Store SSH host keys in /var/lib/ssh

For some reason, when OverlayFS is mounted at `/etc/ssh`, SELinux prevents access both `sshd` and `ssh-keygen` access to the files there. The AVC denials indicate that (some part of) the process is running in the `mount_t` domain, which is not allowed to read or write `sshd_key_t` files. To work around this issue, without granting `mount_t` overly-permissive access, we now configure the SSH daemon to read host keys from the persistent data volume directly, instead of "tricking" it with OverlayFS. The `ssh-keygen` tool does not read the `HostKey` options from `sshd_config`, though, so it has to be explicitly instructed to create keys in this alternate location. By using a systemd template unit with `ConditionPathExists`, we avoid regnerating the keys on every boot, since the `ssh-keygen` command is only run if the file does not already exist.
2023-03-06 14:53:08 -06:00
parent f2d6db5af1
commit 301589af22
8 changed files with 35 additions and 17 deletions
--- a/overlay/usr/libexec/init-storage
+++ b/overlay/usr/libexec/init-storage
@@ -26,9 +26,6 @@ format_dev() {
    mkfs.btrfs "${dev}" || exit

    mount "${dev}" "${tmpdir}" || exit
-    btrfs subvolume create "${tmpdir}"/etc || exit
-    mkdir -p "${tmpdir}"/etc/.work "${tmpdir}"/etc/rw || exit
-    mkdir -p "${tmpdir}"/etc/rw/ssh
    btrfs subvolume create "${tmpdir}"/var || exit
    btrfs subvolume create "${tmpdir}"/var/log || exit
    umount "${dev}" || exit