random-archer / mkinitcpio-systemd-tool

Provisioning tool for systemd in initramfs (systemd-tool)
https://www.archlinux.org/packages/community/any/mkinitcpio-systemd-tool/

tinyssh-convert behavior changes #89

Closed mFlorianW closed 2 years ago

mFlorianW commented 2 years ago

Since version 20210601 of tinyssh, which as of today (10-13-2021) is installed on Arch Linux machines, tinyssh contains its own tinyssh-convert. This one behaves differently from the tinyssh-convert which is usually used on an Arch Linux installation, and since today (10-13-2021) that one is removed when installing the new tinyssh package.

  1. First, the new tinyssh-convert doesn't generate the keys when the key dir already exists.
  2. The command-line arguments changed.

ArchangeGabriel commented 2 years ago

  • First, the new tinyssh-convert doesn't generate the keys when the key dir already exists.

That’s a feature to me. I already have keys there; I don’t want them to be automatically switched to openssh ones. Actually, I don’t think it’s a good idea to convert them automatically in any case; it should be a conscious user action.

mFlorianW commented 2 years ago

I don't know the exact old behavior of tinyssh-convert, but for me it looks like the keys are always converted when the initramfs is generated.

The only thing I saw today was error messages when generating the initramfs. If somebody can explain to me what the old behavior was, I will change it to that.

ArchangeGabriel commented 2 years ago

No, you’re right about the old behaviour, but until now one could escape the automatic rewrite of keys by not installing tinyssh-convert (it resulted in an error during initramfs generation but would still work OK). Now one has either to NoExtract it or actually depend on the behaviour of keys not being overwritten.

referi commented 2 years ago

got this error today on my fresh install (recently it was ok):

    ==> ERROR: command failure (100): tinyssh-convert -f /etc/ssh/ssh_host_ed25519_key -d /etc/tinyssh/sshkeydir
    tinyssh-convert: usage: tinyssh-convert out-tinysshkeydir < in-opensshfile

borislavba commented 2 years ago

What about an option in e.g. /etc/mkinitcpio-systemd-tool/mkinitcpio-systemd-tool.conf (or /etc/conf.d/mkinitcpio-systemd-tool) like DoOpenSSHConvert=yes|no|true|false|1|0? If it is true (the default, in order to be in line with the old behavior), check for the existence of /etc/sshd/ and try to convert the keys, else give an error if there is no such dir, or something like this. If it is false, check for the existence of /etc/tinyssh/sshkeydir/ and tell the user to generate the keys if not. Some people (I'm evaluating this for some reasons) may use only tinyssh without openssh installed/configured.

And about the pull request, shouldn't there be a line like the one below after the conversion?

    chmod -R go-rwX $keydir

It's working fine with it and it's better security-wise...
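The logic proposed in the comment above, as an added example that is not part of this thread or of mkinitcpio-systemd-tool's own hook code. It assumes the option name DoOpenSSHConvert, the /etc/conf.d/mkinitcpio-systemd-tool location, and the calling convention of the new tinyssh-convert quoted in this thread (`tinyssh-convert out-tinysshkeydir < in-opensshfile`); the converter command is passed in as a parameter so the script can be exercised with a stand-in on a machine without tinyssh.

```shell
#!/bin/sh
# Added example, not code from mkinitcpio-systemd-tool: the conversion step
# with the DoOpenSSHConvert switch proposed in this thread. Option name,
# config path and converter calling convention are assumptions.

# Parse DoOpenSSHConvert instead of sourcing the config file, so a stray
# line in it cannot run as a command during initramfs generation.
# A missing file or missing key means "true", matching the old behaviour.
read_convert_flag() {
    local conf="$1" value=""
    if [ -r "$conf" ]; then
        value=$(sed -n 's/^[[:space:]]*DoOpenSSHConvert=//p' "$conf" | tail -n 1 | tr -d "\"' ")
    fi
    [ -n "$value" ] || value=true
    case "$value" in
        1|yes|true|YES|TRUE|Yes|True)   echo true ;;
        0|no|false|NO|FALSE|No|False)   echo false ;;
        *) echo "==> ERROR: DoOpenSSHConvert has unknown value '$value'" >&2; return 2 ;;
    esac
}

# prepare_tinyssh_keys CONF OPENSSH_KEY KEYDIR CONVERTER
# CONVERTER is run as:  CONVERTER out-tinysshkeydir < OPENSSH_KEY
# Returns 0 on success, 1 when required input is missing or conversion
# fails, 2 on a bad config value.
prepare_tinyssh_keys() {
    local conf="$1" key="$2" keydir="$3" converter="$4" flag work
    flag=$(read_convert_flag "$conf") || return 2
    if [ "$flag" = false ]; then
        # The user manages the tinyssh keys; only verify that they exist.
        if [ ! -d "$keydir" ]; then
            echo "==> ERROR: $keydir missing; generate tinyssh keys or set DoOpenSSHConvert=true" >&2
            return 1
        fi
    else
        if [ ! -r "$key" ]; then
            echo "==> ERROR: OpenSSH host key $key not found; cannot convert" >&2
            return 1
        fi
        # The new tinyssh-convert will not write into an existing key dir, so
        # convert into a fresh directory and swap it in. That keeps the old
        # "always convert" behaviour when the option is true.
        work=$(mktemp -d) || return 1
        if ! "$converter" "$work/keys" < "$key"; then
            rm -rf "$work"
            echo "==> ERROR: key conversion failed" >&2
            return 1
        fi
        rm -rf "$keydir"
        mv "$work/keys" "$keydir" && rmdir "$work"
    fi
    # The private key ends up inside the initramfs image anyway, but on the
    # host nothing except root should be able to read it (the chmod above).
    chmod -R go-rwX "$keydir"
}
```

With DoOpenSSHConvert=false the function only checks that the key directory exists and fixes its permissions; with the default it converts the OpenSSH key on every run, which is the behaviour this thread describes for the old tinyssh-convert.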

mFlorianW commented 2 years ago

The option and the file rights are a good point; I will look into that this evening.

mFlorianW commented 2 years ago

I updated the PR with a config file to enable or disable the key transformation. I also added an additional check for the openssh key.

ArchangeGabriel commented 2 years ago

Apart from @borislavba's comments, fine for me. :)

mFlorianW commented 2 years ago

Hey, I changed the variable to true and false and installed the config file to /etc/conf.d/mkinitcpio-systemd-tool. I had to remove the .conf file extension, otherwise the wildcard install "src/*.conf" would install the file into /etc/mkinitcpio.systemd/config anyway.