Compare commits

4 Commits

Author SHA1 Message Date
b43e8319f4 systemd: sshd: Disable ssh-keygen
The default _sshd.service_ unit runs `ssh-keygen -A` in `ExecStartPre`,
to ensure host keys exist before starting the SSH daemon.
Unfortunately, this tool does _not_ respect the `HostKey` settings in
`sshd_config`, and unconditionally tries to create the key files in
`/etc/ssh`.  Since this directory is not writable, the command fails,
preventing the SSH daemon from starting.
2025-01-02 12:57:31 -06:00
f914df7866 build-rootfs: Relocate misplaced PAM libs
Some packages, notably _systemd_, place their PAM modules in
`/usr/lib64/security` instead of `/usr/lib/security`.  PAM only seems to
look in the latter location, though, so anything in the former needs to
be moved in order to be used.
2025-01-02 12:57:14 -06:00
5bce7dfab3 build-rootfs: Copy GCC libs to target
Software written in C++ typically depends on `libstdc++.so.6` and
`libgcc_s.so.1`.  These library dependencies are implicit, as Gentoo
expects GCC to be installed as part of the _@system_ set.  Since that
set does not get installed in the target root, anything that depends on
those libraries will not function.

Rather than install _sys-devel/gcc_ in the target environment to get
those libraries, we can copy ones built by `crossdev` manually.  This
way, we do not end up with a full C compiler and development toolchain
in the target environment, while still making the libraries available
for applications that need them.
2024-12-30 13:15:00 -06:00
c30da6a5ff prepare: disable preserve-libs for glibc
Since installing _sys-libs/glibc_ in the crossdev root overwrites the
libraries built by crossdev, Portage records the latter as needing to be
protected.  This results in _everything_ being pulled in to
@preserved-rebuild, which ultimately does nothing since the preserved
library is never replaced.  To avoid this pointlessness, we need to
disable the _preserve-libs_ feature when reinstalling _glibc_.

We also disable _protect-owned_ to avoid spam from Portage when
initially overwriting the libraries and headers in the crossdev root.
2024-12-29 15:02:25 -06:00
3 changed files with 16 additions and 1 deletions

@@ -76,11 +76,24 @@ if [ -f /mnt/gentoo/etc/udev/hwdb.bin ]; then
mv /mnt/gentoo/etc/udev/hwdb.bin /mnt/gentoo/usr/lib/udev/ mv /mnt/gentoo/etc/udev/hwdb.bin /mnt/gentoo/usr/lib/udev/
fi fi
gccver=$(qlist -I -F '%{PV}' cross-${target}/gcc | sed 's/[^0-9].*//')
for lib in \
libstdc++ \
libgcc_s \
; do
cp /usr/lib/gcc/${target}/${gccver}/${lib}.so.* /mnt/gentoo/usr/lib64/
done
qemu-${target%%-*} \ qemu-${target%%-*} \
/mnt/gentoo/usr/sbin/ldconfig \ /mnt/gentoo/usr/sbin/ldconfig \
-r /mnt/gentoo \ -r /mnt/gentoo \
-f /mnt/gentoo/etc/ld.so.conf -f /mnt/gentoo/etc/ld.so.conf
if [ -d /mnt/gentoo/lib64/security ]; then
find /mnt/gentoo/lib64/security -name 'pam_*.so' \
-exec mv -t /mnt/gentoo/lib/security {} +
fi
rm -f /mnt/gentoo/lib/tmpfiles.d/provision.conf rm -f /mnt/gentoo/lib/tmpfiles.d/provision.conf
systemd-tmpfiles --root=/mnt/gentoo -E --exclude-prefix=/var --create systemd-tmpfiles --root=/mnt/gentoo -E --exclude-prefix=/var --create
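Review bot: `gccver` from the added `gccver=$(qlist ... | sed 's/[^0-9].*//')` line goes into the `cp` source path unchecked. If `qlist` prints nothing, or more than one installed version, for `cross-${target}/gcc`, the path `/usr/lib/gcc/${target}/${gccver}/${lib}.so.*` does not resolve and the `cp` fails; whether that stops the build depends on error handling that is not visible in this hunk. Suggest failing explicitly when `gccver` is empty or spans several lines, and quoting the variable expansions. The `sed` keeps only the leading digits, so the code assumes the GCC library directory is named by major version alone; a one-line comment saying so would help. In the PAM block, `mv -t /mnt/gentoo/lib/security` assumes that directory already exists; a `mkdir -p` ahead of the `find` would remove the dependency on which packages happened to create it.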

@@ -0,0 +1,2 @@
[Service]
ExecStartPre=
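Review bot: the empty `ExecStartPre=` resets the unit's whole pre-start list, not only `ssh-keygen -A`, and the drop-in has no comment saying why. Suggest a comment line above it stating that host key generation is disabled on purpose because `/etc/ssh` is not writable, and naming what provisions the keys at the configured `HostKey` paths, since after this override nothing in the unit guarantees they exist before sshd starts.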

@@ -42,7 +42,7 @@ if [ ! -f portage/make.conf/10-crossdev.conf ]; then
> "${O}"/portage/etc/portage/make.conf/10-crossdev.conf > "${O}"/portage/etc/portage/make.conf/10-crossdev.conf
fi fi
FEATURES="${FEATURES}" \ FEATURES="${FEATURES} -preserve-libs -protect-owned" \
PKGDIR="${PKGDIR}" \ PKGDIR="${PKGDIR}" \
${target}-emerge -bk1nvj sys-libs/glibc ${target}-emerge -bk1nvj sys-libs/glibc
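Review bot: the `-preserve-libs -protect-owned` added on the `FEATURES=` line has no comment in the script, and `-protect-owned` switches off Portage's file-collision protection for this run. Keeping it scoped to the single `${target}-emerge -bk1nvj sys-libs/glibc` invocation through the environment prefix is the right shape; suggest a comment above the line explaining that both features are disabled only because glibc deliberately overwrites the crossdev-built libraries and headers, so the setting is not later widened to other packages or moved into make.conf.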