Merge pull request #838 from kernelkit/add-ssh-config

Add ssh config

board/common/rootfs/usr/libexec/infix/mksshkey

@@ -0,0 +1,24 @@
+#!/bin/bash
+# Store and convert RSA PUBLIC/PRIVATE KEYs to be able to use them in
+# OpenSSHd.
+set -e
+
+NAME="$1"
+DIR="$2"
+PUBLIC="$3"
+PRIVATE="$4"
+TMP="$(mktemp)"
+
+echo -e '-----BEGIN RSA PRIVATE KEY-----' > "$DIR/$NAME"
+echo "$PRIVATE" >> "$DIR/$NAME"
+echo -e '-----END RSA PRIVATE KEY-----' >> "$DIR/$NAME"
+
+echo -e "-----BEGIN RSA PUBLIC KEY-----" > "$TMP"
+echo -e "$PUBLIC" >> "$TMP"
+echo -e "-----END RSA PUBLIC KEY-----" >> "$TMP"
+
+ssh-keygen -i -m PKCS8 -f "$TMP" > "$DIR/$NAME.pub"
+chmod 0600 "$DIR/$NAME.pub"
+chmod 0600 "$DIR/$NAME"
+chown sshd:sshd "$DIR/$NAME.pub"
+chown sshd:sshd "$DIR/$NAME"

doc/ChangeLog.md

@@ -15,6 +15,8 @@ All notable changes to the project are documented in this file.
  - Upgrade Linux kernel to 6.12.3 (LTS)
  - Add the possibility to change the boot order for the system with a
    RPC and add boot order to operational datastore.
+ - SSH Server is now configurable, issue #441
+   SSH Server and NETCONF Server now uses the same SSH hostkey in factory-config
 
 ### Fixes
 

doc/branding.md

@@ -60,14 +60,14 @@ rootfs overlay -- with a [VPD](vpd.md) you can even support several!
 ### Variables & Format Specifiers
 
 Parts of the configuration you likely always want to generated, like the
-SSH hostkey used by NETCONF, a unique hostname, or the `admin` user's
+SSH hostkey used by SSH server and NETCONF, a unique hostname, or the `admin` user's
 unique (per-device with a VPD) password hash.  This section lists the
 available keywords, see the next section for examples of how to use
 them:
 
  - **Default password hash:** `$factory$` (from VPD, .dtb, or built-in)  
    XPath: `/ietf-system:system/authentication/user/password`
- - **Default NETCONF hostkey:** `genkey` (regenerated at factory reset)  
+ - **Default SSH and NETCONF hostkey:** `genkey` (regenerated at factory reset)
    XPath: `/ietf-keystore:keystore/asymmetric-keys/asymmetric-key[name='genkey']`
  - **Hostname format specifiers:**  
    XPath: `/ietf-system:system/hostname`
@@ -221,8 +221,8 @@ $ echo "Li0tLS0tLS0uCnwgIC4gLiAgfCBJbmZpeCAtLSBhIE5ldHdvcmsgT3BlcmF0aW5nIFN5c3Rl
 
 **IETF Keystore**
 
-Notice how both the public and private keys are left empty here.  The
-`genkey` is always automatically regenerated after each factory reset.
+Notice how both the public and private keys are left empty here, this
+cause them to be always automatically regenerated after each factory reset.
 Keeping the `factory-config` snippet like this means we can use the same
 file on multiple devices, without risking them sharing the same host
 keys.  Sometimes you may want the same host keys, but that is the easy
@@ -245,8 +245,6 @@ use-case and not documented here.
   },
 ```
 
-The `genkey` is currently only used by the NETCONF SSH backend.
-
 **IETF NETCONF Server**
 
 ```json
@@ -280,6 +278,28 @@ The `genkey` is currently only used by the NETCONF SSH backend.
   },
 ```
 
+**Infix Services**
+```json
+  "infix-services:ssh": {
+    "enabled": true,
+    "hostkey": [
+      "genkey"
+    ],
+    "listen": [
+      {
+        "name": "ipv4",
+        "address": "0.0.0.0",
+        "port": 22
+      },
+      {
+        "name": "ipv6",
+        "address": "::1",
+        "port": 22
+      }
+    ]
+  }
+```
+
 
 
 Integration

doc/management.md

@@ -0,0 +1,24 @@
+# SSH Management
+
+The default SSH hostkey is generated on first boot and is used in both
+SSH and NETCONF (SSH transport). Custom keys can be added to the
+configuration in `ietf-keystore`. The ony suuported hostkey type is
+RSA for now, so the private must be `ietf-crypto-types:rsa-private-key-format` and the public key
+`ietf-crypto-types:ssh-public-key-format`
+
+## Use your own SSH hostkeys
+
+Hostkeys can be generated with OpenSSL:
+```bash
+openssl genpkey -quiet -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -outform PEM > mykey
+openssl rsa -RSAPublicKey_out < mykey > mykey.pyb
+```
+Store the keys in `ietf-keystore` _without_ the header and footer information
+created by OpenSSL.
+
+After the key has been stored in the keystore and given the name
+_mykey_ it can be added to SSH configuration:
+
+	admin@example:/> configure
+	admin@example:/config/> edit ssh
+	admin@example:/config/ssh/> set hostkey mykey

package/confd/confd.mk

@@ -4,7 +4,7 @@
 #
 ################################################################################
 
-CONFD_VERSION = 1.2
+CONFD_VERSION = 1.3
 CONFD_SITE_METHOD = local
 CONFD_SITE = $(BR2_EXTERNAL_INFIX_PATH)/src/confd
 CONFD_LICENSE = BSD-3-Clause

package/skeleton-init-finit/skeleton-init-finit.mk

@@ -146,15 +146,6 @@ endef
 SKELETON_INIT_FINIT_POST_INSTALL_TARGET_HOOKS += SKELETON_INIT_FINIT_SET_MINI_SNMPD
 endif
 
-# OpenSSH
-ifeq ($(BR2_PACKAGE_OPENSSH),y)
-define SKELETON_INIT_FINIT_SET_OPENSSH
-	cp $(SKELETON_INIT_FINIT_AVAILABLE)/sshd.conf $(FINIT_D)/available/
-	ln -sf ../available/sshd.conf $(FINIT_D)/enabled/sshd.conf
-endef
-SKELETON_INIT_FINIT_POST_INSTALL_TARGET_HOOKS += SKELETON_INIT_FINIT_SET_OPENSSH
-endif
-
 ifeq ($(BR2_PACKAGE_QUAGGA),y)
 define SKELETON_INIT_FINIT_SET_QUAGGA
 	cp $(SKELETON_INIT_FINIT_AVAILABLE)/quagga/zebra.conf $(FINIT_D)/available/

package/skeleton-init-finit/skeleton/etc/finit.d/available/sshd.conf

@@ -1,4 +1,2 @@
-task    <pid/syslogd> \
-	[S]       /usr/bin/ssh-hostkeys                        -- Verifying SSH host keys
-service <task/ssh-hostkeys/success> env:-/etc/default/sshd \
+service <pid/syslogd> env:-/etc/default/sshd \
 	[2345] /usr/sbin/sshd -D $SSHD_OPTS                    -- OpenSSH daemon

src/confd/configure.ac

@@ -1,6 +1,6 @@
 AC_PREREQ(2.61)
 # confd version is same as system YANG model version, step on breaking changes
-AC_INIT([confd], [1.2], [https://github.com/kernelkit/infix/issues])
+AC_INIT([confd], [1.3], [https://github.com/kernelkit/infix/issues])
 AM_INIT_AUTOMAKE(1.11 foreign subdir-objects)
 AM_SILENT_RULES(yes)
 
@@ -16,6 +16,7 @@ AC_CONFIG_FILES([
 	share/migrate/1.0/Makefile
 	share/migrate/1.1/Makefile
 	share/migrate/1.2/Makefile
+	share/migrate/1.3/Makefile
 	src/Makefile
 	yang/Makefile
 ])

src/confd/share/factory.d/10-infix-services.json

@@ -5,6 +5,22 @@
     "infix-services:mdns": {
 	"enabled": true
     },
+    "infix-services:ssh": {
+	"enabled": true,
+	"listen": [
+	    {
+		"name": "ipv4",
+		"address": "0.0.0.0",
+		"port": 22
+	    },
+	    {
+		"name": "ipv6",
+		"address": "::1",
+		"port": 22
+	    }
+	],
+	"hostkey": [ "genkey" ]
+    },
     "infix-services:web": {
 	"enabled": true,
 	"console": {

src/confd/share/failure.d/10-infix-services.json

@@ -10,5 +10,21 @@
 	"restconf": {
 	    "enabled": true
 	}
+    },
+    "infix-services:ssh": {
+	"enabled": true,
+	"listen": [
+	    {
+		"name": "ipv4",
+		"address": "0.0.0.0",
+		"port": 22
+	    },
+	    {
+		"name": "ipv6",
+		"address": "::1",
+		"port": 22
+	    }
+	],
+	"hostkey": [ "genkey" ]
     }
 }

src/confd/share/migrate/1.3/10-ssh-server.sh

@@ -0,0 +1,16 @@
+#!/bin/sh
+# SSH is now configurable, add default settings to configuration
+
+file=$1
+temp=${file}.tmp
+
+jq '.["infix-services:ssh"] = {
+      "enabled": true,
+      "hostkey": ["genkey"],
+      "listen": [
+        {"name": "ipv4", "address": "0.0.0.0", "port": 22},
+        {"name": "ipv6", "address": "::", "port": 22}
+      ]
+    }' "$file" > "$temp"
+
+mv "$temp" "$file"

src/confd/share/migrate/1.3/Makefile.am

@@ -0,0 +1,2 @@
+migratedir          = $(pkgdatadir)/migrate/1.3
+dist_migrate_DATA   = 10-ssh-server.sh

src/confd/share/migrate/Makefile.am

@@ -1,2 +1,2 @@
-SUBDIRS             = 1.0 1.1 1.2
+SUBDIRS             = 1.0 1.1 1.2 1.3
 migratedir          = $(pkgdatadir)/migrate

src/confd/share/test.d/10-infix-services.json

@@ -7,5 +7,21 @@
 		"restconf": {
 			"enabled": true
 		}
+    },
+    "infix-services:ssh": {
+	"enabled": true,
+	"listen": [
+	    {
+		"name": "ipv4",
+		"address": "0.0.0.0",
+		"port": 22
+	    },
+	    {
+		"name": "ipv6",
+		"address": "::",
+		"port": 22
+	    }
+	],
+	"hostkey": [ "genkey" ]
     }
 }