Store SSH host keys in /var/lib/ssh
For some reason, when OverlayFS is mounted at `/etc/ssh`, SELinux prevents both `sshd` and `ssh-keygen` from accessing the files there. The AVC denials indicate that (some part of) the process is running in the `mount_t` domain, which is not allowed to read or write `sshd_key_t` files. To work around this issue without granting `mount_t` overly permissive access, we now configure the SSH daemon to read host keys from the persistent data volume directly, instead of "tricking" it with OverlayFS. The `ssh-keygen` tool does not read the `HostKey` options from `sshd_config`, though, so it has to be explicitly instructed to create keys in this alternate location. By using a systemd template unit with `ConditionPathExists`, we avoid regenerating the keys on every boot, since the `ssh-keygen` command is only run if the file does not already exist.master
parent
f2d6db5af1
commit
301589af22
@ -1,3 +1 @@
|
||||||
PARTLABEL=dch-data /var btrfs subvol=var,nosuid,noexec,nodev 0 2
|
PARTLABEL=dch-data /var btrfs subvol=var,nosuid,noexec,nodev 0 2
|
||||||
PARTLABEL=dch-data /run/etc btrfs subvol=etc,nosuid,noexec,nodev 0 0
|
|
||||||
overlay /etc/ssh overlay lowerdir=/etc/ssh,upperdir=/run/etc/rw/ssh,workdir=/run/etc/.work,x-systemd.requires=run-etc.mount 0 0
|
|
||||||
|
|
|
@ -0,0 +1,16 @@
|
||||||
|
PasswordAuthentication no
|
||||||
|
|
||||||
|
UsePAM yes
|
||||||
|
PrintMotd no
|
||||||
|
PrintLastLog no
|
||||||
|
|
||||||
|
Subsystem sftp /usr/lib64/misc/sftp-server
|
||||||
|
|
||||||
|
AcceptEnv LANG LC_ALL LC_COLLATE LC_CTYPE LC_MESSAGES LC_MONETARY LC_NUMERIC LC_TIME LANGUAGE LC_ADDRESS LC_IDENTIFICATION LC_MEASUREMENT LC_NAME LC_PAPER LC_TELEPHONE
|
||||||
|
AcceptEnv COLORTERM
|
||||||
|
|
||||||
|
HostKey /var/lib/ssh/ssh_host_rsa_key
|
||||||
|
HostKey /var/lib/ssh/ssh_host_ecdsa_key
|
||||||
|
HostKey /var/lib/ssh/ssh_host_ed25519_key
|
||||||
|
|
||||||
|
Include /etc/ssh/sshd_config.d/*.conf
|
|
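Review bot: `PasswordAuthentication no` combined with `UsePAM yes` still leaves keyboard-interactive authentication enabled (OpenSSH defaults `KbdInteractiveAuthentication yes`), so a PAM stack that contains a password module can still prompt for and accept passwords over SSH. Add `KbdInteractiveAuthentication no` next to `PasswordAuthentication no` (on OpenSSH older than 8.7 the option is spelled `ChallengeResponseAuthentication no`). Note also that sshd keeps the first value it sees for an option, so with `Include /etc/ssh/sshd_config.d/*.conf` at the bottom no drop-in can relax the settings above it; if that is intentional a comment such as `# Include is last on purpose: drop-ins may only add, not override` would save the next reader a surprise, otherwise move the Include to the top as distributions usually do.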
@ -14,4 +14,4 @@ enable systemd-networkd.socket
|
||||||
disable getty@.service
|
disable getty@.service
|
||||||
|
|
||||||
enable sshd.socket
|
enable sshd.socket
|
||||||
enable ssh-keygen.service
|
enable ssh-keygen.target
|
||||||
|
|
|
@ -1,9 +0,0 @@
|
||||||
[Unit]
|
|
||||||
Description=Generate SSH host keys
|
|
||||||
|
|
||||||
[Service]
|
|
||||||
Type=oneshot
|
|
||||||
ExecStart=/usr/bin/ssh-keygen -A
|
|
||||||
|
|
||||||
[Install]
|
|
||||||
WantedBy=sshd@.service
|
|
|
@ -0,0 +1,7 @@
|
||||||
|
[Unit]
|
||||||
|
Wants=ssh-keygen@rsa.service
|
||||||
|
Wants=ssh-keygen@ecdsa.service
|
||||||
|
Wants=ssh-keygen@ed25519.service
|
||||||
|
|
||||||
|
[Install]
|
||||||
|
WantedBy=multi-user.target
|
|
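Review bot: Nothing orders host-key generation before sshd can be spawned now that the `After=ssh-keygen.service` drop-in is removed: this target is only pulled in by multi-user.target, while `sshd.socket` is enabled independently and can accept a connection — starting an `sshd@` instance that finds no host keys in /var/lib/ssh — before the three `ssh-keygen@` instances finish on first boot. A target implicitly gets `After=` on the units it `Wants=`, so adding `Before=sshd.socket` to this `[Unit]` section is enough to close the window; alternatively give `sshd@.service` a drop-in with `After=ssh-keygen.target`. The file name of this unit is not visible here; it is assumed to be the `ssh-keygen.target` the presets enable.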
@ -0,0 +1,11 @@
|
||||||
|
[Unit]
|
||||||
|
Description=Generate SSH %I host key
|
||||||
|
ConditionPathExists=!%S/ssh/ssh_host_%I_key
|
||||||
|
|
||||||
|
[Service]
|
||||||
|
Type=oneshot
|
||||||
|
StateDirectory=ssh
|
||||||
|
ExecStart=/usr/bin/ssh-keygen -t %I -f %S/ssh/ssh_host_%I_key -N ''
|
||||||
|
|
||||||
|
[Install]
|
||||||
|
WantedBy=sshd-keygen.target
|
|
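Review bot: Since this change exists to sidestep an SELinux denial, the new location needs a matching file context: keys written under `%S/ssh` (/var/lib/ssh) will presumably receive the default label for /var/lib rather than `sshd_key_t`, and nothing in this commit adds a file_contexts/`semanage fcontext` entry or runs `restorecon`, so confirm (in permissive mode, watching for AVCs) that `sshd_t` is allowed to read what `ssh-keygen` creates there. `WantedBy=sshd-keygen.target` in `[Install]` does not match the `ssh-keygen.target` that the presets enable; the instances are already pulled in by the target's `Wants=`, so the line is dead and should be dropped or corrected to `WantedBy=ssh-keygen.target`. Finally, `ConditionPathExists=!%S/ssh/ssh_host_%I_key` means every already-deployed device mints a fresh host key on its first boot after this update (clients will see a changed host key) while the old private keys stay readable in the now-unmounted `etc` subvolume; either copy the existing keys into /var/lib/ssh before this unit runs to keep the identity, or explicitly delete the stale copies.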
@ -1,2 +0,0 @@
|
||||||
[Unit]
|
|
||||||
After=ssh-keygen.service
|
|
|
@ -26,9 +26,6 @@ format_dev() {
|
||||||
mkfs.btrfs "${dev}" || exit
|
mkfs.btrfs "${dev}" || exit
|
||||||
|
|
||||||
mount "${dev}" "${tmpdir}" || exit
|
mount "${dev}" "${tmpdir}" || exit
|
||||||
btrfs subvolume create "${tmpdir}"/etc || exit
|
|
||||||
mkdir -p "${tmpdir}"/etc/.work "${tmpdir}"/etc/rw || exit
|
|
||||||
mkdir -p "${tmpdir}"/etc/rw/ssh
|
|
||||||
btrfs subvolume create "${tmpdir}"/var || exit
|
btrfs subvolume create "${tmpdir}"/var || exit
|
||||||
btrfs subvolume create "${tmpdir}"/var/log || exit
|
btrfs subvolume create "${tmpdir}"/var/log || exit
|
||||||
umount "${dev}" || exit
|
umount "${dev}" || exit
|
||||||
|
|