Feature #12809

closed

Recover existing SSH keys during installation

Added by Jim Pingle 4 months ago. Updated about 1 month ago.

Status: Resolved
Priority: Very Low
Assignee:
Category: Installer
Target version:
Start date:
Due date:
% Done: 100%
Estimated time:
Plus Target Version: 22.05
Release Notes: Default

Description

It would be nice if the installer had a way to recover the SSH host keys off the drive the same way it handles the "Recover config.xml" option. This would make reinstalls even easier.

It may make the most sense to combine the two actions so they both happen at once (e.g. "Recover config.xml and SSH keys") though a second separate option could also work.

Actions #2

Updated by Jim Pingle 4 months ago

  • Status changed from New to Pull Request Review
  • Assignee set to Viktor Gurov
  • Target version changed from Future to 2.7.0
  • Plus Target Version set to 22.05
Actions #3

Updated by Viktor Gurov 4 months ago

  • Status changed from Pull Request Review to Feedback
  • % Done changed from 0 to 100
Actions #5

Updated by Jim Pingle 3 months ago

  • Status changed from Feedback to New

This is giving an error when it tries to process the keys. When run with sh -x, it shows:

+ [ -s {/tmp/mnt_recovery}/etc/ssh/ssh_host{rsa ed25519}_key -a -s {/tmp/mnt_recovery}/etc/ssh/ssh_host{rsa ed25519}_key.pub ]
[: {/tmp/mnt_recovery}/etc/ssh/ssh_host{rsa: unexpected operator

Looking at the code, this line:

for keytype in "rsa ed25519"; do

Shouldn't have quotes around the items to iterate. It should be:

for keytype in rsa ed25519; do

That error is repeated in both the recover_configxml.sh script and also in the corresponding installer code in the src repo (usr.sbin/bsdinstall/scripts/auto).

Additionally, even when fixing that, the etc dir is not present. When importing the pfSense pool it isn't mounting pfSense/ROOT/default so it doesn't have a lot of the content such as /etc/, so it can't find the SSH keys to copy.
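
The loop-quoting bug described in the note above, as an added example that is not part of the original issue or of the pfSense installer scripts: a quoted word list makes the loop run once with the whole string as the key type, while the unquoted list runs once per key type. The function names, the destination layout and the sample tree are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not the pfSense installer code. Function names, the
# destination directory and the sample tree are hypothetical.

# Count how often a loop body runs for the word list it is given.
# One argument "rsa ed25519" behaves like the quoted list in the bug.
count_iterations() {
    n=0
    for keytype in "$@"; do n=$((n + 1)); done
    echo "$n"
}

# Copy each complete host key pair (private and public file, both
# non-empty) from a mounted recovery root into a destination directory.
# Prints the number of key pairs recovered.
recover_ssh_keys() {
    src_root=$1 dest=$2 copied=0
    mkdir -p "$dest" || return 1
    for keytype in rsa ed25519; do      # unquoted list: two iterations
        key="${src_root}/etc/ssh/ssh_host_${keytype}_key"
        # Quoted expansions keep each path a single argument to test(1).
        if [ -s "$key" ] && [ -s "${key}.pub" ]; then
            cp -p "$key" "${key}.pub" "$dest/" || return 1
            chmod 600 "$dest/ssh_host_${keytype}_key"   # private key stays owner-only
            copied=$((copied + 1))
        fi
    done
    echo "$copied"
}

# Constructed sample tree standing in for the mounted old installation.
demo() {
    tmp=$(mktemp -d) || return 1
    mkdir -p "$tmp/old/etc/ssh"
    echo "constructed-private" > "$tmp/old/etc/ssh/ssh_host_rsa_key"
    echo "constructed-public"  > "$tmp/old/etc/ssh/ssh_host_rsa_key.pub"
    # ed25519 private key without its public half: must be skipped.
    echo "constructed-private" > "$tmp/old/etc/ssh/ssh_host_ed25519_key"
    recover_ssh_keys "$tmp/old" "$tmp/new"
    rm -rf "$tmp"
}

echo "quoted list:   $(count_iterations "rsa ed25519") iteration(s)"
echo "unquoted list: $(count_iterations rsa ed25519) iteration(s)"
echo "key pairs recovered from sample tree: $(demo)"
```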

Actions #6

Updated by Viktor Gurov 3 months ago

Jim Pingle wrote in #note-5:

This is giving an error when it tries to process the keys. When run with sh -x, it shows:

[...]

Looking at the code, this line:
[...]

Shouldn't have quotes around the items to iterate. It should be:
[...]

That error is repeated in both the recover_configxml.sh script and also in the corresponding installer code in the src repo (usr.sbin/bsdinstall/scripts/auto).

Additionally, even when fixing that, the etc dir is not present. When importing the pfSense pool it isn't mounting pfSense/ROOT/default so it doesn't have a lot of the content such as /etc/, so it can't find the SSH keys to copy.

As I understand recover_configxml.sh mounts all pool datasets -
https://github.com/pfsense/pfsense/blob/master/tools/installer/recover_configxml.sh#L95:

/sbin/zpool import -R ${recovery_mount} -f pfSense

There is no code to zpool/zfs/mount pfSense/cf/conf dataset

recover_configxml.sh fix: https://gitlab.netgate.com/pfSense/pfSense/-/merge_requests/689
usr.sbin/bsdinstall/scripts/auto fix: https://gitlab.netgate.com/pfSense/FreeBSD-src/-/merge_requests/67

Actions #7

Updated by Jim Pingle 3 months ago

Viktor Gurov wrote in #note-6:

Additionally, even when fixing that, the etc dir is not present. When importing the pfSense pool it isn't mounting pfSense/ROOT/default so it doesn't have a lot of the content such as /etc/, so it can't find the SSH keys to copy.

As I understand recover_configxml.sh mounts all pool datasets -
https://github.com/pfsense/pfsense/blob/master/tools/installer/recover_configxml.sh#L95:
[...]
There is no code to zpool/zfs/mount pfSense/cf/conf dataset

recover_configxml.sh fix: https://gitlab.netgate.com/pfSense/pfSense/-/merge_requests/689
usr.sbin/bsdinstall/scripts/auto fix: https://gitlab.netgate.com/pfSense/FreeBSD-src/-/merge_requests/65

In theory what it's doing should work, perhaps, but it does not work in practice. Try the command from a rescue shell in the installer (drop to a shell from the first menu that prompts for install or recovery). It mounts some, but not all, of the datasets. The pfSense/ROOT/default dataset is one that is missing, and it contains /etc from the installation. Do a find on all mounted partitions, the keys are not present on any mount point. If you manually do something like /sbin/mount -t zfs pfSense/ROOT/default /mnt/<somewhere> then it's present.

Actions #8

Updated by Christian McDonald about 2 months ago

With the changes to the ZFS layout to support Boot Environments, it is now required to determine the dataset path programmatically instead of assuming it's 'pfSense/ROOT/default'. I've pointed Viktor to some utility functions that are useful for this.

Actions #9

Updated by Jim Pingle about 1 month ago

  • Assignee changed from Viktor Gurov to Jim Pingle

I'll fix the recover_configxml.sh part up. I have some code I'm testing now.

Actions #10

Updated by Jim Pingle about 1 month ago

  • Status changed from New to Feedback
Actions #12

Updated by Jim Pingle about 1 month ago

  • Status changed from Feedback to In Progress

The recover_configxml.sh part is working, I see the console message that it recovered the SSH keys. However, they are still not present after the install finishes.

Probably some part of the FS is not mounted right at the end of the auto script part.

Actions #13

Updated by Jim Pingle about 1 month ago

  • Status changed from In Progress to Feedback
Actions #14

Updated by Jim Pingle about 1 month ago

  • Status changed from Feedback to Resolved

Works great on the latest snapshot

Actions #15

Updated by Jim Pingle about 1 month ago

  • Subject changed from Recover SSH Keys option in the installer to Recover existing SSH keys during installation

Updating subject for release notes.
