Linux Archive - Start ssh with systemd, not in anaconda (#824580)

Linux Archive (http://www.linux-archive.org/)

- Debian GCC (http://www.linux-archive.org/debian-gcc/)

- - Start ssh with systemd, not in anaconda (#824580) (http://www.linux-archive.org/debian-gcc/672188-start-ssh-systemd-not-anaconda-824580-a.html)

Start ssh with systemd, not in anaconda (#824580)

In this take:

1) sshd is started always, regardless of sshd boot option,
(as in s390x) with empty root password.

2) sshpw kickstart command works, so root/users passwords can be set,
but this happens in anaconda so between sshd and anaconda is run
there is root ssh access without password.

Is this ok for alpha2?
To achieve original behaviour we'll need to parse sshd option in dracut and
change sshd (and/or perhaps anaconda/sshd systemd) configuration files in dracut.
Setting passwords (at least for root) already in dracut may be needed.
I'd need to consult this with Will, or leave it to him.

Resolves: rhbz#824580
---
data/systemd/anaconda.target | 1 +
pyanaconda/sshd.py | 46 ++++-------------------------------------
2 files changed, 6 insertions(+), 41 deletions(-)

diff --git a/data/systemd/anaconda.target b/data/systemd/anaconda.target
index 983ff3b..1af847d 100644
--- a/data/systemd/anaconda.target
+++ b/data/systemd/anaconda.target
@@ -9,3 +9,4 @@ Wants=rsyslog.service
Wants=udev-settle.service
Wants=NetworkManager.service
Wants=plymouth-quit.service plymouth-quit-wait.service
+Wants=sshd.service
diff --git a/pyanaconda/sshd.py b/pyanaconda/sshd.py
index b6c9372..300d943 100644
--- a/pyanaconda/sshd.py
+++ b/pyanaconda/sshd.py
@@ -23,34 +23,16 @@ import logging
import os, sys
log = logging.getLogger("anaconda")

-import iutil
import users
from flags import flags
from constants import ROOT_PATH

-def createSshKey(algorithm, keyfile):
- path = '/etc/ssh/%s' % (keyfile,)
- argv = ['-q','-t',algorithm,'-f',path,'-C',','-N',']
- if os.access(path, os.R_OK):
- return
- log.debug("running "%s"" % (" ".join(['ssh-keygen']+argv),))
-
- so = "/tmp/ssh-keygen-%s-stdout.log" % (algorithm,)
- se = "/tmp/ssh-keygen-%s-stderr.log" % (algorithm,)
- iutil.execWithRedirect('ssh-keygen', argv, stdout=so, stderr=se)
-
def doSshd(anaconda):
- if flags.sshd:
- # we need to have a libuser.conf that points to the installer root for
- # sshpw, but after that we start sshd, we need one that points to the
- # install target.
- luserConf = users.createLuserConf(instPath="")
- handleSshPw(anaconda)
- startSsh()
- del(os.environ["LIBUSER_CONF"])
- else:
- log.info("sshd: not enabled, skipping.")
-
+ # we need to have a libuser.conf that points to the installer root for
+ # sshpw, but after that we need one that points to the install target.
+ luserConf = users.createLuserConf(instPath="")
+ handleSshPw(anaconda)
+ del(os.environ["LIBUSER_CONF"])
users.createLuserConf(ROOT_PATH)

def handleSshPw(anaconda):
@@ -70,21 +52,3 @@ def handleSshPw(anaconda):
u.createUser(ud.username, **kwargs)

del u
-
-def startSsh():
- if iutil.isS390():
- return
-
- if not iutil.fork_orphan():
- os.open("/var/log/lastlog", os.O_RDWR | os.O_CREAT, 0644)
- ssh_keys = {
- 'rsa1':'ssh_host_key',
- 'rsa':'ssh_host_rsa_key',
- 'dsa':'ssh_host_dsa_key',
- }
- for (algorithm, keyfile) in ssh_keys.items():
- createSshKey(algorithm, keyfile)
- sshd = iutil.find_program_in_path("sshd")
- args = [sshd, "-f", "/etc/ssh/sshd_config.anaconda"]
- os.execv(sshd, args)
- sys.exit(1)
--
1.7.4

_______________________________________________
Anaconda-devel-list mailing list
Anaconda-devel-list@redhat.com
https://www.redhat.com/mailman/listinfo/anaconda-devel-list

Start ssh with systemd, not in anaconda (#824580)

---
share/config_files/common/sshd_config | 18 ++++++++++++++++++
share/config_files/common/sshd_config.anaconda | 17 -----------------
share/runtime-postinstall.tmpl | 2 +-
3 files changed, 19 insertions(+), 18 deletions(-)
create mode 100644 share/config_files/common/sshd_config
delete mode 100644 share/config_files/common/sshd_config.anaconda

diff --git a/share/config_files/common/sshd_config b/share/config_files/common/sshd_config
new file mode 100644
index 0000000..c826f07
--- /dev/null
+++ b/share/config_files/common/sshd_config
@@ -0,0 +1,18 @@
+# Anaconda installer settings
+Port 22
+HostKey /etc/ssh/ssh_host_key
+HostKey /etc/ssh/ssh_host_rsa_key
+HostKey /etc/ssh/ssh_host_dsa_key
+PermitRootLogin yes
+IgnoreRhosts yes
+StrictModes yes
+X11Forwarding yes
+X11DisplayOffset 10
+PrintMotd yes
+XAuthLocation /sbin/xauth
+KeepAlive yes
+SyslogFacility AUTHPRIV
+RSAAuthentication yes
+PasswordAuthentication yes
+PermitEmptyPasswords yes
+PermitUserEnvironment yes
diff --git a/share/config_files/common/sshd_config.anaconda b/share/config_files/common/sshd_config.anaconda
deleted file mode 100644
index 0c0404c..0000000
--- a/share/config_files/common/sshd_config.anaconda
+++ /dev/null
@@ -1,17 +0,0 @@
-Port 22
-HostKey /etc/ssh/ssh_host_key
-HostKey /etc/ssh/ssh_host_rsa_key
-HostKey /etc/ssh/ssh_host_dsa_key
-PermitRootLogin yes
-IgnoreRhosts yes
-StrictModes yes
-X11Forwarding yes
-X11DisplayOffset 10
-PrintMotd yes
-XAuthLocation /sbin/xauth
-KeepAlive yes
-SyslogFacility AUTHPRIV
-RSAAuthentication yes
-PasswordAuthentication yes
-PermitEmptyPasswords yes
-PermitUserEnvironment yes
diff --git a/share/runtime-postinstall.tmpl b/share/runtime-postinstall.tmpl
index a1acea0..f2be3f4 100644
--- a/share/runtime-postinstall.tmpl
+++ b/share/runtime-postinstall.tmpl
@@ -47,7 +47,7 @@ install ${configdir}/libuser.conf etc
%endif

## set up sshd
-install ${configdir}/sshd_config.anaconda etc/ssh
+install ${configdir}/sshd_config etc/ssh
install ${configdir}/pam.sshd etc/pam.d/sshd
install ${configdir}/pam.sshd etc/pam.d/login
install ${configdir}/pam.sshd etc/pam.d/remote
--
1.7.4

_______________________________________________
Anaconda-devel-list mailing list
Anaconda-devel-list@redhat.com
https://www.redhat.com/mailman/listinfo/anaconda-devel-list

Start ssh with systemd, not in anaconda (#824580)

On 05/29/2012 05:36 AM, Radek Vykydal wrote:

In this take:

1) sshd is started always, regardless of sshd boot option,
(as in s390x) with empty root password.

2) sshpw kickstart command works, so root/users passwords can be set,
but this happens in anaconda so between sshd and anaconda is run
there is root ssh access without password.

Is this ok for alpha2?
To achieve original behaviour we'll need to parse sshd option in dracut and
change sshd (and/or perhaps anaconda/sshd systemd) configuration files in dracut.
Setting passwords (at least for root) already in dracut may be needed.
I'd need to consult this with Will, or leave it to him.

In the s390 case we don't want anaconda to start, what we want is the
sshd server brought up, and a message displayed to the user to ssh in as
install@<host>. The install user has a shell set to launch anaconda.

What I've been playing with locally is changing what the
anaconda@.service executes. I created a simple anaconda.sh that will
just echo "Please ssh -x install@<host> to start Anaconda", and I makde
the anaconda@.service execute that. Then /sbin/anaconda gets launched
by the install user.

What we could do is a bit more of a shim in /sbin/anaconda or
/sbin/anaconda.sh or wherever. If the arch is s390, then it'll do the
echo and exit, but if it's not s390 then it'll continue on to actually
launch anaconda.

I don't think this solves the root password problem, but as you said we
can move that into dracut for parsing, so that it can be done prior to
sshd service bring up. The dracut parsing could also set a file or flag
for the sshd service to be enabled/disabled, again if s390 forcing it
on. Not quite sure what this would look like, just an idea.

--
Jesse Keating
Fedora -- Freedom² is a feature!

_______________________________________________
Anaconda-devel-list mailing list
Anaconda-devel-list@redhat.com
https://www.redhat.com/mailman/listinfo/anaconda-devel-list

Start ssh with systemd, not in anaconda (#824580)

On 05/29/2012 05:36 AM, Radek Vykydal wrote:

diff --git a/data/systemd/anaconda.target b/data/systemd/anaconda.target
index 983ff3b..1af847d 100644
--- a/data/systemd/anaconda.target
+++ b/data/systemd/anaconda.target
@@ -9,3 +9,4 @@ Wants=rsyslog.service
Wants=udev-settle.service
Wants=NetworkManager.service
Wants=plymouth-quit.service plymouth-quit-wait.service
+Wants=sshd.service

This part is fine, provided we can find some way to toggle it on/off
from dracut (if that's still desired, not sure how sshd would work if
there is no network brought up)

diff --git a/pyanaconda/sshd.py b/pyanaconda/sshd.py
index b6c9372..300d943 100644
--- a/pyanaconda/sshd.py
+++ b/pyanaconda/sshd.py
@@ -23,34 +23,16 @@ import logging
import os, sys
log = logging.getLogger("anaconda")

-import iutil
import users
from flags import flags
from constants import ROOT_PATH

-def createSshKey(algorithm, keyfile):
- path = '/etc/ssh/%s' % (keyfile,)
- argv = ['-q','-t',algorithm,'-f',path,'-C',','-N',']
- if os.access(path, os.R_OK):
- return
- log.debug("running "%s"" % (" ".join(['ssh-keygen']+argv),))
-
- so = "/tmp/ssh-keygen-%s-stdout.log" % (algorithm,)
- se = "/tmp/ssh-keygen-%s-stderr.log" % (algorithm,)
- iutil.execWithRedirect('ssh-keygen', argv, stdout=so, stderr=se)
-
def doSshd(anaconda):
- if flags.sshd:
- # we need to have a libuser.conf that points to the installer root for
- # sshpw, but after that we start sshd, we need one that points to the
- # install target.
- luserConf = users.createLuserConf(instPath="")
- handleSshPw(anaconda)
- startSsh()
- del(os.environ["LIBUSER_CONF"])
- else:
- log.info("sshd: not enabled, skipping.")
-
+ # we need to have a libuser.conf that points to the installer root for
+ # sshpw, but after that we need one that points to the install target.
+ luserConf = users.createLuserConf(instPath="")
+ handleSshPw(anaconda)
+ del(os.environ["LIBUSER_CONF"])
users.createLuserConf(ROOT_PATH)

def handleSshPw(anaconda):
@@ -70,21 +52,3 @@ def handleSshPw(anaconda):
u.createUser(ud.username, **kwargs)

del u
-
-def startSsh():
- if iutil.isS390():
- return
-
- if not iutil.fork_orphan():
- os.open("/var/log/lastlog", os.O_RDWR | os.O_CREAT, 0644)
- ssh_keys = {
- 'rsa1':'ssh_host_key',
- 'rsa':'ssh_host_rsa_key',
- 'dsa':'ssh_host_dsa_key',
- }
- for (algorithm, keyfile) in ssh_keys.items():
- createSshKey(algorithm, keyfile)
- sshd = iutil.find_program_in_path("sshd")
- args = [sshd, "-f", "/etc/ssh/sshd_config.anaconda"]
- os.execv(sshd, args)
- sys.exit(1)
-- 1.7.4

I'd like to see if we can do the sshd password setting from dracut,
since it needs to happen prior to anaconda launch on s390.

--
Jesse Keating
Fedora -- Freedom² is a feature!

_______________________________________________
Anaconda-devel-list mailing list
Anaconda-devel-list@redhat.com
https://www.redhat.com/mailman/listinfo/anaconda-devel-list