-rw-r--r-- | meta/classes/image.bbclass | 12 | ||||
-rw-r--r-- | meta/recipes-connectivity/openssh/openssh-6.2p2/init | 22 | ||||
-rw-r--r-- | meta/recipes-connectivity/openssh/openssh_6.2p2.bb | 9 |
3 files changed, 35 insertions, 8 deletions
diff --git a/meta/classes/image.bbclass b/meta/classes/image.bbclass
index 494664627d..116bd226ea 100644
--- a/meta/classes/image.bbclass
+++ b/meta/classes/image.bbclass
@@ -262,6 +262,18 @@ read_only_rootfs_hook () {
 if [ -x ${IMAGE_ROOTFS}/etc/init.d/populate-volatile.sh ]; then
 ${IMAGE_ROOTFS}/etc/init.d/populate-volatile.sh
 fi
+ # If we're using openssh and the /etc/ssh directory has no pre-generated keys,
+ # we should configure openssh to use the configuration file /etc/ssh/sshd_config_readonly
+ # and the keys under /var/run/ssh.
+ if [ -d ${IMAGE_ROOTFS}/etc/ssh ]; then
+ if [ -e ${IMAGE_ROOTFS}/etc/ssh/ssh_host_rsa_key ]; then
+ echo "SYSCONFDIR=/etc/ssh" >> ${IMAGE_ROOTFS}/etc/default/ssh
+ echo "SSHD_OPTS=" >> ${IMAGE_ROOTFS}/etc/default/ssh
+ else
+ echo "SYSCONFDIR=/var/run/ssh" >> ${IMAGE_ROOTFS}/etc/default/ssh
+ echo "SSHD_OPTS='-f /etc/ssh/sshd_config_readonly'" >> ${IMAGE_ROOTFS}/etc/default/ssh
+ fi
+ fi
 fi
 }
diff --git a/meta/recipes-connectivity/openssh/openssh-6.2p2/init b/meta/recipes-connectivity/openssh/openssh-6.2p2/init
index 6beec848df..12fb79bd7c 100644
--- a/meta/recipes-connectivity/openssh/openssh-6.2p2/init
+++ b/meta/recipes-connectivity/openssh/openssh-6.2p2/init
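Review bot: The SYSCONFDIR decision at `if [ -e ${IMAGE_ROOTFS}/etc/ssh/ssh_host_rsa_key ]` keys off the RSA host key alone, while the init script in this same commit runs under `set -e` and generates RSA, ECDSA and DSA keys whenever any one is missing; an image that pre-generates only the RSA key therefore gets SYSCONFDIR=/etc/ssh and the init will then try to write the other two keys into the read-only /etc/ssh and abort before sshd starts. Requiring all three keys makes the two halves agree: `if [ -e ${IMAGE_ROOTFS}/etc/ssh/ssh_host_rsa_key ] && [ -e ${IMAGE_ROOTFS}/etc/ssh/ssh_host_ecdsa_key ] && [ -e ${IMAGE_ROOTFS}/etc/ssh/ssh_host_dsa_key ]; then`. The `>>` appends also assume /etc/default/ssh does not already carry a SYSCONFDIR or SSHD_OPTS setting; if it can, the later line wins when sourced but the file accumulates stale duplicates, so a comment stating that this hook is the sole writer would help. The block comment should also say that the /var/run/ssh branch means a fresh host key on every boot if /var/run is volatile on the target (as the name suggests), so clients can never pin the server's identity; that is the trade-off an integrator choosing this path accepts. read_only_rootfs_hook begins before this hunk.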
@@ -6,14 +6,22 @@ set -e
 test -x /usr/sbin/sshd || exit 0
 ( /usr/sbin/sshd -\? 2>&1 | grep -q OpenSSH ) 2>/dev/null || exit 0
+# /etc/default/ssh may set SYSCONFDIR and SSHD_OPTS
 if test -f /etc/default/ssh; then
 . /etc/default/ssh
 fi
+[ -z "$SYSCONFDIR" ] && SYSCONFDIR=/etc/ssh
+mkdir -p $SYSCONFDIR
+
+HOST_KEY_RSA=$SYSCONFDIR/ssh_host_rsa_key
+HOST_KEY_DSA=$SYSCONFDIR/ssh_host_dsa_key
+HOST_KEY_ECDSA=$SYSCONFDIR/ssh_host_ecdsa_key
+
 check_for_no_start() {
 # forget it if we're trying to start, and /etc/ssh/sshd_not_to_be_run exists
- if [ -e /etc/ssh/sshd_not_to_be_run ]; then
- echo "OpenBSD Secure Shell server not in use (/etc/ssh/sshd_not_to_be_run)"
+ if [ -e $SYSCONFDIR/sshd_not_to_be_run ]; then
+ echo "OpenBSD Secure Shell server not in use ($SYSCONFDIR/sshd_not_to_be_run)"
 exit 0
 fi
 }
@@ -32,17 +40,17 @@ check_config() {
 check_keys() {
 # create keys if necessary
- if [ ! -f /etc/ssh/ssh_host_rsa_key ]; then
+ if [ ! -f $HOST_KEY_RSA ]; then
 echo " generating ssh RSA key..."
- ssh-keygen -q -f /etc/ssh/ssh_host_rsa_key -N '' -t rsa
+ ssh-keygen -q -f $HOST_KEY_RSA -N '' -t rsa
 fi
- if [ ! -f /etc/ssh/ssh_host_ecdsa_key ]; then
+ if [ ! -f $HOST_KEY_ECDSA ]; then
 echo " generating ssh ECDSA key..."
- ssh-keygen -q -f /etc/ssh/ssh_host_ecdsa_key -N '' -t ecdsa
+ ssh-keygen -q -f $HOST_KEY_ECDSA -N '' -t ecdsa
 fi
 if [ ! -f /etc/ssh/ssh_host_dsa_key ]; then
 echo " generating ssh DSA key..."
- ssh-keygen -q -f /etc/ssh/ssh_host_dsa_key -N '' -t dsa
+ ssh-keygen -q -f $HOST_KEY_DSA -N '' -t dsa
 fi
 }
diff --git a/meta/recipes-connectivity/openssh/openssh_6.2p2.bb b/meta/recipes-connectivity/openssh/openssh_6.2p2.bb
index ab2eefb9bc..c76f9ac7ee 100644
--- a/meta/recipes-connectivity/openssh/openssh_6.2p2.bb
+++ b/meta/recipes-connectivity/openssh/openssh_6.2p2.bb
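Review bot: In check_for_no_start the marker lookup now follows `$SYSCONFDIR`, so on a read-only rootfs where /etc/default/ssh sets SYSCONFDIR=/var/run/ssh an administrator's `/etc/ssh/sshd_not_to_be_run` is no longer honoured — the file is looked for in a directory this script has just created with `mkdir -p`, which will be empty on every boot if /var/run is volatile. The comment above the test still says `/etc/ssh/sshd_not_to_be_run`, which reads as the intended contract; I would keep the marker fixed at `if [ -e /etc/ssh/sshd_not_to_be_run ]; then` with the matching echo text, relocating only the host key paths. If the marker is meant to move with the keys, say so where it is tested, e.g. `# marker is looked up in $SYSCONFDIR, which may be volatile on a read-only rootfs`.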
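Review bot: The DSA branch of check_keys still tests `/etc/ssh/ssh_host_dsa_key` but generates `$HOST_KEY_DSA`, whereas the RSA and ECDSA branches were relocated on both lines. With SYSCONFDIR=/var/run/ssh the test never sees the key just written, so every service restart — not only every boot — mints a new DSA host key, and clients that cached the previous one get a host-key-changed warning that trains users to click through. The condition should read `if [ ! -f $HOST_KEY_DSA ]; then`. It would also be worth a one-line comment next to `mkdir -p $SYSCONFDIR` noting that the directory takes the process umask and that only the key files themselves are restricted by ssh-keygen, so a reader knows where the protection actually comes from.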
@@ -86,6 +86,13 @@ do_install_append () {
 install -m 0755 ${WORKDIR}/init ${D}${sysconfdir}/init.d/sshd
 rm -f ${D}${bindir}/slogin ${D}${datadir}/Ssh.bin
 rmdir ${D}${localstatedir}/run/sshd ${D}${localstatedir}/run ${D}${localstatedir}
+ # Create config files for read-only rootfs
+ install -d ${D}${sysconfdir}/ssh
+ install -m 644 ${WORKDIR}/sshd_config ${D}${sysconfdir}/ssh/sshd_config_readonly
+ sed -i '/HostKey/d' ${D}${sysconfdir}/ssh/sshd_config_readonly
+ echo "HostKey /var/run/ssh/ssh_host_rsa_key" >> ${D}${sysconfdir}/ssh/sshd_config_readonly
+ echo "HostKey /var/run/ssh/ssh_host_dsa_key" >> ${D}${sysconfdir}/ssh/sshd_config_readonly
+ echo "HostKey /var/run/ssh/ssh_host_ecdsa_key" >> ${D}${sysconfdir}/ssh/sshd_config_readonly
 }
 ALLOW_EMPTY_${PN} = "1"
@@ -94,7 +101,7 @@ PACKAGES =+ "${PN}-keygen ${PN}-scp ${PN}-ssh ${PN}-sshd ${PN}-sftp ${PN}-misc $
 FILES_${PN}-scp = "${bindir}/scp.${BPN}"
 FILES_${PN}-ssh = "${bindir}/ssh.${BPN} ${sysconfdir}/ssh/ssh_config"
 FILES_${PN}-sshd = "${sbindir}/sshd ${sysconfdir}/init.d/sshd"
-FILES_${PN}-sshd += "${sysconfdir}/ssh/moduli ${sysconfdir}/ssh/sshd_config"
+FILES_${PN}-sshd += "${sysconfdir}/ssh/moduli ${sysconfdir}/ssh/sshd_config ${sysconfdir}/ssh/sshd_config_readonly"
 FILES_${PN}-sftp = "${bindir}/sftp"
 FILES_${PN}-sftp-server = "${libexecdir}/sftp-server"
 FILES_${PN}-misc = "${bindir}/ssh* ${libexecdir}/ssh*"
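Review bot: `sed -i '/HostKey/d'` deletes every line that merely contains the substring HostKey, not just the HostKey directives — commented examples go too (harmless), but so would any other directive whose name begins with HostKey in the shipped or a future sshd_config; anchoring the pattern keeps it to the directive: `sed -i '/^[[:space:]]*#*HostKey[[:space:]]/d' ${D}${sysconfdir}/ssh/sshd_config_readonly`. The three echo lines hardcode `/var/run/ssh`, the same path image.bbclass writes as SYSCONFDIR, so the two files have to be kept in step by hand; a comment such as `# paths must match SYSCONFDIR=/var/run/ssh written by read_only_rootfs_hook in image.bbclass` at the top of this block would make the coupling visible. do_install_append starts before this hunk.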