From 1108e7dea0abcbc3a56017eef32db105b6de8214 Mon Sep 17 00:00:00 2001
From: Saikrishna Arcot
Date: Mon, 25 Apr 2022 13:38:52 -0400
Subject: [PATCH] Remove SSH host keys after installing the custom version of sshd (#10633)

* Remove SSH host keys after installing the custom version of sshd

Signed-off-by: Saikrishna Arcot

* Use an override for for sshd instead of overwriting the service file

Don't overwrite upstream's .service file, and instead use an override file for making sure the host key(s) are generated.

Signed-off-by: Saikrishna Arcot
---
 build_debian.sh | 3 ++-
 .../build_templates/sonic_debian_extension.j2 | 5 +++++
 files/sshd/override.conf | 4 ++++
 files/sshd/sshd.service | 18 ------------------
 4 files changed, 11 insertions(+), 19 deletions(-)
 create mode 100644 files/sshd/override.conf
 delete mode 100644 files/sshd/sshd.service
diff --git a/build_debian.sh b/build_debian.sh
index 9dccbbd0dbb..b5b0ad3da1d 100755
--- a/build_debian.sh
+++ b/build_debian.sh
@@ -373,7 +373,8 @@ sudo sed -i 's/LOAD_KEXEC=true/LOAD_KEXEC=false/' $FILESYSTEM_ROOT/etc/default/k
 ## Remove sshd host keys, and will regenerate on first sshd start
 sudo rm -f $FILESYSTEM_ROOT/etc/ssh/ssh_host_*_key*
 sudo cp files/sshd/host-ssh-keygen.sh $FILESYSTEM_ROOT/usr/local/bin/
-sudo cp -f files/sshd/sshd.service $FILESYSTEM_ROOT/lib/systemd/system/ssh.service
+sudo mkdir $FILESYSTEM_ROOT/etc/systemd/system/ssh.service.d
+sudo cp files/sshd/override.conf $FILESYSTEM_ROOT/etc/systemd/system/ssh.service.d/override.conf
 # Config sshd
 # 1. Set 'UseDNS' to 'no'
 # 2. Configure sshd to close all SSH connetions after 15 minutes of inactivity
diff --git a/files/build_templates/sonic_debian_extension.j2 b/files/build_templates/sonic_debian_extension.j2
index deb903096c8..1fc1146ef68 100644
--- a/files/build_templates/sonic_debian_extension.j2
+++ b/files/build_templates/sonic_debian_extension.j2
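Review bot: `sudo mkdir $FILESYSTEM_ROOT/etc/systemd/system/ssh.service.d` has no `-p`, so it fails whenever the directory already exists (a package that ships its own ssh.service drop-in, or a re-run against a partially built rootfs), whereas the `cp -f` line it replaces was idempotent; change it to `sudo mkdir -p $FILESYSTEM_ROOT/etc/systemd/system/ssh.service.d`. Whether this script runs under `set -e` is not visible in the hunk, but in either case a failed mkdir means the following `cp` cannot land the override, leaving the packaged unit's ExecStartPre chain in effect and the host-key generation step absent from ssh.service. The unquoted `$FILESYSTEM_ROOT` matches the surrounding lines, so I would not change that here.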
@@ -600,6 +600,11 @@ sudo dpkg --root=$FILESYSTEM_ROOT -P {{ debname }}
 {% endfor %}
 {% endif %}
+# Remove sshd host keys, and will regenerate on first sshd start. This needs to be
+# done again here because our custom version of sshd is being installed, which
+# will regenerate the sshd host keys.
+sudo rm -f $FILESYSTEM_ROOT/etc/ssh/ssh_host_*_key*
+
 sudo rm -f $FILESYSTEM_ROOT/usr/sbin/policy-rc.d
 # Copy fstrim service and timer file, enable fstrim timer
diff --git a/files/sshd/override.conf b/files/sshd/override.conf
new file mode 100644
index 00000000000..a1e63ce22b5
--- /dev/null
+++ b/files/sshd/override.conf
@@ -0,0 +1,4 @@
+[Service]
+ExecStartPre=
+ExecStartPre=/usr/local/bin/host-ssh-keygen.sh
+ExecStartPre=/usr/sbin/sshd -t
diff --git a/files/sshd/sshd.service b/files/sshd/sshd.service
deleted file mode 100644
index 25d524171c6..00000000000
--- a/files/sshd/sshd.service
+++ /dev/null
@@ -1,18 +0,0 @@
-[Unit]
-Description=OpenBSD Secure Shell server
-After=network.target auditd.service
-ConditionPathExists=!/etc/ssh/sshd_not_to_be_run
-
-[Service]
-EnvironmentFile=-/etc/default/ssh
-ExecStartPre=-/usr/local/bin/host-ssh-keygen.sh
-ExecStart=/usr/sbin/sshd -D $SSHD_OPTS
-ExecReload=/bin/kill -HUP $MAINPID
-KillMode=process
-Restart=on-failure
-RuntimeDirectory=sshd
-RuntimeDirectoryMode=0755
-
-[Install]
-WantedBy=multi-user.target
-Alias=sshd.service
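Review bot: The added `sudo rm -f $FILESYSTEM_ROOT/etc/ssh/ssh_host_*_key*` only achieves its purpose if nothing later in the template recreates the keys; the comment itself states that installing the sshd package regenerates them, so any later reinstall, postinst run or service start inside the chroot would silently bake one host key into every image built from this tree, which is exactly the exposure the commit is trying to remove. Rather than relying on ordering, a final assertion that fails the build when key files are present would turn that into a loud error; the end of the template is outside this hunk, so I cannot say exactly where it belongs. Something like `if compgen -G "$FILESYSTEM_ROOT/etc/ssh/ssh_host_*_key" >/dev/null; then echo "sshd host key baked into image" >&2; exit 1; fi` placed after the last package install step would do.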
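Review bot: The new override.conf has no comments, and both of its non-obvious choices deserve one: the bare `ExecStartPre=` resets the ExecStartPre list inherited from the packaged ssh.service, and the key-generation script is listed ahead of `/usr/sbin/sshd -t` because the config test has to see existing host keys. The deleted sshd.service ran the script as `ExecStartPre=-/usr/local/bin/host-ssh-keygen.sh`, where the `-` prefix tolerates a non-zero exit, while this override drops the prefix, so a failing key-generation script now blocks ssh.service from starting; that looks intentional (fail closed rather than serve with no fresh keys) but is a behaviour change worth stating. I would add at the top of the file `# Reset the packaged ExecStartPre list, regenerate missing host keys (a failure here aborts startup), then re-run the config test.`.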