author | CamVan Nguyen <ctnguyen@us.ibm.com> | 2018-02-20 22:28:52 +0300 |
---|---|---|
committer | Brad Bishop <bradleyb@fuzziesquirrel.com> | 2018-03-01 17:00:34 +0300 |
commit | b6f7e109a5f18d50e1d0a09c6e5232b6300a314b (patch) | |
tree | c8cee1d076d76cd4f0f01694d88bd293f174fef5 /meta-phosphor/common | |
parent | fda75e54b2d90855e0edba27f1f94be9bf12b27d (diff) | |
dropbear: Don't load default host keys
On an ssh connection, we are getting Warning messages similar to below:
dropbear[3956]: Failed loading /etc/dropbear/dropbear_rsa_host_key
dropbear[3956]: Failed loading /etc/dropbear/dropbear_dss_host_key
dropbear[3956]: Failed loading /etc/dropbear/dropbear_ecdsa_host_key
This is because dropbearkey.service creates the RSA host key in
/var/lib/dropbear and does not create any DSS and ECDSA host keys.
And the dropbear service is started with the -r option which
points to /var/lib/dropbear/dropbear_rsa_host_key as the key to
load. However, dropbear will attempt to load any key specified
by the -r option as well as all 3 keys from the default path
/etc/dropbear. This is a change to dropbear to not load the 3
keys from /etc/dropbear by default if a key path is specified
by the dropbear -r option. This will get rid of the above Warning
messages which can fill up the log buffer in a Continuous Test
environment where many ssh connections are made.
This change has been upstreamed.
Resolves openbmc/openbmc#1340
Resolves openbmc/openbmc#1998
Change-Id: I58f8290f68a6eba7e3a77986a8ecb0ebdf321352
Signed-off-by: CamVan Nguyen <ctnguyen@us.ibm.com>
Diffstat (limited to 'meta-phosphor/common')
2 files changed, 47 insertions, 1 deletions
diff --git a/meta-phosphor/common/recipes-core/dropbear/dropbear/0001-Only-load-dropbear-default-host-keys-if-a-key-is-not.patch b/meta-phosphor/common/recipes-core/dropbear/dropbear/0001-Only-load-dropbear-default-host-keys-if-a-key-is-not.patch
new file mode 100644
index 000000000..e32baec83
--- /dev/null
+++ b/meta-phosphor/common/recipes-core/dropbear/dropbear/0001-Only-load-dropbear-default-host-keys-if-a-key-is-not.patch
@@ -0,0 +1,42 @@
+From 95eff1ca0beea55259c2cdc7f1bb9f930bf57bc8 Mon Sep 17 00:00:00 2001
+From: CamVan Nguyen <ctnguyen@us.ibm.com>
+Date: Tue, 13 Feb 2018 15:37:47 -0600
+Subject: [PATCH 1/1] Only load dropbear default host keys if a key is not
+ specified
+
+---
+ svr-runopts.c | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+diff --git a/svr-runopts.c b/svr-runopts.c
+index 8f60059..c5c2148 100644
+--- a/svr-runopts.c
++++ b/svr-runopts.c
+@@ -488,17 +488,21 @@ void load_all_hostkeys() {
+ m_free(hostkey_file);
+ }
+
++ /* Only load default host keys if a host key is not specified by the
++ * user */
++ if (0 == svr_opts.num_hostkey_files) {
+ #ifdef DROPBEAR_RSA
+- loadhostkey(RSA_PRIV_FILENAME, 0);
++ loadhostkey(RSA_PRIV_FILENAME, 0);
+ #endif
+
+ #ifdef DROPBEAR_DSS
+- loadhostkey(DSS_PRIV_FILENAME, 0);
++ loadhostkey(DSS_PRIV_FILENAME, 0);
+ #endif
+
+ #ifdef DROPBEAR_ECDSA
+- loadhostkey(ECDSA_PRIV_FILENAME, 0);
++ loadhostkey(ECDSA_PRIV_FILENAME, 0);
+ #endif
++ }
+
+ #ifdef DROPBEAR_DELAY_HOSTKEY
+ if (svr_opts.delay_hostkey) {
+--
+1.8.2.2
+
diff --git a/meta-phosphor/common/recipes-core/dropbear/dropbear_%.bbappend b/meta-phosphor/common/recipes-core/dropbear/dropbear_%.bbappend
index 51a98d424..165a19e44 100644
--- a/meta-phosphor/common/recipes-core/dropbear/dropbear_%.bbappend
+++ b/meta-phosphor/common/recipes-core/dropbear/dropbear_%.bbappend
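Review bot: Gating the default-path keys on `svr_opts.num_hostkey_files` also removes the fallback when a `-r` key fails to load: the user-supplied path is loaded before this hunk and, if a missing file there is only a warning as the quoted "Failed loading" messages suggest, a bad `-r` path now leaves no key loaded at all where it previously fell through to /etc/dropbear. That is the right direction for a BMC, since only the operator-chosen key is ever served, but it should be confirmed that the no-key path after the hunk still exits instead of starting the server, and the new comment should state the intent explicitly: `/* A key given with -r is the only key served; the /etc/dropbear defaults are deliberately not a fallback, so a bad -r path leaves no key loaded. */`. The Yoda-style `0 == svr_opts.num_hostkey_files` would read more naturally as `svr_opts.num_hostkey_files == 0`. load_all_hostkeys() starts before and continues after this hunk, so the duplicate check on the `-r` load and the no-key handling are not visible here.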
@@ -1,7 +1,11 @@
 inherit obmc-phosphor-discovery-service
+# 0001-Only-load-dropbear-default-host-keys-if-a-key-is-not.patch
+# has been upstreamed. This patch can be removed once we upgrade
+# to yocto 2.5 or later which will pull in the latest dropbear code.
 FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}:"
 SRC_URI += "file://dropbearkey.service \
- file://0001-dropbear-Add-c-command-option-to-force-a-specific-co.patch"
+ file://0001-dropbear-Add-c-command-option-to-force-a-specific-co.patch \
+ file://0001-Only-load-dropbear-default-host-keys-if-a-key-is-not.patch"
 REGISTERED_SERVICES_${PN} += "ssh:tcp:22 sftp:tcp:22" |
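Review bot: The new patch reuses the `0001-` sequence prefix already carried by `0001-dropbear-Add-c-command-option-to-force-a-specific-co.patch` in the same SRC_URI and the same FILESEXTRAPATHS directory; naming it `0002-Only-load-dropbear-default-host-keys-if-a-key-is-not.patch` keeps the sequence numbers distinct, as the convention intends. The removal comment ties the patch's lifetime to "yocto 2.5", but what actually makes it obsolete is the dropbear release that carries the upstream change, so naming that release in the comment (the commit record only says it was upstreamed) would let a maintainer drop it on a dropbear upgrade rather than waiting for a Yocto one.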