How to install SSH host-key using Yocto


I'm building my custom distribution for RPi using Yocto. My distro includes an SSH server (dropbear, but the question is valid for openssh also).

One of the annoying things that I noticed is that every time I flash a newly-built image to the board, I get a new SSH host key, which in turn causes my ssh client to warn me that the server's host key has changed, and I need to remove the server's fingerprint from /etc/known_hosts.

I wonder if there is a built-in mechanism for supplying secrets for the build-system without putting them into source-control.

More specifically - is there a way to tell yocto "take this key file as the host key for dropbear/sshd"?

2

There are 2 answers

4
qschulz On BEST ANSWER

You can have a recipe that installs the key at the correct location. This key will be generated by you beforehand and "put" into an externalsrc recipe (inherit externalsrc and set EXTERNALSRC appropriately which can point to any path on the host system). The recipe lives in the version control environment you use but the key stays outside of it. Then you just add the resulting package to your image.

1
Avi Shukron On

I couldn't get @qschulz's solution to work, so I ended up with the following append to openssh (for dropbear only the install location and filename will be different):

# File: recipes-networking/openssh/openssh_%.bbappend
#
# Recipe for installing openssh rsa host key
#

# This variable should be set in your local.conf to point to the host private
# key file
MYDISTRO_HOST_SSH_KEY ?= ""
export MYDISTRO_HOST_SSH_KEY

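# Old-style override syntax; Yocto 3.4 (honister) and later use
# do_install:append:mydistro and FILES:${PN} instead.
do_install_append_mydistro() {
    # Quote the path so an empty value or a path with spaces is handled
    if [ -n "$MYDISTRO_HOST_SSH_KEY" ]; then
        install -d ${D}${sysconfdir}/ssh
        install -m 0600 "$MYDISTRO_HOST_SSH_KEY" ${D}${sysconfdir}/ssh/ssh_host_rsa_key
    fi
}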

FILES_${PN} += "${sysconfdir}/ssh/ssh_host_rsa_key"
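
A preflight check to run before bitbake, as an added example that is not part of either answer: it confirms that the file MYDISTRO_HOST_SSH_KEY points to exists, sits outside any git work tree, and is readable by its owner only, then prints the fingerprint to pin in known_hosts. The function names are hypothetical, and GNU stat on a Linux build host is assumed.

```shell
#!/bin/sh
# Preflight for the key file that MYDISTRO_HOST_SSH_KEY points to.
# Return codes: 0 ok, 1 missing/empty, 2 inside a git work tree, 3 mode too open.

# Walk up from the key's directory looking for a .git entry.
# Needs no git binary; also catches worktrees and submodules (.git as a file).
in_git_tree() {
    dir=$(cd "$(dirname "$1")" && pwd -P) || return 1
    while :; do
        [ -e "$dir/.git" ] && return 0
        [ "$dir" = "/" ] && return 1
        dir=$(dirname "$dir")
    done
}

host_key_preflight() {
    key=$1
    if [ ! -f "$key" ] || [ ! -s "$key" ]; then
        echo "missing or empty: $key" >&2
        return 1
    fi
    if in_git_tree "$key"; then
        echo "refusing: $key is inside a git work tree" >&2
        return 2
    fi
    # The bbappend installs the key 0600; require the source to be owner-only too.
    mode=$(stat -c %a "$key")   # GNU stat (assumption: Linux build host)
    if [ "$mode" != "600" ] && [ "$mode" != "400" ]; then
        echo "mode $mode is too open: $key" >&2
        return 3
    fi
    # Print the fingerprint to compare against the client's known_hosts entry.
    if command -v ssh-keygen >/dev/null 2>&1; then
        ssh-keygen -lf "$key" || true
    fi
    return 0
}

# Stand-alone use: sh preflight.sh /path/to/ssh_host_rsa_key
if [ $# -gt 0 ]; then
    host_key_preflight "$1"
fi
```

The installed private key is identical on every board flashed from the image and is also present in the package the build produces, so the build output has to be handled as carrying the secret.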