From 32b175cc62d309d34b145450f3ed0ce8910aba3f Mon Sep 17 00:00:00 2001 From: Jackie Huang Date: Fri, 1 May 2020 22:20:59 +0800 Subject: [PATCH] openssh: align the service behavior with stx 3.0 - Remove the sshd.socket and sshd@service used by yocto by default - Add the service and config files from stx 3.0 and align the service behavior - Fix the postinst for sshd-config and enable the service Issue-ID: INF-68 Signed-off-by: Jackie Huang Change-Id: I0741b5e413e9a2c831b3f248a9fa6ef9444bd6a0 --- .../openssh/files/stx/sshd-keygen | 154 +++++++++++++++++ .../openssh/files/stx/sshd-keygen.service | 11 ++ .../openssh/files/stx/sshd.init | 192 +++++++++++++++++++++ .../openssh/files/stx/sshd.service | 17 ++ .../openssh/files/stx/sshd.sysconfig | 15 ++ .../openssh/openssh_7.%.bbappend | 55 ++++++ .../stx-config-files/config-files_1.0.0.bb | 34 +++- 7 files changed, 469 insertions(+), 9 deletions(-) create mode 100644 meta-stx/recipes-connectivity/openssh/files/stx/sshd-keygen create mode 100644 meta-stx/recipes-connectivity/openssh/files/stx/sshd-keygen.service create mode 100755 meta-stx/recipes-connectivity/openssh/files/stx/sshd.init create mode 100644 meta-stx/recipes-connectivity/openssh/files/stx/sshd.service create mode 100644 meta-stx/recipes-connectivity/openssh/files/stx/sshd.sysconfig create mode 100644 meta-stx/recipes-connectivity/openssh/openssh_7.%.bbappend diff --git a/meta-stx/recipes-connectivity/openssh/files/stx/sshd-keygen b/meta-stx/recipes-connectivity/openssh/files/stx/sshd-keygen new file mode 100644 index 0000000..1207eb9 --- /dev/null +++ b/meta-stx/recipes-connectivity/openssh/files/stx/sshd-keygen 
@@ -0,0 +1,154 @@
+#!/bin/bash
+
+# Create the host keys for the OpenSSH server.
+#
+# The creation is controlled by the $AUTOCREATE_SERVER_KEYS environment
+# variable.
+AUTOCREATE_SERVER_KEYS="RSA ECDSA ED25519"
+
+# source function library
+. /etc/init.d/functions
+
+# Some functions to make the below more readable
+KEYGEN=/usr/bin/ssh-keygen
+RSA1_KEY=/etc/ssh/ssh_host_key
+RSA_KEY=/etc/ssh/ssh_host_rsa_key
+DSA_KEY=/etc/ssh/ssh_host_dsa_key
+ECDSA_KEY=/etc/ssh/ssh_host_ecdsa_key
+ED25519_KEY=/etc/ssh/ssh_host_ed25519_key
+
+# pull in sysconfig settings
+[ -f /etc/sysconfig/sshd ] && . /etc/sysconfig/sshd
+
+fips_enabled() {
+ if [ -r /proc/sys/crypto/fips_enabled ]; then
+ cat /proc/sys/crypto/fips_enabled
+ else
+ echo 0
+ fi
+}
+
+do_rsa1_keygen() {
+ if [ ! -s $RSA1_KEY -a `fips_enabled` -eq 0 ]; then
+ echo -n $"Generating SSH1 RSA host key: "
+ rm -f $RSA1_KEY
+ if test ! -f $RSA1_KEY && $KEYGEN -q -t rsa1 -f $RSA1_KEY -C '' -N '' >&/dev/null; then
+ chgrp ssh_keys $RSA1_KEY
+ chmod 600 $RSA1_KEY
+ chmod 644 $RSA1_KEY.pub
+ if [ -x /sbin/restorecon ]; then
+ /sbin/restorecon $RSA1_KEY{,.pub}
+ fi
+ success $"RSA1 key generation"
+ echo
+ else
+ failure $"RSA1 key generation"
+ echo
+ exit 1
+ fi
+ fi
+}
+
+do_rsa_keygen() {
+ if [ ! -s $RSA_KEY ]; then
+ echo -n $"Generating SSH2 RSA host key: "
+ rm -f $RSA_KEY
+ if test ! -f $RSA_KEY && $KEYGEN -q -t rsa -f $RSA_KEY -C '' -N '' >&/dev/null; then
+ chgrp ssh_keys $RSA_KEY
+ chmod 600 $RSA_KEY
+ chmod 644 $RSA_KEY.pub
+ if [ -x /sbin/restorecon ]; then
+ /sbin/restorecon $RSA_KEY{,.pub}
+ fi
+ success $"RSA key generation"
+ echo
+ else
+ failure $"RSA key generation"
+ echo
+ exit 1
+ fi
+ fi
+}
+
+do_dsa_keygen() {
+ if [ ! -s $DSA_KEY -a `fips_enabled` -eq 0 ]; then
+ echo -n $"Generating SSH2 DSA host key: "
+ rm -f $DSA_KEY
+ if test ! 
-f $DSA_KEY && $KEYGEN -q -t dsa -f $DSA_KEY -C '' -N '' >&/dev/null; then
+ chgrp ssh_keys $DSA_KEY
+ chmod 600 $DSA_KEY
+ chmod 644 $DSA_KEY.pub
+ if [ -x /sbin/restorecon ]; then
+ /sbin/restorecon $DSA_KEY{,.pub}
+ fi
+ success $"DSA key generation"
+ echo
+ else
+ failure $"DSA key generation"
+ echo
+ exit 1
+ fi
+ fi
+}
+
+do_ecdsa_keygen() {
+ if [ ! -s $ECDSA_KEY ]; then
+ echo -n $"Generating SSH2 ECDSA host key: "
+ rm -f $ECDSA_KEY
+ if test ! -f $ECDSA_KEY && $KEYGEN -q -t ecdsa -f $ECDSA_KEY -C '' -N '' >&/dev/null; then
+ chgrp ssh_keys $ECDSA_KEY
+ chmod 600 $ECDSA_KEY
+ chmod 644 $ECDSA_KEY.pub
+ if [ -x /sbin/restorecon ]; then
+ /sbin/restorecon $ECDSA_KEY{,.pub}
+ fi
+ success $"ECDSA key generation"
+ echo
+ else
+ failure $"ECDSA key generation"
+ echo
+ exit 1
+ fi
+ fi
+}
+
+do_ed25519_keygen() {
+ if [ ! -s $ED25519_KEY -a `fips_enabled` -eq 0 ]; then
+ echo -n $"Generating SSH2 ED25519 host key: "
+ rm -f $ED25519_KEY
+ if test ! -f $ED25519_KEY && $KEYGEN -q -t ed25519 -f $ED25519_KEY -C '' -N '' >&/dev/null; then
+ chgrp ssh_keys $ED25519_KEY
+ chmod 600 $ED25519_KEY
+ chmod 644 $ED25519_KEY.pub
+ if [ -x /sbin/restorecon ]; then
+ /sbin/restorecon $ED25519_KEY{,.pub}
+ fi
+ success $"ED25519 key generation"
+ echo
+ else
+ failure $"ED25519 key generation"
+ echo
+ exit 1
+ fi
+ fi
+}
+
+if [ "x${AUTOCREATE_SERVER_KEYS}" == "xNO" ]; then
+ exit 0
+fi
+
+# legacy options
+case $AUTOCREATE_SERVER_KEYS in
+ NODSA) AUTOCREATE_SERVER_KEYS="RSA ECDSA ED25519";;
+ RSAONLY) AUTOCREATE_SERVER_KEYS="RSA";;
+ YES) AUTOCREATE_SERVER_KEYS="DSA RSA ECDSA ED25519";;
+esac
+
+for KEY in $AUTOCREATE_SERVER_KEYS; do
+ case $KEY in
+ DSA) do_dsa_keygen;;
+ RSA) do_rsa_keygen;;
+ ECDSA) do_ecdsa_keygen;;
+ ED25519) do_ed25519_keygen;;
+ esac
+done
diff --git a/meta-stx/recipes-connectivity/openssh/files/stx/sshd-keygen.service b/meta-stx/recipes-connectivity/openssh/files/stx/sshd-keygen.service
new file mode 100644
index 0000000..77cffeb
--- /dev/null
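Review bot: `do_rsa1_keygen` and `RSA1_KEY` are dead code in this hunk: no arm of the `case $KEY` dispatch at the bottom calls it, and the bbappend targets OpenSSH 7.x, which has no `rsa1` key type, so `$KEYGEN -q -t rsa1` would fail even if it were reached; drop the function and the variable. The legacy `YES` value still generates a DSA host key that sshd 7.x does not offer by default, which deserves a line in sshd.sysconfig such as `# DSA is accepted only for compatibility with old clients`. `. /etc/init.d/functions` is sourced without the `[ -f ... ] &&` guard used for /etc/sysconfig/sshd, and the bbappend adds no runtime dependency on the package that ships it, so on an image without it `success`/`failure` are undefined at the first generated key; either guard it the same way or add that package to `RDEPENDS_${PN}-sshd`.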
+++ b/meta-stx/recipes-connectivity/openssh/files/stx/sshd-keygen.service
@@ -0,0 +1,11 @@
+[Unit]
+Description=OpenSSH Server Key Generation
+ConditionFileNotEmpty=|!/etc/ssh/ssh_host_rsa_key
+ConditionFileNotEmpty=|!/etc/ssh/ssh_host_ecdsa_key
+ConditionFileNotEmpty=|!/etc/ssh/ssh_host_ed25519_key
+PartOf=sshd.service sshd.socket
+
+[Service]
+ExecStart=/usr/sbin/sshd-keygen
+Type=oneshot
+RemainAfterExit=yes
diff --git a/meta-stx/recipes-connectivity/openssh/files/stx/sshd.init b/meta-stx/recipes-connectivity/openssh/files/stx/sshd.init
new file mode 100755
index 0000000..5430632
--- /dev/null
+++ b/meta-stx/recipes-connectivity/openssh/files/stx/sshd.init
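Review bot: `PartOf=sshd.service sshd.socket` still names `sshd.socket`, which `do_install_append` in the bbappend of this same commit deletes; change the line to `PartOf=sshd.service`. The three `ConditionFileNotEmpty=|!` lines hard-code the script's default key set, so once those three keys exist the unit is skipped even if an administrator widens `AUTOCREATE_SERVER_KEYS` in /etc/sysconfig/sshd; a comment next to the conditions, e.g. `# Conditions mirror the default AUTOCREATE_SERVER_KEYS; extra key types set in /etc/sysconfig/sshd are only created when one of these is missing`, would save the next maintainer the surprise.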
@@ -0,0 +1,192 @@
+#!/bin/bash
+#
+# sshd Start up the OpenSSH server daemon
+#
+# chkconfig: 2345 55 25
+# description: SSH is a protocol for secure remote shell access. \
+# This service starts up the OpenSSH server daemon.
+#
+# processname: sshd
+# config: /etc/ssh/ssh_host_key
+# config: /etc/ssh/ssh_host_key.pub
+# config: /etc/ssh/ssh_random_seed
+# config: /etc/ssh/sshd_config
+# pidfile: /var/run/sshd.pid
+
+### BEGIN INIT INFO
+# Provides: sshd
+# Required-Start: $local_fs $network $syslog
+# Required-Stop: $local_fs $syslog
+# Should-Start: $syslog
+# Should-Stop: $network $syslog
+# Default-Start: 2 3 4 5
+# Default-Stop: 0 1 6
+# Short-Description: Start up the OpenSSH server daemon
+# Description: SSH is a protocol for secure remote shell access.
+# This service starts up the OpenSSH server daemon.
+### END INIT INFO
+
+# source function library
+. /etc/init.d/functions
+
+# pull in sysconfig settings
+[ -f /etc/sysconfig/sshd ] && . /etc/sysconfig/sshd
+
+RETVAL=0
+prog="sshd"
+lockfile=/var/lock/subsys/$prog
+
+# Some functions to make the below more readable
+SSHD=/usr/sbin/sshd
+XPID_FILE=/var/run/sshd.pid
+PID_FILE=/var/run/sshd-s.pid
+
+runlevel=$(set -- $(runlevel); eval "echo \$$#" )
+
+do_restart_sanity_check()
+{
+ $SSHD -t
+ RETVAL=$?
+ if [ $RETVAL -ne 0 ]; then
+ failure $"Configuration file or keys are invalid"
+ echo
+ fi
+}
+
+start()
+{
+ [ -x $SSHD ] || exit 5
+ [ -f /etc/ssh/sshd_config ] || exit 6
+ # Create keys if necessary
+ /usr/sbin/sshd-keygen
+
+ # In rare instances, sshd may be started but a pid
+ # file is not generated. This is seen usually during
+ # system reboot scenarios. A subsequent attempt to start
+ # sshd here will trigger a port bind error. As a sanity
+ # check attempt a kill call (mostly redundant) to any
+ # previously running sshd instance
+ /bin/kill `/bin/pidof "$SSHD"` >/dev/null 2>&1
+
+ echo -n $"Starting $prog: "
+ $SSHD $OPTIONS && success || failure
+ RETVAL=$?
+ [ $RETVAL -eq 0 ] && touch $lockfile
+ [ $RETVAL -eq 0 ] && cp -f $XPID_FILE $PID_FILE
+ echo
+ return $RETVAL
+}
+
+stop()
+{
+
+ echo -n $"Stopping $prog: "
+ if [ ! -f "$PID_FILE" ]; then
+ # not running; per LSB standards this is "ok"
+ action $"Stopping $prog: " /bin/true
+ return 0
+ fi
+ PID=`cat "$PID_FILE"`
+ if [ -n "$PID" ]; then
+ /bin/kill "$PID" >/dev/null 2>&1
+ RETVAL=$?
+ if [ $RETVAL -eq 0 ]; then
+ RETVAL=1
+ action $"Stopping $prog: " /bin/false
+ else
+ action $"Stopping $prog: " /bin/true
+ fi
+ else
+ # failed to read pidfile
+ action $"Stopping $prog: " /bin/false
+ RETVAL=4
+ fi
+ # if we are in halt or reboot runlevel kill all running sessions
+ # so the TCP connections are closed cleanly
+ if [ "x$runlevel" = x0 -o "x$runlevel" = x6 ] ; then
+ trap '' TERM
+ killall $prog 2>/dev/null
+ trap TERM
+ fi
+ [ $RETVAL -eq 0 ] && rm -f $lockfile
+ rm -f "$PID_FILE"
+ return $RETVAL
+}
+
+reload()
+{
+ echo -n $"Reloading $prog: "
+ if [ -n "`pidfileofproc $SSHD`" ] ; then
+ killproc $SSHD -HUP
+ else
+ failure $"Reloading $prog"
+ fi
+ RETVAL=$?
+ echo
+}
+
+restart() {
+ stop
+ start
+}
+
+force_reload() {
+ restart
+}
+
+rh_status() {
+ status -p $PID_FILE openssh-daemon
+}
+
+rh_status_q() {
+ rh_status >/dev/null 2>&1
+}
+
+case "$1" in
+ start)
+ rh_status_q && exit 0
+ start
+ ;;
+ stop)
+ if ! rh_status_q; then
+ rm -f $lockfile
+ exit 0
+ fi
+ stop
+ ;;
+ restart)
+ restart
+ ;;
+ reload)
+ rh_status_q || exit 7
+ reload
+ ;;
+ force-reload)
+ force_reload
+ ;;
+ condrestart|try-restart)
+ rh_status_q || exit 0
+ if [ -f $lockfile ] ; then
+ do_restart_sanity_check
+ if [ $RETVAL -eq 0 ] ; then
+ stop
+ # avoid race
+ sleep 3
+ start
+ else
+ RETVAL=6
+ fi
+ fi
+ ;;
+ status)
+ rh_status
+ RETVAL=$?
+ if [ $RETVAL -eq 3 -a -f $lockfile ] ; then
+ RETVAL=2
+ fi
+ ;;
+ *)
+ echo $"Usage: $0 {start|stop|restart|reload|force-reload|condrestart|try-restart|status}"
+ RETVAL=2
+esac
+exit $RETVAL
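Review bot: The status test in `stop()` right after `/bin/kill "$PID"` appears inverted: a successful kill (`RETVAL -eq 0`) is turned into `RETVAL=1` with a FAILED action, while a failed kill is reported OK, so an ordinary stop returns 1, `[ $RETVAL -eq 0 ] && rm -f $lockfile` never removes the lock, and the next `status` reports 2 (dead but subsys locked) instead of 3. Unless this is deliberate, change the line to `if [ $RETVAL -ne 0 ]; then`. Separately, the sanity kill in `start()` uses `/bin/kill \`/bin/pidof "$SSHD"\``, and pidof matches every `/usr/sbin/sshd` process including privilege-separated session children, so if only the listener has died this also terminates live sessions; the comment block above it should at least say so, or the kill should be limited to the pid recorded in `$XPID_FILE`.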
diff --git a/meta-stx/recipes-connectivity/openssh/files/stx/sshd.service b/meta-stx/recipes-connectivity/openssh/files/stx/sshd.service
new file mode 100644
index 0000000..af7845c
--- /dev/null
+++ b/meta-stx/recipes-connectivity/openssh/files/stx/sshd.service
@@ -0,0 +1,17 @@
+[Unit]
+Description=OpenSSH server daemon
+Documentation=man:sshd(8) man:sshd_config(5)
+After=network.target sshd-keygen.service
+Wants=sshd-keygen.service
+
+[Service]
+Type=notify
+EnvironmentFile=/etc/sysconfig/sshd
+ExecStart=/usr/sbin/sshd -D $OPTIONS
+ExecReload=/bin/kill -HUP $MAINPID
+KillMode=process
+Restart=on-failure
+RestartSec=42s
+
+[Install]
+WantedBy=multi-user.target
diff --git a/meta-stx/recipes-connectivity/openssh/files/stx/sshd.sysconfig b/meta-stx/recipes-connectivity/openssh/files/stx/sshd.sysconfig
new file mode 100644
index 0000000..e666ab9
--- /dev/null
+++ b/meta-stx/recipes-connectivity/openssh/files/stx/sshd.sysconfig
@@ -0,0 +1,15 @@
+# Configuration file for the sshd service.
+
+# The server keys are automatically generated if they are missing.
+# To change the automatic creation uncomment and change the appropriate
+# line. Accepted key types are: DSA RSA ECDSA ED25519.
+# The default is "RSA ECDSA ED25519"
+
+# AUTOCREATE_SERVER_KEYS=""
+# AUTOCREATE_SERVER_KEYS="RSA ECDSA ED25519"
+
+# Do not change this option unless you have hardware random
+# generator and you REALLY know what you are doing
+
+SSH_USE_STRONG_RNG=0
+# SSH_USE_STRONG_RNG=1
diff --git a/meta-stx/recipes-connectivity/openssh/openssh_7.%.bbappend b/meta-stx/recipes-connectivity/openssh/openssh_7.%.bbappend
new file mode 100644
index 0000000..e745d7e
--- /dev/null
+++ b/meta-stx/recipes-connectivity/openssh/openssh_7.%.bbappend
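Review bot: `Type=notify` in the [Service] section requires sshd to send READY=1 via sd_notify, which upstream OpenSSH 7.x does not do; unless this recipe carries a distro sd-notify patch (none is added to SRC_URI in the bbappend), systemd would wait for the notification until the start timeout and then kill the daemon. Use `Type=simple` here, or confirm the patch is present and say so in a comment. Note also that the config-files postinst in this same commit installs its own copy to `/etc/systemd/system/sshd.service`, which shadows this unit in `${systemd_system_unitdir}` on a StarlingX image, so the two files need to be kept in sync or one of them dropped.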
@@ -0,0 +1,55 @@
+#
+## Copyright (C) 2019 Wind River Systems, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+FILESEXTRAPATHS_prepend := "${THISDIR}/files:"
+
+SRC_URI += "\
+ file://stx/sshd.init \
+ file://stx/sshd-keygen \
+ file://stx/sshd-keygen.service \
+ file://stx/sshd.service \
+ file://stx/sshd.sysconfig \
+"
+
+SYSTEMD_SERVICE_${PN}-sshd = "sshd.service"
+
+do_install_append () {
+ rm -f ${D}${systemd_system_unitdir}/sshd.socket
+ rm -f ${D}${systemd_system_unitdir}/sshd@service.socket
+ rm -f ${D}${systemd_system_unitdir}/sshdgenkeys.service
+
+ install -d ${D}/${sysconfdir}/init.d/
+ install -m 755 ${WORKDIR}/stx/sshd.init ${D}/${sysconfdir}/init.d/sshd
+
+ install -d ${D}/${sysconfdir}/sysconfig/
+ install -m 644 ${WORKDIR}/stx/sshd.sysconfig ${D}/${sysconfdir}/sysconfig/sshd
+
+ install -m 755 ${WORKDIR}/stx/sshd-keygen ${D}/${sbindir}/sshd-keygen
+ install -m644 ${WORKDIR}/stx/sshd.service ${D}/${systemd_system_unitdir}/sshd.service
+ install -m644 ${WORKDIR}/stx/sshd-keygen.service ${D}/${systemd_system_unitdir}/sshd-keygen.service
+
+ install -d ${D}/${sysconfdir}/tmpfiles.d
+ echo "d ${localstatedir}/run/sshd 0755 root root -" >> ${D}/${sysconfdir}/tmpfiles.d/sshd.conf
+
+}
+
+RDEPENDS_${PN} += "bash"
+RDEPENDS_${PN}-sshd += "bash"
+
+# allow both systemd service and sysvinit scripts are installed
+DISTRO_FEATURES_BACKFILL_CONSIDERED_remove = "sysvinit"
+
+USERADD_PARAM_${PN}-sshd = "-r -d /var/empty/sshd -s /sbin/nologin -g sshd -c 
'Privilege-separated SSH' sshd"
+GROUPADD_PARAM_${PN}-sshd = "-r ssh_keys; -r sshd"
diff --git a/meta-stx/recipes-core/stx-config-files/config-files_1.0.0.bb b/meta-stx/recipes-core/stx-config-files/config-files_1.0.0.bb
index da6e623..4c8a4d0 100644
--- a/meta-stx/recipes-core/stx-config-files/config-files_1.0.0.bb
+++ b/meta-stx/recipes-core/stx-config-files/config-files_1.0.0.bb
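Review bot: `rm -f ${D}${systemd_system_unitdir}/sshd@service.socket` in `do_install_append` names a file the poky openssh recipe does not install; the unit shipped alongside `sshd.socket` is `sshd@.service` (the name the commit message uses), so it remains in the package while only `sshd.socket` is removed. Change the line to `rm -f ${D}${systemd_system_unitdir}/sshd@.service`. Both sshd.init and sshd-keygen begin with `. /etc/init.d/functions`, but `RDEPENDS_${PN}-sshd` only adds `bash`; the package providing that file (`initscripts-functions` in poky, to be confirmed for this layer) should be added, otherwise `success`, `failure`, `action`, `status` and `killproc` are undefined on an image that does not pull it in by other means.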
@@ -499,27 +499,43 @@ pkg_postinst_ontarget_openldap-config() { chmod 644 ${systemd_system_unitdir}/slapd } -pkg_postinst_ontarget_openssh-config() { +pkg_postinst_openssh-config() { # %description # package StarlingX configuration files of openssh to system folder. - SRCPATH=${datadir}/starlingx/config-files/openssh-config/files + SRCPATH=$D${datadir}/starlingx/config-files/openssh-config/files - install -m 644 ${SRCPATH}/sshd.service ${sysconfdir}/systemd/system/sshd.service - install -m 644 ${SRCPATH}/ssh_config ${datadir}/starlingx/ssh_config - install -m 600 ${SRCPATH}/sshd_config ${datadir}/starlingx/sshd_config + install -m 644 ${SRCPATH}/sshd.service $D${sysconfdir}/systemd/system/sshd.service + install -m 644 ${SRCPATH}/ssh_config $D${datadir}/starlingx/ssh_config + install -m 600 ${SRCPATH}/sshd_config $D${datadir}/starlingx/sshd_config # remove the unsupported and deprecated options sed -i -e 's/^\(GSSAPIAuthentication.*\)/#\1/' \ -e 's/^\(GSSAPICleanupCredentials.*\)/#\1/' \ -e 's/^\(UsePrivilegeSeparation.*\)/#\1/' \ - ${datadir}/starlingx/sshd_config + $D${datadir}/starlingx/sshd_config - sed -i -e 's/\(GSSAPIAuthentication yes\)/#\1/' ${datadir}/starlingx/ssh_config + sed -i -e 's/\(GSSAPIAuthentication yes\)/#\1/' $D${datadir}/starlingx/ssh_config - cp -f ${datadir}/starlingx/ssh_config ${sysconfdir}/ssh/ssh_config - cp -f ${datadir}/starlingx/sshd_config ${sysconfdir}/ssh/sshd_config + cp -f $D${datadir}/starlingx/ssh_config $D${sysconfdir}/ssh/ssh_config + cp -f $D${datadir}/starlingx/sshd_config $D${sysconfdir}/ssh/sshd_config + + # enable syslog-ng service by default + OPTS="" + if [ -n "$D" ]; then + OPTS="--root=$D" + fi + if [ -z "$D" ]; then + systemctl daemon-reload + fi + + systemctl $OPTS enable sshd.service + + if [ -z "$D" ]; then + systemctl --no-block restart sshd.service + fi + } pkg_postinst_ontarget_openvswitch-config() { -- 2.16.6
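Review bot: The comment `# enable syslog-ng service by default` above the `systemctl $OPTS enable sshd.service` block is a copy-paste leftover; it should read `# enable the sshd service by default`. Dropping the `_ontarget_` suffix also means the function now runs at rootfs-generation time with `$D` set, and the `cp -f` onto `$D${sysconfdir}/ssh/sshd_config` presumably requires the openssh package to have been installed into the rootfs first; if nothing orders this recipe after openssh-sshd (an `RDEPENDS_openssh-config` on it would), the copy fails and the postinst is deferred, so that ordering is worth stating in the `# %description` comment. The enclosing `pkg_postinst_openssh-config()` body is shown in full, but the surrounding file continues outside the hunk.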