From 3489eec5529f52110d07f76f200f1ebe4926e741 Mon Sep 17 00:00:00 2001 From: Saikrishna Arcot Date: Wed, 20 Apr 2022 12:51:54 -0700 Subject: [PATCH 1/2] Remove SSH host keys after installing the custom version of sshd Signed-off-by: Saikrishna Arcot --- files/build_templates/sonic_debian_extension.j2 | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/files/build_templates/sonic_debian_extension.j2 b/files/build_templates/sonic_debian_extension.j2 index a49e29406ee..924641393c0 100644 --- a/files/build_templates/sonic_debian_extension.j2 +++ b/files/build_templates/sonic_debian_extension.j2 @@ -329,6 +329,11 @@ sudo LANG=C DEBIAN_FRONTEND=noninteractive chroot $FILESYSTEM_ROOT apt-get -y in # Install custom-built openssh sshd sudo dpkg --root=$FILESYSTEM_ROOT -i $debs_path/openssh-server_*.deb +# Remove sshd host keys, and will regenerate on first sshd start. This needs to be +# done again here because our custom version of sshd is being installed, which +# will regenerate the sshd host keys. +sudo rm -f $FILESYSTEM_ROOT/etc/ssh/ssh_host_*_key* + {% if sonic_asic_platform == 'broadcom' %} # Install custom-built flashrom sudo dpkg --root=$FILESYSTEM_ROOT -i $debs_path/flashrom_*.deb From ad5dfb91f5782bc2dc2e7386a49ee6ed614f4f18 Mon Sep 17 00:00:00 2001 From: Saikrishna Arcot Date: Thu, 21 Apr 2022 13:11:57 -0700 Subject: [PATCH 2/2] Use an override for for sshd instead of overwriting the service file Don't overwrite upstream's .service file, and instead use an override file for making sure the host key(s) are generated. Signed-off-by: Saikrishna Arcot --- build_debian.sh | 3 ++- files/sshd/override.conf | 4 ++++ files/sshd/sshd.service | 18 ------------------ 3 files changed, 6 insertions(+), 19 deletions(-) create mode 100644 files/sshd/override.conf delete mode 100644 files/sshd/sshd.service diff --git a/build_debian.sh b/build_debian.sh index b3d692cdb28..43f509b374c 100755 --- a/build_debian.sh +++ b/build_debian.sh 
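Review bot: The new `sudo rm -f $FILESYSTEM_ROOT/etc/ssh/ssh_host_*_key*` line expands `$FILESYSTEM_ROOT` unquoted and unguarded, so if the variable is empty or unset when the rendered script runs, the command becomes `rm -f /etc/ssh/ssh_host_*_key*` and deletes the build host's own SSH host keys as root. Suggest `sudo rm -f -- "${FILESYSTEM_ROOT:?}"/etc/ssh/ssh_host_*_key*` so an empty build root aborts the script instead; the glob must stay outside the quotes to still match the key files. Whether the generated script runs under `set -u` is not visible in this hunk, and the identical unguarded pattern already exists in build_debian.sh, so both sites could be hardened together. The intent (no device may ship with the image's pre-generated host keys) is right; the comment could also say so explicitly, e.g. `# Host keys must never be baked into the image: every device would share them.`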
@@ -407,7 +407,8 @@ sudo sed -i 's/LOAD_KEXEC=true/LOAD_KEXEC=false/' $FILESYSTEM_ROOT/etc/default/k
 ## Remove sshd host keys, and will regenerate on first sshd start
 sudo rm -f $FILESYSTEM_ROOT/etc/ssh/ssh_host_*_key*
 sudo cp files/sshd/host-ssh-keygen.sh $FILESYSTEM_ROOT/usr/local/bin/
-sudo cp -f files/sshd/sshd.service $FILESYSTEM_ROOT/lib/systemd/system/ssh.service
+sudo mkdir $FILESYSTEM_ROOT/etc/systemd/system/ssh.service.d
+sudo cp files/sshd/override.conf $FILESYSTEM_ROOT/etc/systemd/system/ssh.service.d/override.conf
 # Config sshd
 # 1. Set 'UseDNS' to 'no'
 # 2. Configure sshd to close all SSH connetions after 15 minutes of inactivity
diff --git a/files/sshd/override.conf b/files/sshd/override.conf
new file mode 100644
index 00000000000..a1e63ce22b5
--- /dev/null
+++ b/files/sshd/override.conf
@@ -0,0 +1,4 @@
+[Service]
+ExecStartPre=
+ExecStartPre=/usr/local/bin/host-ssh-keygen.sh
+ExecStartPre=/usr/sbin/sshd -t
diff --git a/files/sshd/sshd.service b/files/sshd/sshd.service
deleted file mode 100644
index 25d524171c6..00000000000
--- a/files/sshd/sshd.service
+++ /dev/null
@@ -1,18 +0,0 @@
-[Unit]
-Description=OpenBSD Secure Shell server
-After=network.target auditd.service
-ConditionPathExists=!/etc/ssh/sshd_not_to_be_run
-
-[Service]
-EnvironmentFile=-/etc/default/ssh
-ExecStartPre=-/usr/local/bin/host-ssh-keygen.sh
-ExecStart=/usr/sbin/sshd -D $SSHD_OPTS
-ExecReload=/bin/kill -HUP $MAINPID
-KillMode=process
-Restart=on-failure
-RuntimeDirectory=sshd
-RuntimeDirectoryMode=0755
-
-[Install]
-WantedBy=multi-user.target
-Alias=sshd.service
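Review bot: `sudo mkdir $FILESYSTEM_ROOT/etc/systemd/system/ssh.service.d` has no `-p`, so it fails whenever the directory already exists, for example if a package installed earlier in the build ships its own drop-in there; if build_debian.sh runs under `set -e` (not visible in this hunk) that aborts the whole image build rather than just this step. Both new lines also expand `$FILESYSTEM_ROOT` unquoted, unlike the guarded form a destructive build script should use. Suggest `sudo mkdir -p "$FILESYSTEM_ROOT/etc/systemd/system/ssh.service.d"` and `sudo install -m 0644 files/sshd/override.conf "$FILESYSTEM_ROOT/etc/systemd/system/ssh.service.d/override.conf"`, which also pins the drop-in's mode instead of inheriting whatever mode the checkout gave override.conf. A one-line comment above the pair, e.g. `# Drop-in overrides upstream ssh.service instead of replacing it (see files/sshd/override.conf)`, would explain why the old `cp -f` onto /lib/systemd/system/ssh.service was dropped.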
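Review bot: The drop-in has no comment explaining the empty `ExecStartPre=` or why the two commands are in this order, and both matter: the empty assignment discards every ExecStartPre= that upstream's ssh.service declares (including its own config check), and the key-generation script must come before `sshd -t`, because sshd's test mode exits non-zero when it cannot load a host key, which is exactly the state the build leaves the image in after removing the keys. The removed sshd.service ran the script as `ExecStartPre=-/usr/local/bin/host-ssh-keygen.sh` (exit status ignored), while the new line drops the `-`, so a failed key generation now blocks sshd from starting; that is the safer fail-closed behavior for host keys, but it is a behavior change the commit message does not mention. Suggest a header comment such as `# Reset upstream's ExecStartPre= list, then: generate any missing host keys first, and only then re-run sshd's config check, which fails without a loadable host key.`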