[Pkg-raspi-maintainers] Generating ssh keys on first boot of the image

Michael Stapelberg stapelberg at debian.org
Mon Mar 27 06:25:40 UTC 2017


Thanks for the hint. I think it would make sense to fix this in
vmdebootstrap itself, because it isn’t a Raspberry Pi-specific issue.

On Fri, Mar 24, 2017 at 7:09 PM, Valentin Lorentz <progval at progval.net>
wrote:

> Hi,
>
> I could not check it because I do not have a serial console, but it
> looks like the preview image in
> https://people.debian.org/~stapelberg/raspberrypi3/2017-03-22/ contains
> SSH keys, and they are not generated on first boot.
> This means that all systems installed from this image will have the same
> private keys, which is highly insecure.
>
> I suggest that you generate SSH keys on first boot.
>
>
> I wrote a systemd service able to do that, which I successfully tested
> on regular Debian with only Raspbian's kernel (compiled from
> https://github.com/raspberrypi/linux in arm64 mode) in order to get HDMI
> output.
>
> To use it, you have to:
> * copy the attached .service file to /etc/systemd/system/
> * copy the attached rng-tools file to /etc/default/ (in order to use the
> Raspi's hardware random number generator),
> * add rng-tools to the list of packages installed by vmdebootstrap, and
> * run this command in customize-rpi3.sh:
>   chroot ${rootdir} systemctl enable regen-ssh-keys
>
> This last command is used to make the ssh server depend on this new
> service. For homogeneity with your current customize-rpi3.sh, you may
> want to use “ln -s” instead (or add
> RequiredBy=systemd-remount-fs.service to your resizerootfs and use
> systemctl enable).
>
> Best regards,
> Valentin


-- 
Best regards,
Michael
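The procedure Valentin describes (a regen-ssh-keys unit ordered before sshd, rng-tools pointed at the hardware RNG, and `chroot ${rootdir} systemctl enable` from customize-rpi3.sh), written out as an added example; this is not the attachment from the thread or vmdebootstrap's own code. It assumes the target runs openssh-server as ssh.service, that rng-tools' init script shows up as rng-tools.service, that the Pi's hardware RNG is /dev/hwrng, and that the function is called from an image build running as root.

```shell
#!/bin/sh
# Added example: install a first-boot SSH host key regeneration unit into a
# vmdebootstrap root directory, the way a customize hook would.
# Assumed names: ssh.service, rng-tools.service, /dev/hwrng (not from the thread).
set -eu

install_regen_ssh_keys() {
    rootdir=$1
    mkdir -p "$rootdir/etc/systemd/system" "$rootdir/etc/default" "$rootdir/etc/ssh"

    # Remove any host keys baked into the image so no two boards share them.
    rm -f "$rootdir"/etc/ssh/ssh_host_*_key "$rootdir"/etc/ssh/ssh_host_*_key.pub

    cat > "$rootdir/etc/systemd/system/regen-ssh-keys.service" <<'EOF'
[Unit]
Description=Regenerate SSH host keys on first boot
# Only run while the system still has no host keys.
ConditionPathExists=!/etc/ssh/ssh_host_ed25519_key
# Wait for the hardware RNG feeder so keys are not drawn from a cold entropy pool.
After=rng-tools.service
Wants=rng-tools.service
# sshd must not start before the keys exist.
Before=ssh.service

[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/usr/bin/ssh-keygen -A

[Install]
WantedBy=ssh.service
EOF

    # Point rng-tools at the Raspberry Pi's hardware RNG (assumed device path).
    cat > "$rootdir/etc/default/rng-tools" <<'EOF'
HRNGDEVICE=/dev/hwrng
EOF

    # Enable the unit inside the image; only possible as root with a real rootfs.
    if [ "$(id -u)" -eq 0 ] && [ -x "$rootdir/bin/systemctl" ]; then
        chroot "$rootdir" systemctl enable regen-ssh-keys
    fi
}
```

Because the unit is conditioned on the ed25519 key being absent, a board whose keys were already generated boots straight into sshd on later starts.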