
I'm building my custom distribution for RPi using Yocto. My distro includes an ssh server (dropbear, but the question is valid for openssh also).

One of the annoying things that I noticed is that every time I flash a newly-built image to the board, I get a new SSH host key, which in turn causes my ssh client to warn me that the server's host key has changed, and I need to remove the server's fingerprint from /etc/known_hosts.

I wonder if there is a built-in mechanism for supplying secrets for the build-system without putting them into source-control.

More specifically - is there a way to tell yocto "take this key file as the host key for dropbear/sshd"?

Avi Shukron

2 Answers


You can have a recipe that installs the key at the correct location. This key will be generated by you beforehand and "put" into an externalsrc recipe (inherit externalsrc and set EXTERNALSRC appropriately which can point to any path on the host system). The recipe lives in the version control environment you use but the key stays outside of it. Then you just add the resulting package to your image.

qschulz
  • Thanks! I didn't know about EXTERNALSRC. Is it possible for the recipe to generate a key for you, unless you override EXTERNALSRC for the recipe in your local.conf? – Avi Shukron Dec 15 '20 at 19:44
  • You can also have a recipe that generates the key for you. The plan would then be to make use of the sstate-cache. The key would stay the same until the recipe or one of its build time dependencies changes. A big downside to this is that it's hard to do key management with auto-generated keys. Also, please keep in mind that having the same private key on different devices can be a security issue. – qschulz Dec 15 '20 at 21:37
  • I couldn't get the EXTERNALSRC solution to work... When I set this variable to a key file, bitbake failed with a FILE EXISTS error, and when I set it to a directory it did not fail, but I had to export EXTERNALSRC manually in the recipe file in order to use it in do_install. All in all I didn't see a value in `externalsrc` over simply having a custom variable set in `local.conf`. – Avi Shukron Dec 18 '20 at 11:46
  • Could you give us the content of the recipe when you tried this? There's probably something you missed and we could help debug it, or at least reproduce and validate it does not work. In which case it should either be reported to the project or fixed or at least documented. – qschulz Dec 18 '20 at 19:45

I couldn't get @qschulz's solution to work, so I ended up with the following append to openssh (for dropbear only the install location and filename will be different):

# File: recipes-networking/openssh/openssh_%.bbappend
#
# Recipe for installing openssh rsa host key
#

# This variable should be set in your local.conf to point to the host private
# key file
MYDISTRO_HOST_SSH_KEY ?= ""
export MYDISTRO_HOST_SSH_KEY

# "_mydistro" override: this only runs when "mydistro" is in OVERRIDES
# (i.e. DISTRO = "mydistro").
do_install_append_mydistro() {
    # Quote the value: an empty or space-containing path must not break the test
    if [ -n "$MYDISTRO_HOST_SSH_KEY" ]; then
        install -d ${D}${sysconfdir}/ssh
        # Private host key must be owner-only, otherwise sshd refuses to load it
        install -m 0600 "$MYDISTRO_HOST_SSH_KEY" ${D}${sysconfdir}/ssh/ssh_host_rsa_key
    fi
}

FILES_${PN} += "${sysconfdir}/ssh/ssh_host_rsa_key"
Avi Shukron
  • You should add `MYDISTRO_HOST_SSH_KEY` to `BB_ENV_EXTRAWHITE` in your local.conf otherwise changes to your env variable won't trigger a rebuild of your recipe (it's not watched). c.f. https://docs.yoctoproject.org/bitbake/bitbake-user-manual/bitbake-user-manual-ref-variables.html#term-BB_ENV_EXTRAWHITE Moreover, any change to the keys won't trigger a rebuild either because it won't detect the change since it is not part of the `SRC_URI`. Your suggestion is unfortunately not fully working, or at least there are big shortcomings to it. – qschulz Dec 18 '20 at 19:43
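The two shortcomings named in the comment above (the variable is not whitelisted, and a changed key file is not part of SRC_URI, so it never triggers a rebuild) can be avoided by fetching the key as a local file. This is an added example, not code from the thread; it assumes a hypothetical variable MYDISTRO_KEY_DIR set in local.conf to a directory outside source control that holds ssh_host_rsa_key and ssh_host_rsa_key.pub.

```bitbake
# File: recipes-networking/openssh/openssh_%.bbappend
#
# Added example (not from the thread): ship a pre-generated host key that
# lives outside source control, fetched through SRC_URI so that BitBake
# checksums it and rebuilds when it changes.
#
# In local.conf (not committed), e.g.:
#   MYDISTRO_KEY_DIR = "/home/me/secrets/mydistro-keys"
#
# Uses the pre-honister "_append"/"_prepend" syntax seen elsewhere on this
# page; on honister (3.4) or newer write FILESEXTRAPATHS:prepend and
# do_install:append instead.

# Fail loudly at parse time instead of with an obscure fetch error later.
python __anonymous() {
    if not d.getVar('MYDISTRO_KEY_DIR'):
        bb.fatal("MYDISTRO_KEY_DIR must point at the directory holding the ssh host key")
}

# Let the file:// fetcher search the key directory given in local.conf.
FILESEXTRAPATHS_prepend := "${MYDISTRO_KEY_DIR}:"

# Local files in SRC_URI are part of the task hash, so editing the key
# re-runs do_unpack/do_install, unlike a bare environment variable.
SRC_URI += "file://ssh_host_rsa_key file://ssh_host_rsa_key.pub"

do_install_append() {
    install -d -m 0755 ${D}${sysconfdir}/ssh
    # Private key: owner-only, the permission sshd insists on.
    install -m 0600 ${WORKDIR}/ssh_host_rsa_key ${D}${sysconfdir}/ssh/ssh_host_rsa_key
    install -m 0644 ${WORKDIR}/ssh_host_rsa_key.pub ${D}${sysconfdir}/ssh/ssh_host_rsa_key.pub
}

# In poky's openssh recipe sshd and its configuration live in ${PN}-sshd.
FILES_${PN}-sshd += "${sysconfdir}/ssh/ssh_host_rsa_key ${sysconfdir}/ssh/ssh_host_rsa_key.pub"
```

As the thread already notes, every board flashed with this image shares the same private key, so this suits a single development board rather than a fleet.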