The main system's ssh keys should not be exposed (that's the whole point in encrypting the root partition). A way to accomplish this should at least be documented. Maybe it should even be the default behaviour.
To currently do this you need to:

1. uninstall `tinyssh-convert` if already installed
2. remove `/etc/tinyssh/sshkeydir/` if already existing
3. run `tinysshd-makekey /etc/tinyssh/sshkeydir/` to generate unique keys
4. change the tinysshd ssh port so ssh doesn't complain about a changed host key. So create `/etc/systemd/system/initrd-tinysshd.service.d/override.conf` containing:

```ini
[Service]
Environment=SSHD_PORT=1234
```

5. regenerate the init image; mkinitcpio will complain about `tinyssh-convert` not existing, but that's exactly what we want here
6. to unlock, now remember to use the changed port: `ssh -p 1234 root@server`
The error message when generating the image should be removed or at least changed to a warning.
I think the most elegant solution would be to put the conversion into a separate service and maybe provide a file in config for the port.
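The exposure described in this issue (the initramfs tinyssh host key being a copy of the main system's OpenSSH host key) can be checked for directly. The following is an added example, not code from the issue or from the mkinitcpio-systemd-tool project. It assumes tinyssh's key-directory layout, where `ed25519.pk` is the raw 32-byte ed25519 public key, and the OpenSSH public-key line format `ssh-ed25519 <base64> [comment]`, whose base64 blob is the SSH wire encoding (length-prefixed algorithm name followed by the length-prefixed 32-byte key). The file paths in the comments are the usual defaults and are assumptions.

```shell
#!/bin/sh
# Added example (not from the issue): detect whether the tinyssh key directory
# reuses the main system's OpenSSH ed25519 host key, i.e. whether the key that
# lives in the unencrypted initramfs is the same key that protects the real host.
# Assumes tinyssh's layout (ed25519.pk = raw 32-byte public key) and the OpenSSH
# "ssh-ed25519 <base64> [comment]" public-key line format.

# Print the raw 32-byte ed25519 public key from an OpenSSH .pub file.
# The base64 blob is the SSH wire encoding: 4-byte length + "ssh-ed25519",
# then 4-byte length + the 32-byte key, so the key is the last 32 bytes.
openssh_raw_pubkey() {
    awk '$1 == "ssh-ed25519" { print $2; exit }' "$1" | base64 -d | tail -c 32
}

# Exit status 0: tinyssh key is identical to the OpenSSH host key (exposed).
# Exit status 1: the keys differ (initramfs has its own key, as the issue wants).
# Exit status 2: one of the files is missing or unreadable.
# Arguments: path to the OpenSSH .pub file (assumed default
# /etc/ssh/ssh_host_ed25519_key.pub) and the tinyssh key directory
# (assumed default /etc/tinyssh/sshkeydir).
tinyssh_key_shared_with_host() {
    openssh_pub="$1"
    tinyssh_dir="$2"
    [ -r "$openssh_pub" ] && [ -r "$tinyssh_dir/ed25519.pk" ] || return 2
    # cmp returns 0 when both byte strings match, 1 when they differ.
    openssh_raw_pubkey "$openssh_pub" | cmp -s - "$tinyssh_dir/ed25519.pk"
}

# Human-readable wrapper suitable for a post-install hook or an audit script.
report_tinyssh_key_status() {
    if tinyssh_key_shared_with_host "$1" "$2"; then
        echo "EXPOSED: $2/ed25519.pk equals the host key in $1"
        return 0
    fi
    rc=$?
    [ "$rc" -eq 2 ] && { echo "SKIP: key files not found"; return 2; }
    echo "OK: initramfs tinyssh key differs from the host key"
    return 1
}
```

Running `report_tinyssh_key_status /etc/ssh/ssh_host_ed25519_key.pub /etc/tinyssh/sshkeydir` after regenerating the image tells you whether the steps above actually took effect; a result of `EXPOSED` means `tinyssh-convert` (or a leftover key directory) still copied the host key into the initramfs.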
you are welcome to send a PR for a new unit,
to be named, say initrd-tinysshd-secure.service,
which can rely on new support functions (keys re-gen, key cleanup, etc)
to be stored in initrd-build.sh
I think that the conversion should not be done automatically at all. This should be a user choice from the start, and also there is no point in running the conversion at each initramfs generation.