protect sshd host keys

[wommel]

The main systems ssh keys should not be exposed (thats the whole point in encrypting the root partition). A way to acomplish this should at least be documented. Maybe it should even be the default beahviour.

To currently do this you need to:

• uninstall tinyssh-convert if already installed
• remove /etc/tinyssh/sshkeydir/ if already existing
• run tinysshd-makekey /etc/tinyssh/sshkeydir/ to generate unique keys
• change tinysshd ssh port so ssh doesn't complain about changed host key. so create /etc/systemd/system/initrd-tinysshd.service.d/override.conf containing:

  [Service]
  Environment=SSHD_PORT=1234

• regenerate init image, mkinitcpio will complain about tinyssh-convert not exsiting but thats exacly what we want here
• to unlock now remeber to use the changed port ssh -p 1234 root@server

The error message when generating the image should be removed or at least changed to a warning.

I think the most elegant solution would be to put the conversion into a seperate service and maybe provide a file in config for the port.

[Andrei-Pozolotin]

1. thank you for the idea

2. you are welcome to send a PR for a new unit, to be named, say initrd-tinysshd-secure.service, which can rely on new support functions (keys re-gen, key cleanup, etc) to be stored initrd-build.sh

[ArchangeGabriel]

I think that the conversion should not be done automatically at all. This should be an user choice from the start, and also there is no point in running the conversion at each initramfs generation.