[Pkg-raspi-maintainers] Generating ssh keys on first boot of the image

Valentin Lorentz progval at progval.net
Fri Mar 24 18:09:20 UTC 2017


I could not check it because I do not have a serial console, but it
looks like the preview image in
https://people.debian.org/~stapelberg/raspberrypi3/2017-03-22/ contains
SSH keys, and they are not generated on first boot.
This means that all systems installed from this image will have the same
private keys, which is highly insecure.

I suggest that you generate SSH keys on first boot.

I wrote a systemd service able to do that, which I successfully tested
on regular Debian with only Raspbian's kernel (compiled from
https://github.com/raspberrypi/linux in arm64 mode) in order to get HDMI

To use it, you have to:
* copy the attached .service file to /etc/systemd/system/
* copy the attached rng-tools file to /etc/default/ (in order to use the
Raspi's hardware random number generator),
* add rng-tools to the list of packages installed by vmdebootstrap, and
* run this command in customize-rpi3.sh:
  chroot ${rootdir} systemctl enable regen-ssh-keys

This last command is used to make the ssh server depend on this new
service. For homogeneity with your current customize-rpi3.sh, you may
want to use “ln -s” instead (or add
RequiredBy=systemd-remount-fs.service your resizerootfs and use
systemctl enable).

Best regards,
-------------- next part --------------
Description=OpenSSH Server Key Generation

# Do not run if keys already exist

# This service requires rng-tools to feed the random number generator,
# otherwise we may generate predictable keys without noticing it.

# sshd needs this service to be run and finished before starting
PartOf=ssh.service ssh.socket
Before=ssh.service ssh.socket

# sshd needs this service to be run and finished before starting
WantedBy=ssh.service ssh.socket

ExecStart=/usr/bin/ssh-keygen -A
-------------- next part --------------
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <http://lists.alioth.debian.org/pipermail/pkg-raspi-maintainers/attachments/20170324/d4513c92/attachment.sig>

More information about the Pkg-raspi-maintainers mailing list