Bug 474720

Summary: freenx-server should not generate or copy any keys in %post
Product: [Fedora] Fedora
Reporter: Warren Togami <wtogami>
Component: freenx-server
Assignee: Axel Thimm <Axel.Thimm>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Priority: low
Version: rawhide
CC: gwync
Hardware: All
OS: Linux
Fixed In Version: 0.7.3-15.fc10
Doc Type: Bug Fix
Last Closed: 2009-08-10 21:40:30 UTC
Bug Blocks: 188611

Description Warren Togami 2008-12-04 23:48:22 UTC
%post
if test ! -e /etc/nxserver/users.id_dsa; then
  %{_bindir}/ssh-keygen -q -t dsa -N "" -f /etc/nxserver/users.id_dsa
fi

if ! test -e /etc/nxserver/client.id_dsa.key -a -e /etc/nxserver/server.id_dsa.pub.key; then
  %{_bindir}/ssh-keygen -q -t dsa -N "" -f /etc/nxserver/local.id_dsa
  mv -f /etc/nxserver/local.id_dsa /etc/nxserver/client.id_dsa.key
  mv -f /etc/nxserver/local.id_dsa.pub /etc/nxserver/server.id_dsa.pub.key
fi

echo -n "127.0.0.1 " > /var/lib/nxserver/home/.ssh/known_hosts
# We do depend on openssh-server, but package installation != key
# creation time. See also Fedora bug #235592
cat /etc/ssh/ssh_host_rsa_key.pub >> /var/lib/nxserver/home/.ssh/known_hosts 2>/dev/null
chown nx:root /var/lib/nxserver/home/.ssh/known_hosts

This is related to Bug #235592, but goes even further.  None of this should happen during %post of freenx-server.  Why?  If you install freenx-server in a chroot to be included in an image, then you are packaging ssh keys that are no longer unique.

All of this should be moved to a shell script to be run once by the system administrator after the system has booted for real.  This would also solve Bug #235592.  There is no way around the necessity of this.

Comment 1 Warren Togami 2008-12-04 23:50:04 UTC
Correction: None of the key generation or copying should happen during %post.  User creation and other things are OK.
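
One way to write the run-once setup script the description asks for, as an added example that is not part of the original report or of the freenx-server package. The NX_* variables, the function name and the --run switch are assumptions; the paths and the DSA key type come from the quoted %post scriptlet.

```shell
#!/bin/sh
# Added example, not the package's script. Paths and key type come from the
# %post scriptlet quoted in the report; NX_* names are hypothetical overrides.
NX_ETC=${NX_ETC:-/etc/nxserver}
NX_HOME=${NX_HOME:-/var/lib/nxserver/home}
NX_HOSTKEY=${NX_HOSTKEY:-/etc/ssh/ssh_host_rsa_key.pub}
NX_OWNER=${NX_OWNER:-nx:root}
NX_KEYGEN=${NX_KEYGEN:-ssh-keygen}
NX_KEYTYPE=${NX_KEYTYPE:-dsa}   # as in the scriptlet; override where ssh-keygen lacks DSA

nx_setup_keys() {
    umask 077
    # The sshd host key is created after openssh-server is installed, not at
    # install time, so refuse to continue instead of hiding the error.
    if [ ! -s "$NX_HOSTKEY" ]; then
        echo "nx-setup: $NX_HOSTKEY missing; generate the sshd host keys first" >&2
        return 1
    fi
    # Existing keys are never regenerated, so a second run changes nothing.
    if [ ! -e "$NX_ETC/users.id_dsa" ]; then
        "$NX_KEYGEN" -q -t "$NX_KEYTYPE" -N "" -f "$NX_ETC/users.id_dsa" || return 1
    fi
    # Client/server pair: created together or not at all.
    if [ ! -e "$NX_ETC/client.id_dsa.key" ] || [ ! -e "$NX_ETC/server.id_dsa.pub.key" ]; then
        rm -f "$NX_ETC/local.id_dsa" "$NX_ETC/local.id_dsa.pub"
        "$NX_KEYGEN" -q -t "$NX_KEYTYPE" -N "" -f "$NX_ETC/local.id_dsa" || return 1
        mv -f "$NX_ETC/local.id_dsa" "$NX_ETC/client.id_dsa.key"
        mv -f "$NX_ETC/local.id_dsa.pub" "$NX_ETC/server.id_dsa.pub.key"
    fi
    # Pin this machine's own host key; write to a temp file, then rename.
    tmp=$(mktemp "$NX_HOME/.ssh/known_hosts.XXXXXX") || return 1
    { printf '127.0.0.1 '; cat "$NX_HOSTKEY"; } > "$tmp" || return 1
    chown "$NX_OWNER" "$tmp" && chmod 644 "$tmp" && mv -f "$tmp" "$NX_HOME/.ssh/known_hosts"
}

# Nothing happens at package install or image build time: the administrator
# runs this with --run on the booted system.
if [ "${1:-}" = "--run" ]; then nx_setup_keys; fi
```

Because the keys are only created when this runs on the installed machine, an image built from a chroot contains no private key material for freenx-server.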

Comment 2 Fedora Update System 2009-07-25 23:11:12 UTC
freenx-server-0.7.3-14.fc10 has been submitted as an update for Fedora 10.
http://admin.fedoraproject.org/updates/freenx-server-0.7.3-14.fc10

Comment 3 Fedora Update System 2009-07-25 23:11:54 UTC
freenx-server-0.7.3-14.fc11 has been submitted as an update for Fedora 11.
http://admin.fedoraproject.org/updates/freenx-server-0.7.3-14.fc11

Comment 4 Fedora Update System 2009-07-27 21:30:12 UTC
freenx-server-0.7.3-14.fc10 has been pushed to the Fedora 10 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update freenx-server'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F10/FEDORA-2009-8023

Comment 5 Fedora Update System 2009-07-27 21:31:07 UTC
freenx-server-0.7.3-14.fc11 has been pushed to the Fedora 11 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update freenx-server'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F11/FEDORA-2009-8022

Comment 6 Fedora Update System 2009-08-01 23:54:04 UTC
freenx-server-0.7.3-15.fc11 has been pushed to the Fedora 11 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update freenx-server'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F11/FEDORA-2009-8022

Comment 7 Fedora Update System 2009-08-01 23:57:56 UTC
freenx-server-0.7.3-15.fc10 has been pushed to the Fedora 10 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update freenx-server'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F10/FEDORA-2009-8023

Comment 8 Fedora Update System 2009-08-10 21:39:48 UTC
freenx-server-0.7.3-15.fc11 has been pushed to the Fedora 11 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 9 Fedora Update System 2009-08-10 21:52:11 UTC
freenx-server-0.7.3-15.fc10 has been pushed to the Fedora 10 stable repository.  If problems still persist, please make note of it in this bug report.