authorJonas Smedegaard <dr@jones.dk>2018-10-19 14:33:07 +0200
committerJonas Smedegaard <dr@jones.dk>2018-10-19 14:33:07 +0200
commit16716f7ce1881f8c90583db990a160572e5aff96 (patch)
treec449d695585a23a03df420a9013dd5d55cd067fe
parent8b100eb7cbaa9930f01f497cb0018b711605d729 (diff)
Extend nodes: Add tweaks initialize systemd machine-id and SSH keys on initial boot.
-rw-r--r--nodes/console.yml122
-rw-r--r--nodes/core.yml122
-rw-r--r--nodes/core_teres1.yml122
-rw-r--r--nodes/desktop.yml122
-rw-r--r--nodes/freedombox.yml122
-rw-r--r--nodes/gateway.yml122
6 files changed, 732 insertions, 0 deletions
diff --git a/nodes/console.yml b/nodes/console.yml
index 45cb5c9..08640ac 100644
--- a/nodes/console.yml
+++ b/nodes/console.yml
@@ -38,6 +38,9 @@ parameters:
- enable Network Time (NTP) service systemd-timesyncd
- use static IPs as fallback with NTP to avoid DNSSEC deadlock
- adapt default settings for console file manager Midnight Commander
+ - create local systemd service to create SSH host keys if missing
+ - clear content of /etc/machine-id
+ - remove SSH host keys
pkg:
- iproute2
- iw
@@ -113,3 +116,122 @@ parameters:
echo '[Layout]' >> "$file";\
echo 'message_visible=false' >> "$file";\
echo 'menubar_visible=false' >> "$file"
+ - >
+ file=/target/usr/local/sbin/gen-sshd-host-keys;\
+ echo '#!/bin/sh' > "$file";\
+ echo '#' >> "$file";\
+ echo '# Generate missing ssh host keys' >> "$file";\
+ echo '# code copied from openssh-server postinst to address' >> "$file";\
+ echo '# https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=594175' >> "$file";\
+ echo '' >> "$file";\
+ echo '# Copyright: 2018 Purism SPC' >> "$file";\
+ echo '# License: BSD-2-clause' >> "$file";\
+ echo '# Redistribution and use in source and binary forms, with or without' >> "$file";\
+ echo '# modification, are permitted provided that the following conditions' >> "$file";\
+ echo '# are met:' >> "$file";\
+ echo '# 1. Redistributions of source code must retain the above copyright' >> "$file";\
+ echo '# notice, this list of conditions and the following disclaimer.' >> "$file";\
+ echo '# 2. Redistributions in binary form must reproduce the above copyright' >> "$file";\
+ echo '# notice, this list of conditions and the following disclaimer in the' >> "$file";\
+ echo '# documentation and/or other materials provided with the distribution.' >> "$file";\
+ echo '# .' >> "$file";\
+ echo '# THIS SOFTWARE IS PROVIDED BY THE AUTHOR "AS IS" AND ANY EXPRESS OR' >> "$file";\
+ echo '# IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES' >> "$file";\
+ echo '# OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.' >> "$file";\
+ echo '# IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,' >> "$file";\
+ echo '# INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT' >> "$file";\
+ echo '# NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,' >> "$file";\
+ echo '# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY' >> "$file";\
+ echo '# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT' >> "$file";\
+ echo '# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF' >> "$file";\
+ echo '# THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.' >> "$file";\
+ echo '' >> "$file";\
+ echo 'set -e' >> "$file";\
+ echo '' >> "$file";\
+ echo 'export LC_ALL=C.UTF-8' >> "$file";\
+ echo '' >> "$file";\
+ echo 'get_config_option() {' >> "$file";\
+ echo ' option="$1"' >> "$file";\
+ echo '' >> "$file";\
+ echo ' [ -f /etc/ssh/sshd_config ] || return' >> "$file";\
+ echo '' >> "$file";\
+ echo ' # TODO: actually only one '"'='"' allowed after option' >> "$file";\
+ echo ' perl -lne '"'" >> "$file";\
+ echo ' s/[[:space:]]+/ /g; s/[[:space:]]+$//;' >> "$file";\
+ echo ' print if s/^[[:space:]]*'"'"'"$option"'"'"'[[:space:]=]+//i'"'"' \' >> "$file";\
+ echo ' /etc/ssh/sshd_config' >> "$file";\
+ echo '}' >> "$file";\
+ echo '' >> "$file";\
+ echo '' >> "$file";\
+ echo 'host_keys_required() {' >> "$file";\
+ echo ' hostkeys="$(get_config_option HostKey)"' >> "$file";\
+ echo ' if [ "$hostkeys" ]; then' >> "$file";\
+ echo ' echo "$hostkeys"' >> "$file";\
+ echo ' else' >> "$file";\
+ echo ' # No HostKey directives at all, so the server picks some' >> "$file";\
+ echo ' # defaults.' >> "$file";\
+ echo ' echo /etc/ssh/ssh_host_rsa_key' >> "$file";\
+ echo ' echo /etc/ssh/ssh_host_ecdsa_key' >> "$file";\
+ echo ' echo /etc/ssh/ssh_host_ed25519_key' >> "$file";\
+ echo ' fi' >> "$file";\
+ echo '}' >> "$file";\
+ echo '' >> "$file";\
+ echo 'create_key() {' >> "$file";\
+ echo ' msg="$1"' >> "$file";\
+ echo ' shift' >> "$file";\
+ echo ' hostkeys="$1"' >> "$file";\
+ echo ' shift' >> "$file";\
+ echo ' file="$1"' >> "$file";\
+ echo ' shift' >> "$file";\
+ echo '' >> "$file";\
+ echo ' if echo "$hostkeys" | grep -x "$file" >/dev/null && \' >> "$file";\
+ echo ' [ ! -f "$file" ] ; then' >> "$file";\
+ echo ' printf "%s" "$msg"' >> "$file";\
+ echo ' ssh-keygen -q -f "$file" -N "" "$@"' >> "$file";\
+ echo ' echo' >> "$file";\
+ echo ' if which restorecon >/dev/null 2>&1; then' >> "$file";\
+ echo ' restorecon "$file" "$file.pub"' >> "$file";\
+ echo ' fi' >> "$file";\
+ echo ' ssh-keygen -l -f "$file.pub"' >> "$file";\
+ echo ' fi' >> "$file";\
+ echo '}' >> "$file";\
+ echo '' >> "$file";\
+ echo '' >> "$file";\
+ echo 'create_keys() {' >> "$file";\
+ echo ' hostkeys="$(host_keys_required)"' >> "$file";\
+ echo '' >> "$file";\
+ echo ' create_key "Creating SSH2 RSA key; this may take some time ..." \' >> "$file";\
+ echo ' "$hostkeys" /etc/ssh/ssh_host_rsa_key -t rsa' >> "$file";\
+ echo ' create_key "Creating SSH2 DSA key; this may take some time ..." \' >> "$file";\
+ echo ' "$hostkeys" /etc/ssh/ssh_host_dsa_key -t dsa' >> "$file";\
+ echo ' create_key "Creating SSH2 ECDSA key; this may take some time ..." \' >> "$file";\
+ echo ' "$hostkeys" /etc/ssh/ssh_host_ecdsa_key -t ecdsa' >> "$file";\
+ echo ' create_key "Creating SSH2 ED25519 key; this may take some time ..." \' >> "$file";\
+ echo ' "$hostkeys" /etc/ssh/ssh_host_ed25519_key -t ed25519' >> "$file";\
+ echo '}' >> "$file";\
+ echo '' >> "$file";\
+ echo 'create_keys' >> "$file";\
+ echo 'service ssh force-reload' >> "$file";\
+ chmod a+x "$file"
+ - >
+ file=/target/etc/systemd/system/gen-sshd-host-keys.service;\
+ echo '[Unit]' > "$file";\
+ echo 'Description=Generate OpenSSH daemon host keys service' >> "$file";\
+ echo 'ConditionPathExists=/usr/sbin/sshd' >> "$file";\
+ echo 'ConditionPathExists=!/etc/ssh/sshd_not_to_be_run' >> "$file";\
+ echo 'Before=ssh.service' >> "$file";\
+ echo 'Before=ssh.socket' >> "$file";\
+ echo 'Documentation=https://source.puri.sm/Librem5/gen-ssd-host-keys/README.md' >> "$file";\
+ echo '' >> "$file";\
+ echo '[Service]' >> "$file";\
+ echo 'Type=oneshot' >> "$file";\
+ echo 'ExecStart=/usr/local/sbin/gen-sshd-host-keys' >> "$file";\
+ echo 'ExecStop=/bin/true' >> "$file";\
+ echo '' >> "$file";\
+ echo '[Install]' >> "$file";\
+ echo 'WantedBy=ssh.service' >> "$file";\
+ echo 'WantedBy=ssh.socket' >> "$file"
+ - systemctl enable gen-sshd-host-keys
+ - echo > /target/etc/machine-id
+ - ln -sfT ../../../etc/machine-id /target/var/lib/dbus/machine-id
+ - find /target/etc/ssh -maxdepth 1 -type f -name "ssh_host_*_key*" -delete
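Review bot: `echo > /target/etc/machine-id` leaves a one-byte file (a single newline), whereas the state that tells systemd to generate a fresh ID on first boot is an empty or absent file; `: > /target/etc/machine-id` truncates it to zero bytes and is what I would use here. Systemd appears in practice to treat an unparseable one-line file the same way and regenerates, but the zero-length form is the documented contract and the one worth relying on when the goal is that cloned images never share an identity. The `ln -sfT ../../../etc/machine-id /target/var/lib/dbus/machine-id` on the next line fails outright if `/target/var/lib/dbus` does not exist on a node without dbus, so either `mkdir -p` it first or skip the symlink when the directory is absent. `systemctl enable gen-sshd-host-keys` is written without `--root=/target`, matching the existing `systemctl enable systemd-timesyncd` tweak, so presumably the tweak runner executes inside the target; if it does not, the unit is enabled on the build host rather than in the image. The same three lines appear in core.yml, core_teres1.yml, desktop.yml, freedombox.yml and gateway.yml.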
diff --git a/nodes/core.yml b/nodes/core.yml
index 6a9cccb..bd128a9 100644
--- a/nodes/core.yml
+++ b/nodes/core.yml
@@ -28,6 +28,9 @@ parameters:
- enable multicast DNS
- enable Network Time (NTP) service systemd-timesyncd
- use static IPs as fallback with NTP to avoid DNSSEC deadlock
+ - create local systemd service to create SSH host keys if missing
+ - clear content of /etc/machine-id
+ - remove SSH host keys
pkg:
- iproute2
- iw
@@ -83,3 +86,122 @@ parameters:
echo '# include static IPs (once expanded from former) to avoid DNSSEC deadlock' >> "$file";\
echo 'FallbackNTP=2.debian.pool.ntp.org 195.137.195.251 158.248.189.11 193.104.228.123 195.137.195.252 2001:ac8:37::40 2001:67c:28c8:12::123 2a00:1b70:1200:1::123 2001:67c:564::12' >> "$file"
- systemctl enable systemd-timesyncd
+ - >
+ file=/target/usr/local/sbin/gen-sshd-host-keys;\
+ echo '#!/bin/sh' > "$file";\
+ echo '#' >> "$file";\
+ echo '# Generate missing ssh host keys' >> "$file";\
+ echo '# code copied from openssh-server postinst to address' >> "$file";\
+ echo '# https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=594175' >> "$file";\
+ echo '' >> "$file";\
+ echo '# Copyright: 2018 Purism SPC' >> "$file";\
+ echo '# License: BSD-2-clause' >> "$file";\
+ echo '# Redistribution and use in source and binary forms, with or without' >> "$file";\
+ echo '# modification, are permitted provided that the following conditions' >> "$file";\
+ echo '# are met:' >> "$file";\
+ echo '# 1. Redistributions of source code must retain the above copyright' >> "$file";\
+ echo '# notice, this list of conditions and the following disclaimer.' >> "$file";\
+ echo '# 2. Redistributions in binary form must reproduce the above copyright' >> "$file";\
+ echo '# notice, this list of conditions and the following disclaimer in the' >> "$file";\
+ echo '# documentation and/or other materials provided with the distribution.' >> "$file";\
+ echo '# .' >> "$file";\
+ echo '# THIS SOFTWARE IS PROVIDED BY THE AUTHOR "AS IS" AND ANY EXPRESS OR' >> "$file";\
+ echo '# IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES' >> "$file";\
+ echo '# OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.' >> "$file";\
+ echo '# IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,' >> "$file";\
+ echo '# INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT' >> "$file";\
+ echo '# NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,' >> "$file";\
+ echo '# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY' >> "$file";\
+ echo '# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT' >> "$file";\
+ echo '# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF' >> "$file";\
+ echo '# THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.' >> "$file";\
+ echo '' >> "$file";\
+ echo 'set -e' >> "$file";\
+ echo '' >> "$file";\
+ echo 'export LC_ALL=C.UTF-8' >> "$file";\
+ echo '' >> "$file";\
+ echo 'get_config_option() {' >> "$file";\
+ echo ' option="$1"' >> "$file";\
+ echo '' >> "$file";\
+ echo ' [ -f /etc/ssh/sshd_config ] || return' >> "$file";\
+ echo '' >> "$file";\
+ echo ' # TODO: actually only one '"'='"' allowed after option' >> "$file";\
+ echo ' perl -lne '"'" >> "$file";\
+ echo ' s/[[:space:]]+/ /g; s/[[:space:]]+$//;' >> "$file";\
+ echo ' print if s/^[[:space:]]*'"'"'"$option"'"'"'[[:space:]=]+//i'"'"' \' >> "$file";\
+ echo ' /etc/ssh/sshd_config' >> "$file";\
+ echo '}' >> "$file";\
+ echo '' >> "$file";\
+ echo '' >> "$file";\
+ echo 'host_keys_required() {' >> "$file";\
+ echo ' hostkeys="$(get_config_option HostKey)"' >> "$file";\
+ echo ' if [ "$hostkeys" ]; then' >> "$file";\
+ echo ' echo "$hostkeys"' >> "$file";\
+ echo ' else' >> "$file";\
+ echo ' # No HostKey directives at all, so the server picks some' >> "$file";\
+ echo ' # defaults.' >> "$file";\
+ echo ' echo /etc/ssh/ssh_host_rsa_key' >> "$file";\
+ echo ' echo /etc/ssh/ssh_host_ecdsa_key' >> "$file";\
+ echo ' echo /etc/ssh/ssh_host_ed25519_key' >> "$file";\
+ echo ' fi' >> "$file";\
+ echo '}' >> "$file";\
+ echo '' >> "$file";\
+ echo 'create_key() {' >> "$file";\
+ echo ' msg="$1"' >> "$file";\
+ echo ' shift' >> "$file";\
+ echo ' hostkeys="$1"' >> "$file";\
+ echo ' shift' >> "$file";\
+ echo ' file="$1"' >> "$file";\
+ echo ' shift' >> "$file";\
+ echo '' >> "$file";\
+ echo ' if echo "$hostkeys" | grep -x "$file" >/dev/null && \' >> "$file";\
+ echo ' [ ! -f "$file" ] ; then' >> "$file";\
+ echo ' printf "%s" "$msg"' >> "$file";\
+ echo ' ssh-keygen -q -f "$file" -N "" "$@"' >> "$file";\
+ echo ' echo' >> "$file";\
+ echo ' if which restorecon >/dev/null 2>&1; then' >> "$file";\
+ echo ' restorecon "$file" "$file.pub"' >> "$file";\
+ echo ' fi' >> "$file";\
+ echo ' ssh-keygen -l -f "$file.pub"' >> "$file";\
+ echo ' fi' >> "$file";\
+ echo '}' >> "$file";\
+ echo '' >> "$file";\
+ echo '' >> "$file";\
+ echo 'create_keys() {' >> "$file";\
+ echo ' hostkeys="$(host_keys_required)"' >> "$file";\
+ echo '' >> "$file";\
+ echo ' create_key "Creating SSH2 RSA key; this may take some time ..." \' >> "$file";\
+ echo ' "$hostkeys" /etc/ssh/ssh_host_rsa_key -t rsa' >> "$file";\
+ echo ' create_key "Creating SSH2 DSA key; this may take some time ..." \' >> "$file";\
+ echo ' "$hostkeys" /etc/ssh/ssh_host_dsa_key -t dsa' >> "$file";\
+ echo ' create_key "Creating SSH2 ECDSA key; this may take some time ..." \' >> "$file";\
+ echo ' "$hostkeys" /etc/ssh/ssh_host_ecdsa_key -t ecdsa' >> "$file";\
+ echo ' create_key "Creating SSH2 ED25519 key; this may take some time ..." \' >> "$file";\
+ echo ' "$hostkeys" /etc/ssh/ssh_host_ed25519_key -t ed25519' >> "$file";\
+ echo '}' >> "$file";\
+ echo '' >> "$file";\
+ echo 'create_keys' >> "$file";\
+ echo 'service ssh force-reload' >> "$file";\
+ chmod a+x "$file"
+ - >
+ file=/target/etc/systemd/system/gen-sshd-host-keys.service;\
+ echo '[Unit]' > "$file";\
+ echo 'Description=Generate OpenSSH daemon host keys service' >> "$file";\
+ echo 'ConditionPathExists=/usr/sbin/sshd' >> "$file";\
+ echo 'ConditionPathExists=!/etc/ssh/sshd_not_to_be_run' >> "$file";\
+ echo 'Before=ssh.service' >> "$file";\
+ echo 'Before=ssh.socket' >> "$file";\
+ echo 'Documentation=https://source.puri.sm/Librem5/gen-ssd-host-keys/README.md' >> "$file";\
+ echo '' >> "$file";\
+ echo '[Service]' >> "$file";\
+ echo 'Type=oneshot' >> "$file";\
+ echo 'ExecStart=/usr/local/sbin/gen-sshd-host-keys' >> "$file";\
+ echo 'ExecStop=/bin/true' >> "$file";\
+ echo '' >> "$file";\
+ echo '[Install]' >> "$file";\
+ echo 'WantedBy=ssh.service' >> "$file";\
+ echo 'WantedBy=ssh.socket' >> "$file"
+ - systemctl enable gen-sshd-host-keys
+ - echo > /target/etc/machine-id
+ - ln -sfT ../../../etc/machine-id /target/var/lib/dbus/machine-id
+ - find /target/etc/ssh -maxdepth 1 -type f -name "ssh_host_*_key*" -delete
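Review bot: The roughly 120 lines that generate the key script and the unit file are pasted verbatim into six node files, so any later fix to the key-generation logic has to be repeated six times; if the node framework supports a shared class or include (the `_setappendvar` helper used in freedombox.yml suggests shared pieces exist), hoisting the two `- >` tweaks into one common place would keep them from drifting apart. Two smaller points in the generated content: the `Documentation=` URL names `gen-ssd-host-keys` while every other identifier is `gen-sshd-host-keys`, which looks like a typo to confirm, and `service ssh force-reload` is carried over from the postinst but the unit is ordered `Before=ssh.service`, so on first boot it runs while sshd is not yet up and is presumably a no-op that could be dropped. The same content appears in console.yml, core_teres1.yml, desktop.yml, freedombox.yml and gateway.yml.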
diff --git a/nodes/core_teres1.yml b/nodes/core_teres1.yml
index 2c22ca6..5790816 100644
--- a/nodes/core_teres1.yml
+++ b/nodes/core_teres1.yml
@@ -39,6 +39,9 @@ parameters:
- use Cloudflare (not Google) fallback DNS resolvers
- enable multicast DNS
- use static IPs as fallback with NTP to avoid DNSSEC deadlock
+ - create local systemd service to create SSH host keys if missing
+ - clear content of /etc/machine-id
+ - remove SSH host keys
pkg:
- chrony
- iproute2
@@ -109,3 +112,122 @@ parameters:
echo 'server 2001:67c:28c8:12::123 iburst' >> "$file";\
echo 'server 2a00:1b70:1200:1::123 iburst' >> "$file";\
echo 'server 2001:67c:564::12 iburst' >> "$file"
+ - >
+ file=/target/usr/local/sbin/gen-sshd-host-keys;\
+ echo '#!/bin/sh' > "$file";\
+ echo '#' >> "$file";\
+ echo '# Generate missing ssh host keys' >> "$file";\
+ echo '# code copied from openssh-server postinst to address' >> "$file";\
+ echo '# https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=594175' >> "$file";\
+ echo '' >> "$file";\
+ echo '# Copyright: 2018 Purism SPC' >> "$file";\
+ echo '# License: BSD-2-clause' >> "$file";\
+ echo '# Redistribution and use in source and binary forms, with or without' >> "$file";\
+ echo '# modification, are permitted provided that the following conditions' >> "$file";\
+ echo '# are met:' >> "$file";\
+ echo '# 1. Redistributions of source code must retain the above copyright' >> "$file";\
+ echo '# notice, this list of conditions and the following disclaimer.' >> "$file";\
+ echo '# 2. Redistributions in binary form must reproduce the above copyright' >> "$file";\
+ echo '# notice, this list of conditions and the following disclaimer in the' >> "$file";\
+ echo '# documentation and/or other materials provided with the distribution.' >> "$file";\
+ echo '# .' >> "$file";\
+ echo '# THIS SOFTWARE IS PROVIDED BY THE AUTHOR "AS IS" AND ANY EXPRESS OR' >> "$file";\
+ echo '# IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES' >> "$file";\
+ echo '# OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.' >> "$file";\
+ echo '# IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,' >> "$file";\
+ echo '# INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT' >> "$file";\
+ echo '# NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,' >> "$file";\
+ echo '# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY' >> "$file";\
+ echo '# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT' >> "$file";\
+ echo '# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF' >> "$file";\
+ echo '# THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.' >> "$file";\
+ echo '' >> "$file";\
+ echo 'set -e' >> "$file";\
+ echo '' >> "$file";\
+ echo 'export LC_ALL=C.UTF-8' >> "$file";\
+ echo '' >> "$file";\
+ echo 'get_config_option() {' >> "$file";\
+ echo ' option="$1"' >> "$file";\
+ echo '' >> "$file";\
+ echo ' [ -f /etc/ssh/sshd_config ] || return' >> "$file";\
+ echo '' >> "$file";\
+ echo ' # TODO: actually only one '"'='"' allowed after option' >> "$file";\
+ echo ' perl -lne '"'" >> "$file";\
+ echo ' s/[[:space:]]+/ /g; s/[[:space:]]+$//;' >> "$file";\
+ echo ' print if s/^[[:space:]]*'"'"'"$option"'"'"'[[:space:]=]+//i'"'"' \' >> "$file";\
+ echo ' /etc/ssh/sshd_config' >> "$file";\
+ echo '}' >> "$file";\
+ echo '' >> "$file";\
+ echo '' >> "$file";\
+ echo 'host_keys_required() {' >> "$file";\
+ echo ' hostkeys="$(get_config_option HostKey)"' >> "$file";\
+ echo ' if [ "$hostkeys" ]; then' >> "$file";\
+ echo ' echo "$hostkeys"' >> "$file";\
+ echo ' else' >> "$file";\
+ echo ' # No HostKey directives at all, so the server picks some' >> "$file";\
+ echo ' # defaults.' >> "$file";\
+ echo ' echo /etc/ssh/ssh_host_rsa_key' >> "$file";\
+ echo ' echo /etc/ssh/ssh_host_ecdsa_key' >> "$file";\
+ echo ' echo /etc/ssh/ssh_host_ed25519_key' >> "$file";\
+ echo ' fi' >> "$file";\
+ echo '}' >> "$file";\
+ echo '' >> "$file";\
+ echo 'create_key() {' >> "$file";\
+ echo ' msg="$1"' >> "$file";\
+ echo ' shift' >> "$file";\
+ echo ' hostkeys="$1"' >> "$file";\
+ echo ' shift' >> "$file";\
+ echo ' file="$1"' >> "$file";\
+ echo ' shift' >> "$file";\
+ echo '' >> "$file";\
+ echo ' if echo "$hostkeys" | grep -x "$file" >/dev/null && \' >> "$file";\
+ echo ' [ ! -f "$file" ] ; then' >> "$file";\
+ echo ' printf "%s" "$msg"' >> "$file";\
+ echo ' ssh-keygen -q -f "$file" -N "" "$@"' >> "$file";\
+ echo ' echo' >> "$file";\
+ echo ' if which restorecon >/dev/null 2>&1; then' >> "$file";\
+ echo ' restorecon "$file" "$file.pub"' >> "$file";\
+ echo ' fi' >> "$file";\
+ echo ' ssh-keygen -l -f "$file.pub"' >> "$file";\
+ echo ' fi' >> "$file";\
+ echo '}' >> "$file";\
+ echo '' >> "$file";\
+ echo '' >> "$file";\
+ echo 'create_keys() {' >> "$file";\
+ echo ' hostkeys="$(host_keys_required)"' >> "$file";\
+ echo '' >> "$file";\
+ echo ' create_key "Creating SSH2 RSA key; this may take some time ..." \' >> "$file";\
+ echo ' "$hostkeys" /etc/ssh/ssh_host_rsa_key -t rsa' >> "$file";\
+ echo ' create_key "Creating SSH2 DSA key; this may take some time ..." \' >> "$file";\
+ echo ' "$hostkeys" /etc/ssh/ssh_host_dsa_key -t dsa' >> "$file";\
+ echo ' create_key "Creating SSH2 ECDSA key; this may take some time ..." \' >> "$file";\
+ echo ' "$hostkeys" /etc/ssh/ssh_host_ecdsa_key -t ecdsa' >> "$file";\
+ echo ' create_key "Creating SSH2 ED25519 key; this may take some time ..." \' >> "$file";\
+ echo ' "$hostkeys" /etc/ssh/ssh_host_ed25519_key -t ed25519' >> "$file";\
+ echo '}' >> "$file";\
+ echo '' >> "$file";\
+ echo 'create_keys' >> "$file";\
+ echo 'service ssh force-reload' >> "$file";\
+ chmod a+x "$file"
+ - >
+ file=/target/etc/systemd/system/gen-sshd-host-keys.service;\
+ echo '[Unit]' > "$file";\
+ echo 'Description=Generate OpenSSH daemon host keys service' >> "$file";\
+ echo 'ConditionPathExists=/usr/sbin/sshd' >> "$file";\
+ echo 'ConditionPathExists=!/etc/ssh/sshd_not_to_be_run' >> "$file";\
+ echo 'Before=ssh.service' >> "$file";\
+ echo 'Before=ssh.socket' >> "$file";\
+ echo 'Documentation=https://source.puri.sm/Librem5/gen-ssd-host-keys/README.md' >> "$file";\
+ echo '' >> "$file";\
+ echo '[Service]' >> "$file";\
+ echo 'Type=oneshot' >> "$file";\
+ echo 'ExecStart=/usr/local/sbin/gen-sshd-host-keys' >> "$file";\
+ echo 'ExecStop=/bin/true' >> "$file";\
+ echo '' >> "$file";\
+ echo '[Install]' >> "$file";\
+ echo 'WantedBy=ssh.service' >> "$file";\
+ echo 'WantedBy=ssh.socket' >> "$file"
+ - systemctl enable gen-sshd-host-keys
+ - echo > /target/etc/machine-id
+ - ln -sfT ../../../etc/machine-id /target/var/lib/dbus/machine-id
+ - find /target/etc/ssh -maxdepth 1 -type f -name "ssh_host_*_key*" -delete
diff --git a/nodes/desktop.yml b/nodes/desktop.yml
index b7ed683..c5b463e 100644
--- a/nodes/desktop.yml
+++ b/nodes/desktop.yml
@@ -48,6 +48,9 @@ parameters:
- tell urxvt to use 24pt fonts, Terminus 32pt or indic Noto Sans
- tell urxvt to omit scrollbar
- adapt default settings for console file manager Midnight Commander
+ - create local systemd service to create SSH host keys if missing
+ - clear content of /etc/machine-id
+ - remove SSH host keys
pkg:
- chrony
- iproute2
@@ -143,3 +146,122 @@ parameters:
echo '[Layout]' >> "$file";\
echo 'message_visible=false' >> "$file";\
echo 'menubar_visible=false' >> "$file"
+ - >
+ file=/target/usr/local/sbin/gen-sshd-host-keys;\
+ echo '#!/bin/sh' > "$file";\
+ echo '#' >> "$file";\
+ echo '# Generate missing ssh host keys' >> "$file";\
+ echo '# code copied from openssh-server postinst to address' >> "$file";\
+ echo '# https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=594175' >> "$file";\
+ echo '' >> "$file";\
+ echo '# Copyright: 2018 Purism SPC' >> "$file";\
+ echo '# License: BSD-2-clause' >> "$file";\
+ echo '# Redistribution and use in source and binary forms, with or without' >> "$file";\
+ echo '# modification, are permitted provided that the following conditions' >> "$file";\
+ echo '# are met:' >> "$file";\
+ echo '# 1. Redistributions of source code must retain the above copyright' >> "$file";\
+ echo '# notice, this list of conditions and the following disclaimer.' >> "$file";\
+ echo '# 2. Redistributions in binary form must reproduce the above copyright' >> "$file";\
+ echo '# notice, this list of conditions and the following disclaimer in the' >> "$file";\
+ echo '# documentation and/or other materials provided with the distribution.' >> "$file";\
+ echo '# .' >> "$file";\
+ echo '# THIS SOFTWARE IS PROVIDED BY THE AUTHOR "AS IS" AND ANY EXPRESS OR' >> "$file";\
+ echo '# IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES' >> "$file";\
+ echo '# OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.' >> "$file";\
+ echo '# IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,' >> "$file";\
+ echo '# INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT' >> "$file";\
+ echo '# NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,' >> "$file";\
+ echo '# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY' >> "$file";\
+ echo '# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT' >> "$file";\
+ echo '# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF' >> "$file";\
+ echo '# THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.' >> "$file";\
+ echo '' >> "$file";\
+ echo 'set -e' >> "$file";\
+ echo '' >> "$file";\
+ echo 'export LC_ALL=C.UTF-8' >> "$file";\
+ echo '' >> "$file";\
+ echo 'get_config_option() {' >> "$file";\
+ echo ' option="$1"' >> "$file";\
+ echo '' >> "$file";\
+ echo ' [ -f /etc/ssh/sshd_config ] || return' >> "$file";\
+ echo '' >> "$file";\
+ echo ' # TODO: actually only one '"'='"' allowed after option' >> "$file";\
+ echo ' perl -lne '"'" >> "$file";\
+ echo ' s/[[:space:]]+/ /g; s/[[:space:]]+$//;' >> "$file";\
+ echo ' print if s/^[[:space:]]*'"'"'"$option"'"'"'[[:space:]=]+//i'"'"' \' >> "$file";\
+ echo ' /etc/ssh/sshd_config' >> "$file";\
+ echo '}' >> "$file";\
+ echo '' >> "$file";\
+ echo '' >> "$file";\
+ echo 'host_keys_required() {' >> "$file";\
+ echo ' hostkeys="$(get_config_option HostKey)"' >> "$file";\
+ echo ' if [ "$hostkeys" ]; then' >> "$file";\
+ echo ' echo "$hostkeys"' >> "$file";\
+ echo ' else' >> "$file";\
+ echo ' # No HostKey directives at all, so the server picks some' >> "$file";\
+ echo ' # defaults.' >> "$file";\
+ echo ' echo /etc/ssh/ssh_host_rsa_key' >> "$file";\
+ echo ' echo /etc/ssh/ssh_host_ecdsa_key' >> "$file";\
+ echo ' echo /etc/ssh/ssh_host_ed25519_key' >> "$file";\
+ echo ' fi' >> "$file";\
+ echo '}' >> "$file";\
+ echo '' >> "$file";\
+ echo 'create_key() {' >> "$file";\
+ echo ' msg="$1"' >> "$file";\
+ echo ' shift' >> "$file";\
+ echo ' hostkeys="$1"' >> "$file";\
+ echo ' shift' >> "$file";\
+ echo ' file="$1"' >> "$file";\
+ echo ' shift' >> "$file";\
+ echo '' >> "$file";\
+ echo ' if echo "$hostkeys" | grep -x "$file" >/dev/null && \' >> "$file";\
+ echo ' [ ! -f "$file" ] ; then' >> "$file";\
+ echo ' printf "%s" "$msg"' >> "$file";\
+ echo ' ssh-keygen -q -f "$file" -N "" "$@"' >> "$file";\
+ echo ' echo' >> "$file";\
+ echo ' if which restorecon >/dev/null 2>&1; then' >> "$file";\
+ echo ' restorecon "$file" "$file.pub"' >> "$file";\
+ echo ' fi' >> "$file";\
+ echo ' ssh-keygen -l -f "$file.pub"' >> "$file";\
+ echo ' fi' >> "$file";\
+ echo '}' >> "$file";\
+ echo '' >> "$file";\
+ echo '' >> "$file";\
+ echo 'create_keys() {' >> "$file";\
+ echo ' hostkeys="$(host_keys_required)"' >> "$file";\
+ echo '' >> "$file";\
+ echo ' create_key "Creating SSH2 RSA key; this may take some time ..." \' >> "$file";\
+ echo ' "$hostkeys" /etc/ssh/ssh_host_rsa_key -t rsa' >> "$file";\
+ echo ' create_key "Creating SSH2 DSA key; this may take some time ..." \' >> "$file";\
+ echo ' "$hostkeys" /etc/ssh/ssh_host_dsa_key -t dsa' >> "$file";\
+ echo ' create_key "Creating SSH2 ECDSA key; this may take some time ..." \' >> "$file";\
+ echo ' "$hostkeys" /etc/ssh/ssh_host_ecdsa_key -t ecdsa' >> "$file";\
+ echo ' create_key "Creating SSH2 ED25519 key; this may take some time ..." \' >> "$file";\
+ echo ' "$hostkeys" /etc/ssh/ssh_host_ed25519_key -t ed25519' >> "$file";\
+ echo '}' >> "$file";\
+ echo '' >> "$file";\
+ echo 'create_keys' >> "$file";\
+ echo 'service ssh force-reload' >> "$file";\
+ chmod a+x "$file"
+ - >
+ file=/target/etc/systemd/system/gen-sshd-host-keys.service;\
+ echo '[Unit]' > "$file";\
+ echo 'Description=Generate OpenSSH daemon host keys service' >> "$file";\
+ echo 'ConditionPathExists=/usr/sbin/sshd' >> "$file";\
+ echo 'ConditionPathExists=!/etc/ssh/sshd_not_to_be_run' >> "$file";\
+ echo 'Before=ssh.service' >> "$file";\
+ echo 'Before=ssh.socket' >> "$file";\
+ echo 'Documentation=https://source.puri.sm/Librem5/gen-ssd-host-keys/README.md' >> "$file";\
+ echo '' >> "$file";\
+ echo '[Service]' >> "$file";\
+ echo 'Type=oneshot' >> "$file";\
+ echo 'ExecStart=/usr/local/sbin/gen-sshd-host-keys' >> "$file";\
+ echo 'ExecStop=/bin/true' >> "$file";\
+ echo '' >> "$file";\
+ echo '[Install]' >> "$file";\
+ echo 'WantedBy=ssh.service' >> "$file";\
+ echo 'WantedBy=ssh.socket' >> "$file"
+ - systemctl enable gen-sshd-host-keys
+ - echo > /target/etc/machine-id
+ - ln -sfT ../../../etc/machine-id /target/var/lib/dbus/machine-id
+ - find /target/etc/ssh -maxdepth 1 -type f -name "ssh_host_*_key*" -delete
diff --git a/nodes/freedombox.yml b/nodes/freedombox.yml
index 5ef7250..61ba2a7 100644
--- a/nodes/freedombox.yml
+++ b/nodes/freedombox.yml
@@ -34,6 +34,9 @@ parameters:
- enable Network Time (NTP) service systemd-timesyncd
- use static IPs as fallback with NTP to avoid DNSSEC deadlock
- grant root access to users in POSIX (and LDAP) group 'admin'
+ - create local systemd service to create SSH host keys if missing
+ - clear content of /etc/machine-id
+ - remove SSH host keys
pkg:
- plinth
tweak:
@@ -77,3 +80,122 @@ parameters:
- >
_setappendvar /target/etc/sysctl.d/local-freedombox.conf \
net.ipv6.conf.all.forwarding 1
+ - >
+ file=/target/usr/local/sbin/gen-sshd-host-keys;\
+ echo '#!/bin/sh' > "$file";\
+ echo '#' >> "$file";\
+ echo '# Generate missing ssh host keys' >> "$file";\
+ echo '# code copied from openssh-server postinst to address' >> "$file";\
+ echo '# https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=594175' >> "$file";\
+ echo '' >> "$file";\
+ echo '# Copyright: 2018 Purism SPC' >> "$file";\
+ echo '# License: BSD-2-clause' >> "$file";\
+ echo '# Redistribution and use in source and binary forms, with or without' >> "$file";\
+ echo '# modification, are permitted provided that the following conditions' >> "$file";\
+ echo '# are met:' >> "$file";\
+ echo '# 1. Redistributions of source code must retain the above copyright' >> "$file";\
+ echo '# notice, this list of conditions and the following disclaimer.' >> "$file";\
+ echo '# 2. Redistributions in binary form must reproduce the above copyright' >> "$file";\
+ echo '# notice, this list of conditions and the following disclaimer in the' >> "$file";\
+ echo '# documentation and/or other materials provided with the distribution.' >> "$file";\
+ echo '# .' >> "$file";\
+ echo '# THIS SOFTWARE IS PROVIDED BY THE AUTHOR "AS IS" AND ANY EXPRESS OR' >> "$file";\
+ echo '# IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES' >> "$file";\
+ echo '# OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.' >> "$file";\
+ echo '# IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,' >> "$file";\
+ echo '# INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT' >> "$file";\
+ echo '# NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,' >> "$file";\
+ echo '# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY' >> "$file";\
+ echo '# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT' >> "$file";\
+ echo '# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF' >> "$file";\
+ echo '# THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.' >> "$file";\
+ echo '' >> "$file";\
+ echo 'set -e' >> "$file";\
+ echo '' >> "$file";\
+ echo 'export LC_ALL=C.UTF-8' >> "$file";\
+ echo '' >> "$file";\
+ echo 'get_config_option() {' >> "$file";\
+ echo ' option="$1"' >> "$file";\
+ echo '' >> "$file";\
+ echo ' [ -f /etc/ssh/sshd_config ] || return' >> "$file";\
+ echo '' >> "$file";\
+ echo ' # TODO: actually only one '"'='"' allowed after option' >> "$file";\
+ echo ' perl -lne '"'" >> "$file";\
+ echo ' s/[[:space:]]+/ /g; s/[[:space:]]+$//;' >> "$file";\
+ echo ' print if s/^[[:space:]]*'"'"'"$option"'"'"'[[:space:]=]+//i'"'"' \' >> "$file";\
+ echo ' /etc/ssh/sshd_config' >> "$file";\
+ echo '}' >> "$file";\
+ echo '' >> "$file";\
+ echo '' >> "$file";\
+ echo 'host_keys_required() {' >> "$file";\
+ echo ' hostkeys="$(get_config_option HostKey)"' >> "$file";\
+ echo ' if [ "$hostkeys" ]; then' >> "$file";\
+ echo ' echo "$hostkeys"' >> "$file";\
+ echo ' else' >> "$file";\
+ echo ' # No HostKey directives at all, so the server picks some' >> "$file";\
+ echo ' # defaults.' >> "$file";\
+ echo ' echo /etc/ssh/ssh_host_rsa_key' >> "$file";\
+ echo ' echo /etc/ssh/ssh_host_ecdsa_key' >> "$file";\
+ echo ' echo /etc/ssh/ssh_host_ed25519_key' >> "$file";\
+ echo ' fi' >> "$file";\
+ echo '}' >> "$file";\
+ echo '' >> "$file";\
+ echo 'create_key() {' >> "$file";\
+ echo ' msg="$1"' >> "$file";\
+ echo ' shift' >> "$file";\
+ echo ' hostkeys="$1"' >> "$file";\
+ echo ' shift' >> "$file";\
+ echo ' file="$1"' >> "$file";\
+ echo ' shift' >> "$file";\
+ echo '' >> "$file";\
+ echo ' if echo "$hostkeys" | grep -x "$file" >/dev/null && \' >> "$file";\
+ echo ' [ ! -f "$file" ] ; then' >> "$file";\
+ echo ' printf "%s" "$msg"' >> "$file";\
+ echo ' ssh-keygen -q -f "$file" -N "" "$@"' >> "$file";\
+ echo ' echo' >> "$file";\
+ echo ' if which restorecon >/dev/null 2>&1; then' >> "$file";\
+ echo ' restorecon "$file" "$file.pub"' >> "$file";\
+ echo ' fi' >> "$file";\
+ echo ' ssh-keygen -l -f "$file.pub"' >> "$file";\
+ echo ' fi' >> "$file";\
+ echo '}' >> "$file";\
+ echo '' >> "$file";\
+ echo '' >> "$file";\
+ echo 'create_keys() {' >> "$file";\
+ echo ' hostkeys="$(host_keys_required)"' >> "$file";\
+ echo '' >> "$file";\
+ echo ' create_key "Creating SSH2 RSA key; this may take some time ..." \' >> "$file";\
+ echo ' "$hostkeys" /etc/ssh/ssh_host_rsa_key -t rsa' >> "$file";\
+ echo ' create_key "Creating SSH2 DSA key; this may take some time ..." \' >> "$file";\
+ echo ' "$hostkeys" /etc/ssh/ssh_host_dsa_key -t dsa' >> "$file";\
+ echo ' create_key "Creating SSH2 ECDSA key; this may take some time ..." \' >> "$file";\
+ echo ' "$hostkeys" /etc/ssh/ssh_host_ecdsa_key -t ecdsa' >> "$file";\
+ echo ' create_key "Creating SSH2 ED25519 key; this may take some time ..." \' >> "$file";\
+ echo ' "$hostkeys" /etc/ssh/ssh_host_ed25519_key -t ed25519' >> "$file";\
+ echo '}' >> "$file";\
+ echo '' >> "$file";\
+ echo 'create_keys' >> "$file";\
+ echo 'service ssh force-reload' >> "$file";\
+ chmod a+x "$file"
+ - >
+ file=/target/etc/systemd/system/gen-sshd-host-keys.service;\
+ echo '[Unit]' > "$file";\
+ echo 'Description=Generate OpenSSH daemon host keys service' >> "$file";\
+ echo 'ConditionPathExists=/usr/sbin/sshd' >> "$file";\
+ echo 'ConditionPathExists=!/etc/ssh/sshd_not_to_be_run' >> "$file";\
+ echo 'Before=ssh.service' >> "$file";\
+ echo 'Before=ssh.socket' >> "$file";\
+ echo 'Documentation=https://source.puri.sm/Librem5/gen-ssd-host-keys/README.md' >> "$file";\
+ echo '' >> "$file";\
+ echo '[Service]' >> "$file";\
+ echo 'Type=oneshot' >> "$file";\
+ echo 'ExecStart=/usr/local/sbin/gen-sshd-host-keys' >> "$file";\
+ echo 'ExecStop=/bin/true' >> "$file";\
+ echo '' >> "$file";\
+ echo '[Install]' >> "$file";\
+ echo 'WantedBy=ssh.service' >> "$file";\
+ echo 'WantedBy=ssh.socket' >> "$file"
+ - systemctl enable gen-sshd-host-keys
+ - echo > /target/etc/machine-id
+ - ln -sfT ../../../etc/machine-id /target/var/lib/dbus/machine-id
+ - find /target/etc/ssh -maxdepth 1 -type f -name "ssh_host_*_key*" -delete
diff --git a/nodes/gateway.yml b/nodes/gateway.yml
index 25df9f8..2ea45ac 100644
--- a/nodes/gateway.yml
+++ b/nodes/gateway.yml
@@ -44,6 +44,9 @@ parameters:
- enable multicast DNS
- enable Network Time (NTP) service systemd-timesyncd
- use static IPs as fallback with NTP to avoid DNSSEC deadlock
+ - create local systemd service to create SSH host keys if missing
+ - clear content of /etc/machine-id
+ - remove SSH host keys
pkg:
- iproute2
- iw
@@ -146,3 +149,122 @@ parameters:
echo '# include static IPs (once expanded from former) to avoid DNSSEC deadlock' >> "$file";\
echo 'FallbackNTP=2.debian.pool.ntp.org 195.137.195.251 158.248.189.11 193.104.228.123 195.137.195.252 2001:ac8:37::40 2001:67c:28c8:12::123 2a00:1b70:1200:1::123 2001:67c:564::12' >> "$file"
- systemctl enable systemd-timesyncd
+ - >
+ file=/target/usr/local/sbin/gen-sshd-host-keys;\
+ echo '#!/bin/sh' > "$file";\
+ echo '#' >> "$file";\
+ echo '# Generate missing ssh host keys' >> "$file";\
+ echo '# code copied from openssh-server postinst to address' >> "$file";\
+ echo '# https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=594175' >> "$file";\
+ echo '' >> "$file";\
+ echo '# Copyright: 2018 Purism SPC' >> "$file";\
+ echo '# License: BSD-2-clause' >> "$file";\
+ echo '# Redistribution and use in source and binary forms, with or without' >> "$file";\
+ echo '# modification, are permitted provided that the following conditions' >> "$file";\
+ echo '# are met:' >> "$file";\
+ echo '# 1. Redistributions of source code must retain the above copyright' >> "$file";\
+ echo '# notice, this list of conditions and the following disclaimer.' >> "$file";\
+ echo '# 2. Redistributions in binary form must reproduce the above copyright' >> "$file";\
+ echo '# notice, this list of conditions and the following disclaimer in the' >> "$file";\
+ echo '# documentation and/or other materials provided with the distribution.' >> "$file";\
+ echo '# .' >> "$file";\
+ echo '# THIS SOFTWARE IS PROVIDED BY THE AUTHOR "AS IS" AND ANY EXPRESS OR' >> "$file";\
+ echo '# IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES' >> "$file";\
+ echo '# OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.' >> "$file";\
+ echo '# IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,' >> "$file";\
+ echo '# INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT' >> "$file";\
+ echo '# NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,' >> "$file";\
+ echo '# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY' >> "$file";\
+ echo '# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT' >> "$file";\
+ echo '# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF' >> "$file";\
+ echo '# THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.' >> "$file";\
+ echo '' >> "$file";\
+ echo 'set -e' >> "$file";\
+ echo '' >> "$file";\
+ echo 'export LC_ALL=C.UTF-8' >> "$file";\
+ echo '' >> "$file";\
+ echo 'get_config_option() {' >> "$file";\
+ echo ' option="$1"' >> "$file";\
+ echo '' >> "$file";\
+ echo ' [ -f /etc/ssh/sshd_config ] || return' >> "$file";\
+ echo '' >> "$file";\
+ echo ' # TODO: actually only one '"'='"' allowed after option' >> "$file";\
+ echo ' perl -lne '"'" >> "$file";\
+ echo ' s/[[:space:]]+/ /g; s/[[:space:]]+$//;' >> "$file";\
+ echo ' print if s/^[[:space:]]*'"'"'"$option"'"'"'[[:space:]=]+//i'"'"' \' >> "$file";\
+ echo ' /etc/ssh/sshd_config' >> "$file";\
+ echo '}' >> "$file";\
+ echo '' >> "$file";\
+ echo '' >> "$file";\
+ echo 'host_keys_required() {' >> "$file";\
+ echo ' hostkeys="$(get_config_option HostKey)"' >> "$file";\
+ echo ' if [ "$hostkeys" ]; then' >> "$file";\
+ echo ' echo "$hostkeys"' >> "$file";\
+ echo ' else' >> "$file";\
+ echo ' # No HostKey directives at all, so the server picks some' >> "$file";\
+ echo ' # defaults.' >> "$file";\
+ echo ' echo /etc/ssh/ssh_host_rsa_key' >> "$file";\
+ echo ' echo /etc/ssh/ssh_host_ecdsa_key' >> "$file";\
+ echo ' echo /etc/ssh/ssh_host_ed25519_key' >> "$file";\
+ echo ' fi' >> "$file";\
+ echo '}' >> "$file";\
+ echo '' >> "$file";\
+ echo 'create_key() {' >> "$file";\
+ echo ' msg="$1"' >> "$file";\
+ echo ' shift' >> "$file";\
+ echo ' hostkeys="$1"' >> "$file";\
+ echo ' shift' >> "$file";\
+ echo ' file="$1"' >> "$file";\
+ echo ' shift' >> "$file";\
+ echo '' >> "$file";\
+ echo ' if echo "$hostkeys" | grep -x "$file" >/dev/null && \' >> "$file";\
+ echo ' [ ! -f "$file" ] ; then' >> "$file";\
+ echo ' printf "%s" "$msg"' >> "$file";\
+ echo ' ssh-keygen -q -f "$file" -N "" "$@"' >> "$file";\
+ echo ' echo' >> "$file";\
+ echo ' if which restorecon >/dev/null 2>&1; then' >> "$file";\
+ echo ' restorecon "$file" "$file.pub"' >> "$file";\
+ echo ' fi' >> "$file";\
+ echo ' ssh-keygen -l -f "$file.pub"' >> "$file";\
+ echo ' fi' >> "$file";\
+ echo '}' >> "$file";\
+ echo '' >> "$file";\
+ echo '' >> "$file";\
+ echo 'create_keys() {' >> "$file";\
+ echo ' hostkeys="$(host_keys_required)"' >> "$file";\
+ echo '' >> "$file";\
+ echo ' create_key "Creating SSH2 RSA key; this may take some time ..." \' >> "$file";\
+ echo ' "$hostkeys" /etc/ssh/ssh_host_rsa_key -t rsa' >> "$file";\
+ echo ' create_key "Creating SSH2 DSA key; this may take some time ..." \' >> "$file";\
+ echo ' "$hostkeys" /etc/ssh/ssh_host_dsa_key -t dsa' >> "$file";\
+ echo ' create_key "Creating SSH2 ECDSA key; this may take some time ..." \' >> "$file";\
+ echo ' "$hostkeys" /etc/ssh/ssh_host_ecdsa_key -t ecdsa' >> "$file";\
+ echo ' create_key "Creating SSH2 ED25519 key; this may take some time ..." \' >> "$file";\
+ echo ' "$hostkeys" /etc/ssh/ssh_host_ed25519_key -t ed25519' >> "$file";\
+ echo '}' >> "$file";\
+ echo '' >> "$file";\
+ echo 'create_keys' >> "$file";\
+ echo 'service ssh force-reload' >> "$file";\
+ chmod a+x "$file"
+ - >
+ file=/target/etc/systemd/system/gen-sshd-host-keys.service;\
+ echo '[Unit]' > "$file";\
+ echo 'Description=Generate OpenSSH daemon host keys service' >> "$file";\
+ echo 'ConditionPathExists=/usr/sbin/sshd' >> "$file";\
+ echo 'ConditionPathExists=!/etc/ssh/sshd_not_to_be_run' >> "$file";\
+ echo 'Before=ssh.service' >> "$file";\
+ echo 'Before=ssh.socket' >> "$file";\
+ echo 'Documentation=https://source.puri.sm/Librem5/gen-ssd-host-keys/README.md' >> "$file";\
+ echo '' >> "$file";\
+ echo '[Service]' >> "$file";\
+ echo 'Type=oneshot' >> "$file";\
+ echo 'ExecStart=/usr/local/sbin/gen-sshd-host-keys' >> "$file";\
+ echo 'ExecStop=/bin/true' >> "$file";\
+ echo '' >> "$file";\
+ echo '[Install]' >> "$file";\
+ echo 'WantedBy=ssh.service' >> "$file";\
+ echo 'WantedBy=ssh.socket' >> "$file"
+ - systemctl enable gen-sshd-host-keys
+ - echo > /target/etc/machine-id
+ - ln -sfT ../../../etc/machine-id /target/var/lib/dbus/machine-id
+ - find /target/etc/ssh -maxdepth 1 -type f -name "ssh_host_*_key*" -delete
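Review bot: The generated unit's `[Unit]` section has no `After=` ordering, so on a node's very first boot the `ssh-keygen -q -f "$file" -N "" "$@"` call in `create_key` may run before the kernel RNG has been seeded; adding `After=systemd-random-seed.service` (and ordering after any hardware-RNG service the platform provides) to the unit would reduce the chance of either a stalled boot on a blocking `getrandom()` or, on older stacks, host keys drawn from a poorly seeded pool — this is inferred from the unit's contents, not from an observed failure. Separately, `service ssh force-reload` at the end of the script is inherited from the Debian postinst, where sshd may already be running, but here it executes inside a unit ordered `Before=ssh.service`, where it is at best redundant and, under the script's `set -e`, any non-zero status from it marks the oneshot failed; guarding it with `if systemctl -q is-active ssh.service; then service ssh force-reload; fi` or dropping it entirely would be safer. Finally, `echo > /target/etc/machine-id` writes a one-byte file containing a newline rather than the empty file that the "clear content of /etc/machine-id" description promises; `: > /target/etc/machine-id` produces the genuinely empty file that systemd documents as the trigger for regenerating the ID on first boot.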