[opensuse-autoinstall] ssh_host-keys are preserved by autoinstallation despite formatting the disk
Hello,

I found a special behaviour of autoyast under LEAP 42.1 concerning ssh-keys. It seems that ssh-keys in /etc/ssh are preserved from the old existing system, even if I recreate and reformat the disk. Is it true that such a feature exists and why? Are there other configurations which are preserved?

Our constellation of several workstations is:
Leap 42.1
Kernel: 4.1.34-33-default

This malfunction became apparent when we exchanged the disks of two clients because of the different disk space needed by the two users. After a complete new installation by autoyast we found that client 1 got the ssh-keys of client 2 in /etc/ssh and vice versa.

I debugged it and I see the inverted files in chroot-scripts.log even before my post.sh script was mounted from the install server and executed. I do not explicitly generate ssh-keys in my post.sh. After installation has completed, there is a new ssh_host_ed25519_key added. So I think it is not my mistake.

zam221:/var/adm/autoinstall/logs # cat chroot-scripts.log
+ ls -lsai /etc/ssh
total 292
523490 4 drwxr-xr-x 2 root root 4096 Nov 30 12:11 .
523265 12 drwxr-xr-x 146 root root 12288 Nov 30 12:14 ..
523471 4 -rw-r--r-- 1 root root 2375 Sep 9 16:10 ldap.conf
523720 228 -rw------- 1 root root 231821 Sep 9 16:10 moduli
524087 4 -rw-r--r-- 1 root root 2996 Sep 9 16:10 ssh_config
524085 8 -rw-r----- 1 root root 4530 Sep 9 16:10 sshd_config
541861 4 -rw------- 1 root root 668 Jul 26 14:25 ssh_host_dsa_key
541862 4 -rw-r--r-- 1 root root 602 Jul 26 14:25 ssh_host_dsa_key.pub
541865 4 -rw------- 1 root root 227 Jul 26 14:25 ssh_host_ecdsa_key
541866 4 -rw-r--r-- 1 root root 174 Jul 26 14:25 ssh_host_ecdsa_key.pub
541859 4 -rw------- 1 root root 977 Jul 26 14:25 ssh_host_key
541860 4 -rw-r--r-- 1 root root 642 Jul 26 14:25 ssh_host_key.pub
541863 4 -rw------- 1 root root 1675 Jul 26 14:25 ssh_host_rsa_key
541864 4 -rw-r--r-- 1 root root 394 Jul 26 14:25 ssh_host_rsa_key.pub
+ cat /etc/ssh/ssh_host_rsa_key.pub
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCwGkPV58BpMCK2/M3jsIjEy9UD7g/J2BAOBqMj6v3
g6E/w4YQ+1zmS1OKt9hILDOEK7V1vYgybaPSgQ20JzTyJo0rlw2bpnPp7zMTmYEBblkDAvJbWrsQ64hrR
5DNy1Wv8sxVGkVOyx+rGSXgRABsNstQJCz945ysITBKcexLK+aEIAY7PvOdQdHnOFwzABSUNdZXjQrMeFN6b
KtloPPbnma+zUOyWPmBIbcqfzobgG6bUeF0tvjRVLyWh7cNTimsMZQKIoNNWcxLG8sS7fWWErTvvnGa+SHItTf
e1HoCWJWN+yuw9vqre0xl6hkxwiEIlLpe772FxFvPuQDu9VePN root@zam1188

After installation:

zam221: ls -lsai /etc/ssh
total 312
523490 4 drwxr-xr-x 2 root root 4096 Nov 30 12:14 .
523265 12 drwxr-xr-x 177 root root 12288 Dec 1 07:20 ..
523471 4 -rw-r--r-- 1 root root 2375 Sep 9 16:10 ldap.conf
523720 228 -rw------- 1 root root 231821 Sep 9 16:10 moduli
524087 4 -rw-r--r-- 1 root root 3630 Apr 14 2014 ssh_config
541907 4 -rw-r--r-- 1 root root 2996 Sep 9 16:10 ssh_config.install
541861 4 -rw------- 1 root root 668 Jul 26 14:25 ssh_host_dsa_key
541862 4 -rw-r--r-- 1 root root 602 Jul 26 14:25 ssh_host_dsa_key.pub
541865 4 -rw------- 1 root root 227 Jul 26 14:25 ssh_host_ecdsa_key
541866 4 -rw-r--r-- 1 root root 174 Jul 26 14:25 ssh_host_ecdsa_key.pub
541923 4 -rw------- 1 root root 399 Nov 30 12:14 ssh_host_ed25519_key
541924 4 -rw-r--r-- 1 root root 93 Nov 30 12:14 ssh_host_ed25519_key.pub
541859 4 -rw------- 1 root root 977 Jul 26 14:25 ssh_host_key
541860 4 -rw-r--r-- 1 root root 642 Jul 26 14:25 ssh_host_key.pub
541863 4 -rw------- 1 root root 1675 Jul 26 14:25 ssh_host_rsa_key
541864 4 -rw-r--r-- 1 root root 394 Jul 26 14:25 ssh_host_rsa_key.pub
541926 0 lrwxrwxrwx 1 root root 20 Nov 30 12:14 ssh_known_hosts -> /etc/ssh_known_hosts
524085 8 -rw-r----- 1 root root 4607 Jun 1 2015 sshd_config
541908 8 -rw-r----- 1 root root 4530 Sep 9 16:10 sshd_config.install

Can anybody explain this to me?

Thanks in advance
Kind regards

Marianne Frerichs
Juelich Supercomputing Centre (JSC)
Institute for Advanced Simulation (IAS)
Forschungszentrum Juelich GmbH
Email: M.Frerichs@fz-juelich.de

On Thu, Dec 01, 2016 at 12:07:07PM +0100, m.frerichs wrote:
> It seems that ssh-keys in /etc/ssh are preserved from the old existing system, even if I recreate and reformat the disk. Is it true that such a feature exists and why? Are there other configurations which are preserved?

Wow.. this should be configurable, but I've wanted something like this for years. We tend to re-image our hosts for upgrades or other reasons more than most likely do (we're using SLE though) and I had coded some stuff to do this years ago using a pre-install, ramdisk and then find/copy over during pre, find/copy back during chroot. Was never 100% though.

--
Mike Marion-Unix SysAdmin/Sr. Staff IT Engineer-http://www.qualcomm.com
Homer: "Oh Lisa, I'm sorry, I tried my best. I know it's hard when you discover your dad isn't perfect."
Bart: "Not perfect?!? You can say that again!"
Homer: "I'm trying to be a sensitive father you unwanted moron!"
=> Simpsons

On Dec 1, 2016, at 2:00 PM, Marion, Mike <mmarion@qualcomm.com> wrote:
> On Thu, Dec 01, 2016 at 12:07:07PM +0100, m.frerichs wrote:
>> It seems that ssh-keys in /etc/ssh are preserved from the old existing system, even if I recreate and reformat the disk. Is it true that such a feature exists and why? Are there other configurations which are preserved?
>
> Wow.. this should be configurable, but I've wanted something like this for years. We tend to re-image our hosts for upgrades or other reasons more than most likely do (we're using SLE though) and I had coded some stuff to do this years ago using a pre-install, ramdisk and then find/copy over during pre, find/copy back during chroot.

I agree that it is a useful feature, and I find it quite handy to keep the same ssh keys after reinstalling (especially when testing AutoYaST profiles), although it could be unexpected, especially if you were repurposing hardware.

It is configurable via AutoYaST:
https://doc.opensuse.org/projects/autoyast/#CreateProfile.SSHKeysAndConfig

If not configured, it defaults to copying the host keys. Looking at a y2log from a recently-installed VM, it seems that this setting screen could be shown by the installer, but is hidden by default:

2016-12-05 16:39:02 <1> install(3162) [Ruby] modules/ProductControl.rb:1025 Proposal modules: [$["name":"bootloader", "presentation_order":"20"], $["name":"hwinfo", "presentation_order":"80"], $["name":"software", "presentation_order":"30"], $["name":"default_target", "presentation_order":"70"], $["name":"firewall_stage1", "presentation_order":"95"], $["name":"ssh_import", "presentation_order":"97"], $["name":"clone", "presentation_order":"99"]]
2016-12-05 16:39:02 <1> install(3162) [Ruby] modules/ProductControl.rb:1083 Proposal module ssh_import found among disabled subproposals

Maybe a verbose install would show it? (I’d have to RTFM myself there…probably a bootloader cmdline option?)

Not sure when this setting first appeared — it’s also in the SLE 12 autoyast docs, but not the SLE 11 ones. The copy-keys feature has been around for a long time, at least since the 10.x days.

-Andrew

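A check for the situation reported in this thread, added here as an example and not part of any poster's message or of AutoYaST: it compares the host name in each host key's comment with the name the machine is supposed to have, which is how the key commented root@zam1188 stood out on zam221. The function names, the sample directory and the placeholder key bodies are constructed; it assumes the keys still carry ssh-keygen's default user@host comment.

```shell
#!/bin/sh
# Flag SSH host public keys whose comment names a different machine, as in
# the thread where zam221 held a key commented root@zam1188.

# check_imported_hostkeys <ssh_dir> <expected_short_hostname>
# Prints one line per suspicious key; prints nothing when every comment matches.
check_imported_hostkeys() {
    ssh_dir=$1
    expected=$2
    # The glob skips the protocol-1 ssh_host_key.pub, which has another layout.
    for pub in "$ssh_dir"/ssh_host_*_key.pub; do
        [ -f "$pub" ] || continue
        # Line layout: <type> <base64> [comment]; ssh-keygen defaults to user@host.
        comment=$(awk 'NF >= 3 { print $3; exit }' "$pub")
        case $comment in
            *@*) origin=${comment##*@}; origin=${origin%%.*} ;;  # short host name
            *)   continue ;;  # no user@host comment, nothing to compare
        esac
        if [ "$origin" != "$expected" ]; then
            printf '%s: comment names %s, expected %s\n' "${pub##*/}" "$origin" "$expected"
        fi
    done
}

# Constructed sample: placeholder key bodies, comments modelled on the thread.
make_sample_dir() {
    d=$(mktemp -d)
    echo 'ssh-rsa AAAAconstructedRSA root@zam1188' > "$d/ssh_host_rsa_key.pub"
    echo 'ecdsa-sha2-nistp256 AAAAconstructedECDSA root@zam1188.example.org' > "$d/ssh_host_ecdsa_key.pub"
    echo 'ssh-ed25519 AAAAconstructedED root@zam221' > "$d/ssh_host_ed25519_key.pub"
    echo '2048 65537 12345 root@zam1188' > "$d/ssh_host_key.pub"
    printf '%s\n' "$d"
}

# Demo on the constructed directory: the RSA and ECDSA keys are reported,
# the freshly generated Ed25519 key is not.
sample=$(make_sample_dir)
check_imported_hostkeys "$sample" zam221
rm -rf "$sample"
```

On a real machine the call would be `check_imported_hostkeys /etc/ssh "$(hostname -s)"`; keys whose comment was edited or removed are skipped, so an empty result is not proof that the keys were generated locally.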
participants (3)
- Andrew Daugherity
- m.frerichs
- Marion, Mike