Feature #12809
closed
Recover existing SSH keys during installation
100%
Description
It would be nice if the installer had a way to recover the SSH host keys off the drive the same way it handles the "Recover config.xml" option. This would make reinstalls even easier.
It may make the most sense to combine the two actions so they both happen at once (e.g. "Recover config.xml and SSH keys") though a second separate option could also work.
Updated by Viktor Gurov about 2 years ago
Updated by Jim Pingle about 2 years ago
- Status changed from New to Pull Request Review
- Assignee set to Viktor Gurov
- Target version changed from Future to 2.7.0
- Plus Target Version set to 22.05
Updated by Viktor Gurov about 2 years ago
- Status changed from Pull Request Review to Feedback
- % Done changed from 0 to 100
Applied in changeset 4ebb9c8d9f9799cb82593bed675e428accc1c63d.
Updated by Viktor Gurov about 2 years ago
Updated by Jim Pingle about 2 years ago
- Status changed from Feedback to New
This is giving an error when it tries to process the keys. When run with sh -x, it shows:
+ [ -s {/tmp/mnt_recovery}/etc/ssh/ssh_host{rsa ed25519}_key -a -s {/tmp/mnt_recovery}/etc/ssh/ssh_host{rsa ed25519}_key.pub ]
[: {/tmp/mnt_recovery}/etc/ssh/ssh_host{rsa: unexpected operator
Looking at the code, this line:
for keytype in "rsa ed25519"; do
Shouldn't have quotes around the items to iterate. It should be:
for keytype in rsa ed25519; do
That error is repeated in both the recover_configxml.sh script and also in the corresponding installer code in the src repo (usr.sbin/bsdinstall/scripts/auto).
Additionally, even when fixing that, the etc dir is not present. When importing the pfSense pool it isn't mounting pfSense/ROOT/default so it doesn't have a lot of the content such as /etc/, so it can't find the SSH keys to copy.
Updated by Viktor Gurov about 2 years ago
Jim Pingle wrote in #note-5:
This is giving an error when it tries to process the keys. When run with
sh -x, it shows:[...]
Looking at the code, this line:
[...]Shouldn't have quotes around the items to iterate. It should be:
[...]That error is repeated in both the recover_configxml.sh script and also in the corresponding installer code in the src repo (
usr.sbin/bsdinstall/scripts/auto).Additionally, even when fixing that, the
etcdir is not present. When importing the pfSense pool it isn't mountingpfSense/ROOT/defaultso it doesn't have a lot of the content such as/etc/, so it can't find the SSH keys to copy.
As I understand recover_configxml.sh mounts all pool datasets -
https://github.com/pfsense/pfsense/blob/master/tools/installer/recover_configxml.sh#L95:
/sbin/zpool import -R ${recovery_mount} -f pfSense
There is no code to zpool/zfs/mount
pfSense/cf/conf dataset
recover_configxml.sh fix: https://gitlab.netgate.com/pfSense/pfSense/-/merge_requests/689usr.sbin/bsdinstall/scripts/auto fix: https://gitlab.netgate.com/pfSense/FreeBSD-src/-/merge_requests/67
Updated by Jim Pingle about 2 years ago
Viktor Gurov wrote in #note-6:
Additionally, even when fixing that, the
etcdir is not present. When importing the pfSense pool it isn't mountingpfSense/ROOT/defaultso it doesn't have a lot of the content such as/etc/, so it can't find the SSH keys to copy.As I understand
recover_configxml.shmounts all pool datasets -
https://github.com/pfsense/pfsense/blob/master/tools/installer/recover_configxml.sh#L95:
[...]
There is no code to zpool/zfs/mountpfSense/cf/confdataset
recover_configxml.shfix: https://gitlab.netgate.com/pfSense/pfSense/-/merge_requests/689usr.sbin/bsdinstall/scripts/autofix: https://gitlab.netgate.com/pfSense/FreeBSD-src/-/merge_requests/65
In theory what it's doing should work, perhaps, but it does not work in practice. Try the command from a rescue shell in the installer (drop to a shell from the first menu that prompts for install or recovery). It mounts some, but not all, of the datasets. The pfSense/ROOT/default dataset is one that is missing, and it contains /etc from the installation. Do a find on all mounted partitions, the keys are not present on any mount point. If you manually do something like /sbin/mount -t zfs pfSense/ROOT/default /mnt/<somewhere> then it's present.
Updated by Christian McDonald almost 2 years ago
With the changes to the ZFS layout to support Boot Environments, it is now required to determine the dataset path programmatically instead of assuming it's 'pfSense/ROOT/default'. I've pointed Viktor to some utility functions that are useful for this.
Updated by Jim Pingle almost 2 years ago
- Assignee changed from Viktor Gurov to Jim Pingle
I'll fix the recover_configxml.sh part up. I have some code I'm testing now.
Updated by Jim Pingle almost 2 years ago
- Status changed from New to Feedback
Applied in changeset c5eea3996c8ab0aa28a720725adbca7d85cf34e4.
Updated by Jim Pingle almost 2 years ago
Additional related fix: https://github.com/pfsense/FreeBSD-src/commit/f08bce6597c45c349a77b302d1f5a538d2283110
Updated by Jim Pingle almost 2 years ago
- Status changed from Feedback to In Progress
The recover_configxml.sh part is working, I see the console message that it recovered the SSH keys. However, they are still not present after the install finishes.
Probably some part of the FS is not mounted right at the end of the auto script part.
Updated by Jim Pingle almost 2 years ago
- Status changed from In Progress to Feedback
Hopefully the last fix necessary: https://github.com/pfsense/FreeBSD-src/commit/2f579c0ea863e061339bce682259dddc7d27c9a7
Updated by Jim Pingle almost 2 years ago
- Status changed from Feedback to Resolved
Works great on the latest snapshot
Updated by Jim Pingle almost 2 years ago
- Subject changed from Recover SSH Keys option in the installer to Recover existing SSH keys during installation
Updating subject for release notes.