I'm building my custom distribution for RPi using Yocto. My distro includes an SSH server (dropbear, but the question is valid for openssh also).
One of the annoying things that I noticed is that every time I flash a newly-built image to the board, I get a new SSH host key, which in turn causes my ssh client to warn me that the server's host key has changed, and I need to remove the server's fingerprint from /etc/known_hosts.
I wonder if there is a built-in mechanism for supplying secrets for the build-system without putting them into source-control.
More specifically - is there a way to tell yocto "take this key file as the host key for dropbear/sshd"?
You can have a recipe that installs the key at the correct location. This key will be generated by you beforehand and "put" into an externalsrc recipe (inherit externalsrc and set EXTERNALSRC appropriately which can point to any path on the host system). The recipe lives in the version control environment you use but the key stays outside of it. Then you just add the resulting package to your image.
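
A sketch of the recipe described in the answer above, added here as an example and not taken from the answer's author or from any Yocto layer. The recipe name `ssh-hostkey.bb`, the `EXTERNALSRC` path and the key file name are assumptions, as is the install location `/etc/dropbear/dropbear_rsa_host_key`, which should be checked against the dropbear recipe in the release being built.

```bitbake
# ssh-hostkey.bb (hypothetical recipe name; added example)
SUMMARY = "Pre-generated dropbear host key for development images"
LICENSE = "CLOSED"

inherit externalsrc

# Assumption: a directory on the build host, outside version control, holding
# a key generated beforehand, e.g. with:
#   dropbearkey -t rsa -f dropbear_rsa_host_key
# The path below is a placeholder.
EXTERNALSRC = "/path/outside/vcs/hostkeys"

# The key is installed as-is, so there is nothing to configure or compile.
do_configure[noexec] = "1"
do_compile[noexec] = "1"

do_install() {
    # Fail the build instead of silently shipping an image without the key.
    if [ ! -s "${S}/dropbear_rsa_host_key" ]; then
        bbfatal "dropbear_rsa_host_key not found in EXTERNALSRC (${S})"
    fi

    install -d -m 0755 ${D}${sysconfdir}/dropbear
    # A host private key must be readable by root only.
    install -m 0600 ${S}/dropbear_rsa_host_key \
        ${D}${sysconfdir}/dropbear/dropbear_rsa_host_key
}
```

The private key ends up in the package, the root filesystem image and the build's work and deploy directories, so those artifacts need the same handling as the key itself. Every board flashed from the image also shares one host key, which suits development boards but not a fleet of deployed devices.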