[Pkg-raspi-maintainers] Generating ssh keys on first boot of the image

Val Lorentz progval at progval.net
Fri Mar 24 18:29:54 UTC 2017


Oh, I forgot: customize-rpi3.sh also has to rm -f $ROOTDIR/etc/ssh/ssh_host_*

On 24/03/2017 19:09, Valentin Lorentz wrote:
> Hi,
> 
> I could not check it because I do not have a serial console, but it
> looks like the preview image in
> https://people.debian.org/~stapelberg/raspberrypi3/2017-03-22/ contains
> SSH keys, and they are not generated on first boot.
> This means that all systems installed from this image will have the same
> private keys, which is highly insecure.
> 
> I suggest that you generate SSH keys on first boot.
> 
> 
> I wrote a systemd service able to do that, which I successfully tested
> on regular Debian with only Raspbian's kernel (compiled from
> https://github.com/raspberrypi/linux in arm64 mode) in order to get HDMI
> output.
> 
> To use it, you have to:
> * copy the attached .service file to /etc/systemd/system/
> * copy the attached rng-tools file to /etc/default/ (in order to use the
> Raspi's hardware random number generator),
> * add rng-tools to the list of packages installed by vmdebootstrap, and
> * run this command in customize-rpi3.sh:
>   chroot ${rootdir} systemctl enable regen-ssh-keys
> 
> This last command is used to make the ssh server depend on this new
> service. For homogeneity with your current customize-rpi3.sh, you may
> want to use “ln -s” instead (or add
> RequiredBy=systemd-remount-fs.service to your resizerootfs and use
> systemctl enable).
> 
> Best regards,
> Valentin
> 
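The build-time steps described in the quoted message, as an added example (this is not the .service or rng-tools file attached to the mail): a POSIX shell snippet that scrubs baked-in host keys from the image root, writes a first-boot key regeneration unit, and enables it by symlink instead of chroot as the mail suggests. The unit contents, the use of ssh-keygen -A and the ssh.service unit name are assumptions.

```shell
#!/bin/sh
set -eu

# Remove any host keys baked into the image (the rm -f from the mail).
scrub_host_keys() {
    rootdir="$1"
    rm -f "$rootdir"/etc/ssh/ssh_host_*
}

# Return 0 if no ssh_host_* files remain under the root, 1 otherwise.
no_host_keys() {
    rootdir="$1"
    for f in "$rootdir"/etc/ssh/ssh_host_*; do
        [ -e "$f" ] && return 1
    done
    return 0
}

# Write a oneshot unit that runs before sshd and only while keys are missing.
# Unit content is an assumption, not the .service file attached to the mail.
write_regen_unit() {
    rootdir="$1"
    mkdir -p "$rootdir/etc/systemd/system"
    cat > "$rootdir/etc/systemd/system/regen-ssh-keys.service" <<'EOF'
[Unit]
Description=Regenerate SSH host keys on first boot
Before=ssh.service
ConditionPathExistsGlob=!/etc/ssh/ssh_host_*_key

[Service]
Type=oneshot
ExecStart=/usr/bin/ssh-keygen -A

[Install]
RequiredBy=ssh.service
EOF
}

# Equivalent of "chroot $rootdir systemctl enable regen-ssh-keys", done with
# ln -s as the mail suggests, so no chroot is needed while building.
enable_regen_unit() {
    rootdir="$1"
    mkdir -p "$rootdir/etc/systemd/system/ssh.service.requires"
    ln -sf ../regen-ssh-keys.service \
        "$rootdir/etc/systemd/system/ssh.service.requires/regen-ssh-keys.service"
}
```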
