| Message ID | cover.1710177387.git.enrico.scholz@sigma-chemnitz.de |
|---|---|
| Headers | show |
| Series | Replace sshd_config patching by snippets | expand |
It's a very much welcome refactoring (existing code is an inconsistent mess), but there's also a feature freeze right now, and this patchset is invasive. Can you resubmit once the LTS is out? Alex On Mon, 11 Mar 2024 at 18:19, Enrico Scholz via lists.openembedded.org <enrico.scholz=sigma-chemnitz.de@lists.openembedded.org> wrote: > > To deal with system setups, sshd was configured in the following way: > > - sshd_config is shipped completely by OE and DISTRO_FEATURES (pam, > x11) are patched in during do_install > > --> this is difficulty to maintain; e.g. sshd_config must be > synchronized between OpenSSH releases and OE adaptations > manually inserted > > - two different configuration files (sshd_config + sshd_config_readonly) > are created; IMAGE_FEATURES decides which one is used and it is patched > in a ROOTFS_COMMAND in the system > > --> this make it difficult for third party recipes to incorporate > their changes (they have to go over both files) > > --> the readonly HostKey locations and algorithms are hardcoded > which makes it difficult to place them e.g. on a persistent > /opt partition and disable e.g. ecdsa > > - depending on IMAGE_FEATURES (empty passwords, root login), both > files are patched by a ROOTFS_POSTCOMMAND > > --> these changes are lost when pkgmgmt is used for the image and > openssh being updated > > > The patchset: > > - reduces changes to sshd_config to > > | Include /etc/ssh/sshd_config.d/*.conf > > --> This is already the done in current recipe and most mainline > Linux distributions are doing it > > - moves configuration in new openssh-config recipe which is a weak > dependency of openssh (and can be replaced by another IMAGE_INSTALL) > > Recipe ships configuration as small snippets which might contain > dynamically created content (e.g. 'UsePAM yes') > > - IMAGE_FEATURE based setup is done by creating subpackages with > the corresponding options. These subpackages are added to > FEATURE_PACKAGES_ssh-server-openssh > > - readonly rootfs setup has been enhanced by > > | RO_KEYDIR ??= "/var/run/ssh" > | KEY_ALGORITHMS ??= "rsa ecdsa ed25519" > > parameters which can be overridden. > > > Enrico Scholz (7): > openssh: replace complete configuration files by patch > openssh-config: initial checkin > openssh: move configuration tweaking in configuration recipe > image: prepare openssh configuration > openssh: replace 'allow-empty-password' rootfs scipt by configuration > openssh: replace 'allow-root-login' rootfs scipt by configuration > openssh: move read-only-rootfs setup in configuration snippet > > meta/classes-recipe/core-image.bbclass | 19 ++- > .../rootfs-postcommands.bbclass | 25 +--- > .../openssh/openssh-config.bb | 51 ++++++++ > .../60-allow-empty-password.conf | 1 + > .../openssh-config/60-allow-root-login.conf | 1 + > .../openssh/openssh-config/80-oe.conf | 5 + > .../openssh/openssh/include-conf.patch | 32 +++++ > .../openssh/openssh/ssh_config | 48 ------- > .../openssh/openssh/sshd_config | 119 ------------------ > .../openssh/openssh_9.6p1.bb | 20 +-- > 10 files changed, 112 insertions(+), 209 deletions(-) > create mode 100644 meta/recipes-connectivity/openssh/openssh-config.bb > create mode 100644 meta/recipes-connectivity/openssh/openssh-config/60-allow-empty-password.conf > create mode 100644 meta/recipes-connectivity/openssh/openssh-config/60-allow-root-login.conf > create mode 100644 meta/recipes-connectivity/openssh/openssh-config/80-oe.conf > create mode 100644 meta/recipes-connectivity/openssh/openssh/include-conf.patch > delete mode 100644 meta/recipes-connectivity/openssh/openssh/ssh_config > delete mode 100644 meta/recipes-connectivity/openssh/openssh/sshd_config > > -- > 2.44.0 > > > -=-=-=-=-=-=-=-=-=-=-=- > Links: You receive all messages sent to this group. > View/Reply Online (#196955): https://lists.openembedded.org/g/openembedded-core/message/196955 > Mute This Topic: https://lists.openembedded.org/mt/104868003/1686489 > Group Owner: openembedded-core+owner@lists.openembedded.org > Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [alex.kanavin@gmail.com] > -=-=-=-=-=-=-=-=-=-=-=- >
On Mon, 2024-03-11 at 10:19 -0700, Enrico Scholz via lists.openembedded.org wrote: > To deal with system setups, sshd was configured in the following way: > > - sshd_config is shipped completely by OE and DISTRO_FEATURES (pam, > x11) are patched in during do_install > > --> this is difficulty to maintain; e.g. sshd_config must be > synchronized between OpenSSH releases and OE adaptations > manually inserted > > - two different configuration files (sshd_config + sshd_config_readonly) > are created; IMAGE_FEATURES decides which one is used and it is patched > in a ROOTFS_COMMAND in the system > > --> this make it difficult for third party recipes to incorporate > their changes (they have to go over both files) > > --> the readonly HostKey locations and algorithms are hardcoded > which makes it difficult to place them e.g. on a persistent > /opt partition and disable e.g. ecdsa > > - depending on IMAGE_FEATURES (empty passwords, root login), both > files are patched by a ROOTFS_POSTCOMMAND > > --> these changes are lost when pkgmgmt is used for the image and > openssh being updated > > > The patchset: > > - reduces changes to sshd_config to > > | Include /etc/ssh/sshd_config.d/*.conf > > --> This is already the done in current recipe and most mainline > Linux distributions are doing it > > - moves configuration in new openssh-config recipe which is a weak > dependency of openssh (and can be replaced by another IMAGE_INSTALL) > > Recipe ships configuration as small snippets which might contain > dynamically created content (e.g. 'UsePAM yes') > > - IMAGE_FEATURE based setup is done by creating subpackages with > the corresponding options. These subpackages are added to > FEATURE_PACKAGES_ssh-server-openssh > > - readonly rootfs setup has been enhanced by > > | RO_KEYDIR ??= "/var/run/ssh" > | KEY_ALGORITHMS ??= "rsa ecdsa ed25519" > > parameters which can be overridden. Thanks for sending this. I suspect something like this might be desirable however unfortunately the timing is a little tricky as we're just past the feature freeze point for 5.0. I know people often want to push for the inclusion of things into something like the LTS so I did put this through the automated testing, just to get an idea of the potential issues. The first run had lots of these warnings: https://autobuilder.yoctoproject.org/typhoon/#/builders/63/builds/8649/steps/14/logs/warnings so I squashed a fix in for that. The second run had this: https://autobuilder.yoctoproject.org/typhoon/#/builders/81/builds/6390/steps/12/logs/stdio which suggests ssh connections into our image testing doesn't work. It is unclear why that is failing there but there were indications in the previous build that other ssh connections were working ok. It could be dropbear vs openssh at a guess. That build is still ongoing too so there may be other issues. Anyway I just wanted to highlight the testing results and to say that this is something we should think about but it will have to wait until after 5.0 releases. I haven't reviewed the patches in much detail, I mainly wanted to get the automated testing results shared. Cheers, Richard
On Thu, 2024-03-14 at 11:00 +0000, Richard Purdie via lists.openembedded.org wrote: > On Mon, 2024-03-11 at 10:19 -0700, Enrico Scholz via > lists.openembedded.org wrote: > > To deal with system setups, sshd was configured in the following > > way: > > > > - sshd_config is shipped completely by OE and DISTRO_FEATURES > > (pam, > > x11) are patched in during do_install > > > > --> this is difficulty to maintain; e.g. sshd_config must be > > synchronized between OpenSSH releases and OE adaptations > > manually inserted > > > > - two different configuration files (sshd_config + > > sshd_config_readonly) > > are created; IMAGE_FEATURES decides which one is used and it is > > patched > > in a ROOTFS_COMMAND in the system > > > > --> this make it difficult for third party recipes to > > incorporate > > their changes (they have to go over both files) > > > > --> the readonly HostKey locations and algorithms are hardcoded > > which makes it difficult to place them e.g. on a persistent > > /opt partition and disable e.g. ecdsa > > > > - depending on IMAGE_FEATURES (empty passwords, root login), both > > files are patched by a ROOTFS_POSTCOMMAND > > > > --> these changes are lost when pkgmgmt is used for the image > > and > > openssh being updated > > > > > > The patchset: > > > > - reduces changes to sshd_config to > > > > | Include /etc/ssh/sshd_config.d/*.conf > > > > --> This is already the done in current recipe and most mainline > > Linux distributions are doing it > > > > - moves configuration in new openssh-config recipe which is a weak > > dependency of openssh (and can be replaced by another > > IMAGE_INSTALL) > > > > Recipe ships configuration as small snippets which might contain > > dynamically created content (e.g. 'UsePAM yes') > > > > - IMAGE_FEATURE based setup is done by creating subpackages with > > the corresponding options. These subpackages are added to > > FEATURE_PACKAGES_ssh-server-openssh > > > > - readonly rootfs setup has been enhanced by > > > > | RO_KEYDIR ??= "/var/run/ssh" > > | KEY_ALGORITHMS ??= "rsa ecdsa ed25519" > > > > parameters which can be overridden. > > > Thanks for sending this. I suspect something like this might be > desirable however unfortunately the timing is a little tricky as > we're > just past the feature freeze point for 5.0. > > I know people often want to push for the inclusion of things into > something like the LTS so I did put this through the automated > testing, > just to get an idea of the potential issues. > > The first run had lots of these warnings: > > https://autobuilder.yoctoproject.org/typhoon/#/builders/63/builds/8649/steps/14/logs/warnings > > so I squashed a fix in for that. The second run had this: > > https://autobuilder.yoctoproject.org/typhoon/#/builders/81/builds/6390/steps/12/logs/stdio > > which suggests ssh connections into our image testing doesn't work. > It > is unclear why that is failing there but there were indications in > the > previous build that other ssh connections were working ok. It could > be > dropbear vs openssh at a guess. That build is still ongoing too so > there may be other issues. > > Anyway I just wanted to highlight the testing results and to say that > this is something we should think about but it will have to wait > until > after 5.0 releases. > > I haven't reviewed the patches in much detail, I mainly wanted to get > the automated testing results shared. Some further related warnings: https://autobuilder.yoctoproject.org/typhoon/#/builders/23/builds/9031/steps/11/logs/warnings Cheers, Richard
Richard Purdie <richard.purdie@linuxfoundation.org> writes: > Thanks for sending this. I suspect something like this might be > desirable however unfortunately the timing is a little tricky as we're > just past the feature freeze point for 5.0. ok; my fault. I delayed it too much. Would it be possible to communicate such schedules more visibly? E.g. put a link on https://wiki.yoctoproject.org/wiki/Releases ? > https://autobuilder.yoctoproject.org/typhoon/#/builders/63/builds/8649/steps/14/logs/warnings ok > so I squashed a fix in for that. The second run had this: > > https://autobuilder.yoctoproject.org/typhoon/#/builders/81/builds/6390/steps/12/logs/stdio It is difficulty for me to analyze this from the outside. The patchset requires that the 'openssh-sshd' IMAGE_FEATURE is set; installing the package manually does not suffice anymore. I can not detect such an IMAGE_FEATURE configuration in step 10; but I might miss other setup. Enrico
On Thu, 2024-03-14 at 15:11 +0100, Enrico Scholz wrote: > Richard Purdie <richard.purdie@linuxfoundation.org> writes: > > > Thanks for sending this. I suspect something like this might be > > desirable however unfortunately the timing is a little tricky as > > we're > > just past the feature freeze point for 5.0. > > ok; my fault. I delayed it too much. > > Would it be possible to communicate such schedules more visibly? > E.g. put a link on https://wiki.yoctoproject.org/wiki/Releases ? The dates are being updated here: https://wiki.yoctoproject.org/wiki/Weekly_Status and in weekly status emails sent to the yocto and openembedded-core mailing lists. > > https://autobuilder.yoctoproject.org/typhoon/#/builders/63/builds/8649/steps/14/logs/warnings > > ok > > > > so I squashed a fix in for that. The second run had this: > > > > https://autobuilder.yoctoproject.org/typhoon/#/builders/81/builds/6390/steps/12/logs/stdio > > It is difficulty for me to analyze this from the outside. The > patchset requires that the 'openssh-sshd' IMAGE_FEATURE is set; > installing the package manually does not suffice anymore. That is probably something we may need to improve since lots of others would expect installing the package to work. I suspect meta/recipes-core/images/core-image-ptest.bb setting IMAGE_INSTALL:append = " ${MCNAME}-ptest openssh" will be the cause. I don't really time to spend thinking about this now unfortunately as there will be other priorities for the release. Cheers, Richard
Richard Purdie <richard.purdie@linuxfoundation.org> writes: > Some further related warnings: > > https://autobuilder.yoctoproject.org/typhoon/#/builders/23/builds/9031/steps/11/logs/warnins | stdio: WARNING: Nothing RPROVIDES 'nativesdk-openssh-config' ... ok I will reduce dependency from |-RRECOMMENDS:${PN} += "openssh-config" to |+RRECOMMENDS:${PN}-sshd:class-target += "openssh-config" | stdio: WARNING: Nothing RPROVIDES 'nativesdk-openssh-scp' ... | stdio: WARNING: Nothing RPROVIDES 'nativesdk-openssh-sshd' ... | stdio: WARNING: Nothing RPROVIDES 'nativesdk-openssh-ssh' ... are these warnings really new? Enrico
On Thu, 14 Mar 2024 at 15:57, Enrico Scholz via lists.openembedded.org <enrico.scholz=sigma-chemnitz.de@lists.openembedded.org> wrote: > | stdio: WARNING: Nothing RPROVIDES 'nativesdk-openssh-scp' ... > | stdio: WARNING: Nothing RPROVIDES 'nativesdk-openssh-sshd' ... > | stdio: WARNING: Nothing RPROVIDES 'nativesdk-openssh-ssh' ... > > are these warnings really new? They are. Warnings are not allowed to creep in and linger around, so master is always free of them (except for intermittent ptest fails, which this one isn't). Alex
To deal with system setups, sshd was configured in the following way: - sshd_config is shipped completely by OE and DISTRO_FEATURES (pam, x11) are patched in during do_install --> this is difficulty to maintain; e.g. sshd_config must be synchronized between OpenSSH releases and OE adaptations manually inserted - two different configuration files (sshd_config + sshd_config_readonly) are created; IMAGE_FEATURES decides which one is used and it is patched in a ROOTFS_COMMAND in the system --> this make it difficult for third party recipes to incorporate their changes (they have to go over both files) --> the readonly HostKey locations and algorithms are hardcoded which makes it difficult to place them e.g. on a persistent /opt partition and disable e.g. ecdsa - depending on IMAGE_FEATURES (empty passwords, root login), both files are patched by a ROOTFS_POSTCOMMAND --> these changes are lost when pkgmgmt is used for the image and openssh being updated The patchset: - reduces changes to sshd_config to | Include /etc/ssh/sshd_config.d/*.conf --> This is already the done in current recipe and most mainline Linux distributions are doing it - moves configuration in new openssh-config recipe which is a weak dependency of openssh (and can be replaced by another IMAGE_INSTALL) Recipe ships configuration as small snippets which might contain dynamically created content (e.g. 'UsePAM yes') - IMAGE_FEATURE based setup is done by creating subpackages with the corresponding options. These subpackages are added to FEATURE_PACKAGES_ssh-server-openssh - readonly rootfs setup has been enhanced by | RO_KEYDIR ??= "/var/run/ssh" | KEY_ALGORITHMS ??= "rsa ecdsa ed25519" parameters which can be overridden. Enrico Scholz (7): openssh: replace complete configuration files by patch openssh-config: initial checkin openssh: move configuration tweaking in configuration recipe image: prepare openssh configuration openssh: replace 'allow-empty-password' rootfs scipt by configuration openssh: replace 'allow-root-login' rootfs scipt by configuration openssh: move read-only-rootfs setup in configuration snippet meta/classes-recipe/core-image.bbclass | 19 ++- .../rootfs-postcommands.bbclass | 25 +--- .../openssh/openssh-config.bb | 51 ++++++++ .../60-allow-empty-password.conf | 1 + .../openssh-config/60-allow-root-login.conf | 1 + .../openssh/openssh-config/80-oe.conf | 5 + .../openssh/openssh/include-conf.patch | 32 +++++ .../openssh/openssh/ssh_config | 48 ------- .../openssh/openssh/sshd_config | 119 ------------------ .../openssh/openssh_9.6p1.bb | 20 +-- 10 files changed, 112 insertions(+), 209 deletions(-) create mode 100644 meta/recipes-connectivity/openssh/openssh-config.bb create mode 100644 meta/recipes-connectivity/openssh/openssh-config/60-allow-empty-password.conf create mode 100644 meta/recipes-connectivity/openssh/openssh-config/60-allow-root-login.conf create mode 100644 meta/recipes-connectivity/openssh/openssh-config/80-oe.conf create mode 100644 meta/recipes-connectivity/openssh/openssh/include-conf.patch delete mode 100644 meta/recipes-connectivity/openssh/openssh/ssh_config delete mode 100644 meta/recipes-connectivity/openssh/openssh/sshd_config