cancel
Showing results for 
Search instead for 
Did you mean: 
Highlighted
Contributor
Contributor
2,422 Views
Registered: ‎11-17-2014

Generating a persistent ssh key

Hi,

 

I'm using Petalinux 2017.2  on a custom Zynq board and I noticed when running Petalinux that the OS generates a new SSH key set every time at start up this takes up a large amount of time and we're looking to speed up our start up time. Does anyone have a recipe or a script to generate a key one time and have it persist in a file system so the OS isn't generating new keys every time it starts up?

 

Thanks.

0 Kudos
5 Replies
Highlighted
Scholar
Scholar
2,408 Views
Registered: ‎05-28-2013

Re: Generating a persistent ssh key

By default, Petalinux boots into a ramdisk. This is good for beginners since it "resets" back to sane state each time you reboot. It is also easy to upgrade, since you can just replace the whole ramdisk image, then reboot. But the drawback, as you have noticed, is that nothing is persistent - including your SSH keys.

 

There are a variety of ways this can be addressed. In no particular order:

 

- you can generate a SSH keypair once, and incorporate it into the ramdisk (initrd/initramfs). That way it will not be generated each time you boot up. The downside of course is that you will be using the same keypair on every board... this is bad security practice, as the private key should be kept private...

 

- you can store the SSH key on non-volatile storage. This could he QSPI, SD card, or some other medium - depends what you have available on your hardware. You'd want to copy it from there into the ramdisk, prior to starting the SSH daemon. This means modifying the boot-up scripts and re-generating the ramdisk (initrd/initramfs).

 

- you can change from booting into a ramdisk/initramfs, and instead use a filesystem such as JFFS2 or UBIFS directly on your flash device. It's also possible to boot from SD card if you format it with a Unix filesystem such as ext2/3/4. In any case, changes made to the filesystem now become permanent.

 

The issue of permanent storage comes up quite frequently on this forum.

0 Kudos
Highlighted
Contributor
Contributor
2,393 Views
Registered: ‎11-17-2014

Re: Generating a persistent ssh key


@rfs613 wrote:

 

 

- you can store the SSH key on non-volatile storage. This could he QSPI, SD card, or some other medium - depends what you have available on your hardware. You'd want to copy it from there into the ramdisk, prior to starting the SSH daemon. This means modifying the boot-up scripts and re-generating the ramdisk (initrd/initramfs).

 


 

The solution you are suggesting sounds similar to a solution we used on a different OS:

We used to use QNX on the same board. We had a workaround to this issue where we would symbolically link a folder from a mounted file system in the QSPI that contained keys that were generated when the OS was booted the first time. All future boots would just generate this symbolic link and the key persisted. This workaround was easy to implement since all you had to do was add a couple lines to a build file.

 

Would it be possible to create a similar solution/recipe in Petalinux? We currently use QSPI to hold everything including a writable JFFS2 file system. Anyway you can point me to an example or tutorial on how to modify the boot-up scripts and regenerating the ramdisk or creating a link similar to the workaround we did to QNX? 

0 Kudos
Highlighted
Explorer
Explorer
2,373 Views
Registered: ‎03-22-2016

Re: Generating a persistent ssh key

This might help with what you're trying to do:

 

https://forums.xilinx.com/t5/Embedded-Linux/Not-able-to-config-IP-and-other-configuations-over-Linux-OS-boot/m-p/830704#M24220

You can modify the "load-config" script to mount the jffs filesystem and create symlinks. Because this script happens so early in the boot process, I believe that if you were to delete the /etc/dropbear directory and make it a symlink to a directory in your JFFS filesystem, dropbear would automatically look for an existing key and generate one if it doesn't find one. I've not tested that portion, but if you look at /etc/init.d/dropbear, you can figure out what it's doing on startup.

0 Kudos
Observer
Observer
409 Views
Registered: ‎07-17-2019

Re: Generating a persistent ssh key

"- you can store the SSH key on non-volatile storage. This could he QSPI, SD card, or some other medium - depends what you have available on your hardware. You'd want to copy it from there into the ramdisk, prior to starting the SSH daemon. This means modifying the boot-up scripts and re-generating the ramdisk (initrd/initramfs)."

Is there a guide or other forum post describing how to modify the boot-up scripts and regenerate the ramdisk?

0 Kudos
Highlighted
Xilinx Employee
Xilinx Employee
363 Views
Registered: ‎05-15-2018

Re: Generating a persistent ssh key

Hi @jamesickes ,

Here is some background information and methodology on how to store SSH keys on persistent storage, and modify init scripts such that the petalinux image does not generate a new key on each boot:

This sequence of steps describes how to use the flash MTD partition for persistent storage. The use case being considered is to load a previously generated
RSA key and prevent dropbear from generating a new one (the dropbear init script needs to be modified for doing this).
The Dropbear SSH server is included by default in Petalinux, and is built automatically into the rootfs.
Upon boot up, the dropbear init script (named dropbear) is placed and executes from the /etc/init.d directory.
This script has a function gen_keys(), which is responsible for generating the RSA key. If a key already exists at /etc/dropbear, the gen_keys()
function first deletes this key, and then generates a new one. Although not recommended by Xilinx officially, there might be some use cases
where this functionality is not desired (for example, when a user wants to avoid having new keys generated upon reboot, and instead loads them
from persistent storage). In such cases, a custom recipe named 'dropbear' can be added to the Petalinux project, with a custom init script that suppresses
the call to gen_keys(). When the image is built and run from the board, the new dropbear init script will run and not create new keys at /etc/dropbear.
The user can then copy over a previously generated key into this location from persistent storage.

This methodology can be dvivded into two parts:
1. Generate a RSA key (on the board or laptop) and store it in the persistent storage (QSPI Flash) on the board
2. Boot up with the modified dropbear init script, mount the QSPI Flash device on a JFFS partition, and copy over the previously stored key into /etc/dropbear

Part 1:

1. Build a normal Petalinux project and use those images to boot into the board. Default kernel config settings should include ZynqMP GQSPI as well as MTD block device support.
2. From the Linux terminal, issue dmesg | grep spi and verify that four MTD partitions were created. Follow this by cat /proc/mtd to view the partitions. We will use the 'spare' MTD partition /dev/mtd3 for persistent storage.
3. Erase /dev/mtd3 partition using flash_eraseall -j /dev/mtd3
4. Create a mount point for the flash partition: mkdir /mnt/flash_mtd3
5. Mount flash partition as JFFS2 file system: mount -t jffs2 /dev/mtdblock3 /mnt/flash_mtd3 (Note that /dev/mtdblock3 is used rather than /dev/mtd3)
6. Copy Dropbear RSA key to flash partition: cp /etc/dropbear/dropbear_rsa_host_key /mnt/flash_mtd3
7. Verify the copied key exists on the flash partition: ls /mnt/flash_mtd3
8. Unmount flash partition: umount /mnt/flash_mtd3
9. The Dropbear RSA key now resides in the persistent flash storage and can be accessed on successive boots
10. The existing Dropbear init script can be modified and used in Part 2. Copy the script (/etc/init.d/dropbear) over to your host machine.

Part 2:

1. Go back to your Petalinux project, and add a folder named 'dropbear' to <plnx_proj_root>/project-spec/meta-user/recipes-core/. Within this folder, build the following structure:
├── dropbear
│      ├── dropbear_%.bbappend
│      └── files
│              └── dropbear
2. The dropbear init script in the 'files' folder above is the one you have copied over from Part 1, and modified by removing the call to gen_keys().
3. Create dropbear_%.bbappend as follows:

# The dropbear_%.bbappend looks like this:
# Dropbear: suppress gen_keys.

SRC_URI += " \
file://dropbear \
"
FILESEXTRAPATHS_prepend := "${THISDIR}/files:"

# Overwrite the dropbear configuration with my configuration.
do_install_append(){
install -m 0755 ${WORKDIR}/dropbear ${D}${sysconfdir}/init.d/dropbear
}


4. Add the line SIGGEN_UNLOCKED_RECIPES += "dropbear" to <plnx_proj_root>/project-spec/meta-user/conf/petalinuxbsp.conf
5. Clean the Petalinux project and re-build: petalinux-build -x mrproper and petalinux-build
6. Boot with the generated images. Observe that the key generation message is not displayed, and no key will exist at /etc/dropbear
7. Mount flash partition containing original key: mount -t jffs2 /dev/mtdblock3 /mnt/flash_mtd3
8. Copy key into default location: cp /mnt/flash_mtd3/dropbear_rsa_host_key /etc/dropbear

Hope that helps.

Best,

Shiril

---------------------------------------------------------------------------
Don’t forget to Reply, Kudo, and Accept as Solution.
---------------------------------------------------------------------------