Perhaps we should issue a special DSA about openssh fixes in d-i
once the next point release is available? In particular, anyone
using d-i with network-console needs to make sure to update their
installation media / netboot files.
Also, network-console's copying of the ssh_host_rsa_key in
finish-install looks like it was a bad choice, because it doesn't allow
ssh to overrule the key. For lenny, it would be better if it used a
base-installer hook to install the keys before ssh got installed.
ssh's postinst will behave sanely if host keys are already present when
it's first installed: It will not overwrite them, and will check that
they're strong and prompt with debconf about overwriting them.
So, untested:
Index: debian/changelog
===================================================================
--- debian/changelog (revision 54461)
+++ debian/changelog (working copy)
@@ -1,8 +1,13 @@
network-console (1.18) UNRELEASED; urgency=low
+ [ Martin Michlmayr ]
* Change the health LED to solid blue on the HP mv2120 to indicate
when the installer is ready for ssh connections.
+ [ Joey Hess ]
+ * Install ssh keys before ssh is installed, to allow it to check them for
+ weakness.
+
-- Martin Michlmayr <tbm@cyrius.com> Mon, 14 Jul 2008 22:46:28 +0300
network-console (1.17) unstable; urgency=low
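Review bot: the new entry under [ Joey Hess ] says only that the keys are installed earlier; it should also record that the finish-install hook is dropped in favour of a post-base-installer hook, since that is the packaging-visible change. Given the stated purpose (letting ssh check the keys for weakness), urgency=low on the 1.18 header may also deserve a second look.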
Index: finish-install
===================================================================
--- finish-install (revision 54461)
+++ finish-install (working copy)
@@ -1,8 +0,0 @@
-#!/bin/sh
-set -e
-
-DIR=/etc/ssh/
-
-[ -d /target/$DIR ] || exit 0
-
-cp $DIR/ssh_host_rsa_key* /target/$DIR
Index: post-base-installer
===================================================================
--- post-base-installer (revision 0)
+++ post-base-installer (revision 0)
@@ -0,0 +1,7 @@
+#!/bin/sh
+set -e
+
+DIR=/etc/ssh/
+
+mkdir -p /target/$DIR
+cp $DIR/ssh_host_rsa_key* /target/$DIR
Property changes on: post-base-installer
___________________________________________________________________
Added: svn:executable
+ *
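Review bot: in the new post-base-installer script, `mkdir -p /target/$DIR` followed by the unconditional `cp` puts the installer's private host key into every target, whereas the removed finish-install hook had `[ -d /target/$DIR ] || exit 0` and copied only when /target/etc/ssh already existed. If ssh never gets installed on the target, the key stays behind in /target/etc/ssh; consider a cleanup step for that case, or note in the changelog that this is intended. Also, with `set -e` a glob that matches nothing makes `cp` fail and aborts the hook, so testing that the key files exist before copying would be safer, and `$DIR` should be quoted.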
Index: Makefile
===================================================================
--- Makefile (revision 54461)
+++ Makefile (working copy)
@@ -9,8 +9,8 @@
install -m755 gen-crypt network-console network-console-menu $(DESTDIR)/bin
install -d $(DESTDIR)/etc/ssh
install -m644 sshd_config $(DESTDIR)/etc/ssh
- install -d $(DESTDIR)/usr/lib/finish-install.d/
- install -m755 finish-install $(DESTDIR)/usr/lib/finish-install.d/80network-console
+ install -d $(DESTDIR)/usr/lib/post-base-installer.d/
+ install -m755 post-base-installer $(DESTDIR)/usr/lib/post-base-installer.d/80network-console
clean:
rm -f gen-crypt
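Review bot: the `80` prefix in `post-base-installer.d/80network-console` is carried over unchanged from the finish-install.d name; please confirm that this ordering is what you want among the other post-base-installer.d hooks, or add a comment saying the number is arbitrary here.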
--
see shy jo