[Pkg-raspi-maintainers] Generating ssh keys on first boot of the image

Valentin Lorentz progval at progval.net
Fri Mar 24 18:09:20 UTC 2017 

Hi,

I could not check it because I do not have a serial console, but it
looks like the preview image in
https://people.debian.org/~stapelberg/raspberrypi3/2017-03-22/ contains
SSH keys, and they are not generated on first boot.
This means that all systems installed from this image will have the same
private keys, which is highly insecure.

I suggest that you generate SSH keys on first boot.


I wrote a systemd service able to do that, which I successfully tested
on regular Debian with only Raspbian's kernel (compiled from
https://github.com/raspberrypi/linux in arm64 mode) in order to get HDMI
output.

To use it, you have to:
* copy the attached .service file to /etc/systemd/system/
* copy the attached rng-tools file to /etc/default/ (in order to use the
Raspi's hardware random number generator),
* add rng-tools to the list of packages installed by vmdebootstrap, and
* run this command in customize-rpi3.sh:
  chroot ${rootdir} systemctl enable regen-ssh-keys

This last command is used to make the ssh server depend on this new
service. For homogeneity with your current customize-rpi3.sh, you may
want to use “ln -s” instead (or add
RequiredBy=systemd-remount-fs.service your resizerootfs and use
systemctl enable).

Best regards,
Valentin
-------------- next part --------------
[Unit]
Description=OpenSSH Server Key Generation

# Do not run if keys already exist
ConditionPathExistsGlob=!/etc/ssh/ssh_host_*_key

# This service requires rng-tools to feed the random number generator,
# otherwise we may generate predictable keys without noticing it.
Requires=rng-tools.service
After=rng-tools.service

# sshd needs this service to be run and finished before starting
PartOf=ssh.service ssh.socket
Before=ssh.service ssh.socket

[Install]
# sshd needs this service to be run and finished before starting
WantedBy=ssh.service ssh.socket

[Service]
EnvironmentFile=-/etc/sysconfig/sshd
ExecStart=/usr/bin/ssh-keygen -A
Type=oneshot
RemainAfterExit=yes
-------------- next part --------------
HRNGDEVICE=/dev/hwrng
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <http://lists.alioth.debian.org/pipermail/pkg-raspi-maintainers/attachments/20170324/d4513c92/attachment.sig>

More information about the Pkg-raspi-maintainers mailing list