
Keep ssh config

Open yablacky opened this issue 3 years ago • 1 comments

The -p prepare option is very useful to reduce the size of the shrunk image. Unfortunately it removes ssh host keys, after which it is not possible to connect to a running image with ssh.

Removing host keys renders the shrunk image incompatible compared to the original unshrunk image. Host keys are not garbage and should not by default be removed like temp files, logs etc.

This pull request adds functionality to prepare without removing host keys. The existing option -p is changed and will no longer remove host keys. The new option -P prepares with removing host keys like -p did before.

yablacky avatar Sep 04 '20 15:09 yablacky

LGTM :+1:

framps avatar Sep 04 '20 18:09 framps

AFAICT, the main use case for -P would be for images intended for distribution and/or "cloning" purposes, while -p would be used for "private" images (e.g. backups) in which one wishes to maintain the identity of the machine after restoring.

In that case, maybe we should also remove /etc/machine-id when -P is used?

From the docs:

> The machine ID is usually generated from a random source during system installation or first boot and stays constant for all subsequent boots.
>
> (...) This ID uniquely identifies the host. It should be considered "confidential", and must not be exposed in untrusted environments, in particular on the network.
>
> (...) For operating system images which are created once and used on multiple machines (...), /etc/machine-id should be either missing or an empty file in the generic file system image

Note this:

> If /etc/machine-id does not exist, this is a first boot
>
> (...) units with ConditionFirstBoot=yes will be run.

... so if ConditionFirstBoot=yes triggers generation of ssh host keys (I haven't checked), this would solve the issue of regenerating the host keys that affects the usage of -P (#224, #176, #51)

cpascual avatar Oct 20 '22 05:10 cpascual

> if ConditionFirstBoot=yes triggers generation of ssh host keys

I just checked (I added `echo "uninitialized" > $mountdir/etc/machine-id` to the code of the -P option) and it works fine to force a regeneration of the machine-id, but it does not trigger regeneration of the host keys.

cpascual avatar Oct 20 '22 11:10 cpascual
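
An added example, not part of this pull request or of PiShrink: a shell check that reports the per-host identity material discussed in this thread (SSH private host keys and a populated /etc/machine-id) in a mounted image root before the image is distributed. The function names, output labels and the sample tree are assumptions made for illustration.

```shell
#!/usr/bin/env bash
# Added example (not PiShrink code): report per-host identity material left in
# a mounted image root before the image is distributed or cloned.
# Function names and output labels are hypothetical.

audit_image_identity() {
    local root="${1%/}" findings=0 key rel id
    # Private host keys: every clone would present the same SSH identity.
    for key in "$root"/etc/ssh/ssh_host_*_key; do
        [ -e "$key" ] || continue            # glob matched nothing
        rel=${key#"$root"}
        echo "HOSTKEY $rel"
        findings=$((findings + 1))
    done
    # machine-id: missing or empty is what the quoted docs ask of a generic
    # image; "uninitialized" is the value tested in the comment above.
    if [ ! -e "$root/etc/machine-id" ]; then
        echo "MACHINE-ID missing"
    else
        id=$(tr -d '[:space:]' < "$root/etc/machine-id")
        case "$id" in
            "")            echo "MACHINE-ID empty" ;;
            uninitialized) echo "MACHINE-ID uninitialized" ;;
            *)             echo "MACHINE-ID set"      # the ID itself is never printed
                           findings=$((findings + 1)) ;;
        esac
    fi
    [ "$findings" -eq 0 ]                    # exit status 0 only for a clean image
}

# Constructed sample tree standing in for $mountdir; all contents are dummies.
make_sample_root() {
    local root
    root=$(mktemp -d) || return 1
    mkdir -p "$root/etc/ssh"
    : > "$root/etc/ssh/ssh_host_ed25519_key"
    : > "$root/etc/ssh/ssh_host_ed25519_key.pub"
    echo "0123456789abcdef0123456789abcdef" > "$root/etc/machine-id"
    echo "$root"
}

sample=$(make_sample_root)
audit_image_identity "$sample" || echo "image still carries host identity"
rm -rf "$sample"
```

Public keys (`*.pub`) are not counted, since only the private half makes clones indistinguishable to clients.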

I'm going to consider this out of scope. Any attempts to clean up images have resulted in unintended errors for users. See #256 for more details.

Drewsif avatar Feb 14 '23 07:02 Drewsif