
# 1. Set 'UseDNS' to 'no' # 1. Set 'UseDNS' to 'no'
# 2. Configure sshd to close all SSH connetions after 15 minutes of inactivity # 2. Configure sshd to close all SSH connetions after 15 minutes of inactivity

View File

@ -329,6 +329,11 @@ sudo LANG=C DEBIAN_FRONTEND=noninteractive chroot $FILESYSTEM_ROOT apt-get -y in
# Install custom-built openssh sshd # Install custom-built openssh sshd
sudo dpkg --root=$FILESYSTEM_ROOT -i $debs_path/openssh-server_*.deb sudo dpkg --root=$FILESYSTEM_ROOT -i $debs_path/openssh-server_*.deb
# Remove sshd host keys, and will regenerate on first sshd start. This needs to be
# done again here because our custom version of sshd is being installed, which
# will regenerate the sshd host keys.
sudo rm -f $FILESYSTEM_ROOT/etc/ssh/ssh_host_*_key*
{% if sonic_asic_platform == 'broadcom' %} {% if sonic_asic_platform == 'broadcom' %}
# Install custom-built flashrom # Install custom-built flashrom
sudo dpkg --root=$FILESYSTEM_ROOT -i $debs_path/flashrom_*.deb sudo dpkg --root=$FILESYSTEM_ROOT -i $debs_path/flashrom_*.deb

4
files/sshd/override.conf Normal file
View File

@ -0,0 +1,4 @@
[Service]
ExecStartPre=
ExecStartPre=/usr/local/bin/host-ssh-keygen.sh
ExecStartPre=/usr/sbin/sshd -t

View File

@ -1,18 +0,0 @@
[Unit]
Description=OpenBSD Secure Shell server
After=network.target auditd.service
ConditionPathExists=!/etc/ssh/sshd_not_to_be_run
[Service]
EnvironmentFile=-/etc/default/ssh
ExecStartPre=-/usr/local/bin/host-ssh-keygen.sh
ExecStart=/usr/sbin/sshd -D $SSHD_OPTS
ExecReload=/bin/kill -HUP $MAINPID
KillMode=process
Restart=on-failure
RuntimeDirectory=sshd
RuntimeDirectoryMode=0755
[Install]
WantedBy=multi-user.target
Alias=sshd.service