slaprunner: drop ssh key authority

These keys are not managed by trust of a certificate authority, just by
"trust of first use" so it does not make sense to use a key authority.

This also cause difficulties to publish the key fingerprint as a
parameter, because we can't get the key fingerprint until the authority
service is started.

Also enable ecdsa key.

Existing webrunners will have a new ssh host key after this.

software/slaprunner/buildout.hash.cfg

@@ -18,7 +18,7 @@ md5sum = 8b78e32b877d591400746ec7fd68ed4c
 
 [template-runner]
 filename = instance-runner.cfg
-md5sum = e13150f71bf68ad0f3e1af320511ba90
+md5sum = 3065da28005b0c904cd3cf1b3f638bfb
 
 [template-runner-import-script]
 filename = template/runner-import.sh.jinja2
@@ -26,7 +26,7 @@ md5sum = fc22e2d2f03ce58631f157a5b4943e15
 
 [instance-runner-import]
 filename = instance-runner-import.cfg.in
-md5sum = b450c474464a326f3d0b98728460ac97
+md5sum = d2c140c31fdda993834a023b331fb69f
 
 [instance-runner-export]
 filename = instance-runner-export.cfg.in

software/slaprunner/instance-runner-import.cfg.in

@@ -16,8 +16,6 @@ parts +=
   runner-sshd-add-authorized-key
   runner-sshd-graceful
   runner-sshd-promise
-  runner-sshkeys-authority
-  runner-sshkeys-authority-service
   runner-sshkeys-sshd
   runner-sshkeys-sshd-service
   runtestsuite

software/slaprunner/instance-runner.cfg

@@ -17,8 +17,6 @@ common-runner-parts =
   runner-sshd-add-authorized-key
   runner-sshd-graceful
   runner-sshd-promise
-  runner-sshkeys-authority
-  runner-sshkeys-authority-service
   runner-sshkeys-sshd
   runner-sshkeys-sshd-service
   runtestsuite
@@ -256,14 +254,14 @@ ip = $${slap-network-information:global-ipv6}
 recipe = slapos.recipe.template:jinja2
 rendered = $${directory:etc}/runner-sshd.conf
 path_pid = $${directory:run}/runner-sshd.pid
-host_key = $${directory:ssh}/runner_server_key.rsa
 template = inline:
   PidFile $${:path_pid}
   Port $${runner-sshd-port:port}
   ListenAddress $${slap-network-information:global-ipv6}
   Protocol 2
   UsePrivilegeSeparation no
-  HostKey $${:host_key}
+  HostKey $${runner-sshd-ssh-host-rsa-key:output}
+  HostKey $${runner-sshd-ssh-host-ecdsa-key:output}
   PasswordAuthentication no
   PubkeyAuthentication yes
   AuthorizedKeysFile $${buildout:directory}/.ssh/authorized_keys
@@ -276,7 +274,7 @@ host = $${slap-network-information:global-ipv6}
 rsa-keyfile = $${runner-sshd-config:host_key}
 home = $${directory:ssh}
 command-line = ${openssh:location}/sbin/sshd -D -e -f $${runner-sshd-config:rendered}
-wrapper-path = $${directory:bin}/runner_raw_sshd
+wrapper-path = $${directory:bin}/runner-sshd
 
 [runner-sshd-authorized-key]
 <= runner-sshd-raw-server
@@ -289,7 +287,7 @@ log = $${directory:log}/runner-sshd.log
 input = inline:#!/bin/sh
     exec $${runner-sshd-raw-server:wrapper-path} >> $${:log} 2>&1
 
-output = $${directory:bin}/runner_raw_sshd_log
+output = $${directory:services}/runner-sshd
 mode = 700
 
 [runner-sshd-graceful]
@@ -297,34 +295,6 @@ recipe = slapos.cookbook:wrapper
 command-line = $${directory:bin}/killpidfromfile $${runner-sshd-config:path_pid} SIGHUP
 wrapper-path = $${directory:scripts}/runner-sshd-graceful
 
-[runner-sshkeys-directory]
-recipe = slapos.cookbook:mkdirectory
-requests = $${directory:sshkeys}/runner-requests/
-keys = $${directory:sshkeys}/runner-keys/
-
-[runner-sshkeys-authority]
-recipe = slapos.cookbook:sshkeys_authority
-request-directory = $${runner-sshkeys-directory:requests}
-keys-directory = $${runner-sshkeys-directory:keys}
-wrapper = $${directory:bin}/runner_sshkeys_authority
-keygen-binary = ${openssh:location}/bin/ssh-keygen
-
-[runner-sshkeys-authority-service]
-recipe = slapos.cookbook:wrapper
-command-line = $${runner-sshkeys-authority:wrapper}
-wrapper-path = $${directory:services}/runner-sshkeys-authority
-hash-existing-files = $${buildout:directory}/software_release/buildout.cfg
-
-[runner-sshkeys-sshd]
-<= runner-sshkeys-authority
-recipe = slapos.cookbook:sshkeys_authority.request
-name = sshd
-type = rsa
-executable = $${runner-sshd-server:output}
-public-key = $${runner-sshd-raw-server:rsa-keyfile}.pub
-private-key = $${runner-sshd-raw-server:rsa-keyfile}
-wrapper = $${directory:bin}/runner-sshd
-
 [runner-sshkeys-sshd-service]
 recipe = slapos.cookbook:wrapper
 command-line = $${runner-sshkeys-sshd:wrapper}
@@ -336,10 +306,22 @@ recipe = slapos.cookbook:dropbear.add_authorized_key
 home = $${buildout:directory}
 key = $${slap-parameter:user-authorized-key}
 
+[runner-sshd-ssh-keygen-base]
+recipe = plone.recipe.command
+output = $${directory:etc}/$${:_buildout_section_name_}
+command = ${openssh-output:keygen} -f $${:output} -N '' $${:extra-args}
+
+[runner-sshd-ssh-host-rsa-key]
+<=runner-sshd-ssh-keygen-base
+extra-args=-t rsa
+[runner-sshd-ssh-host-ecdsa-key]
+<=runner-sshd-ssh-keygen-base
+extra-args=-t ecdsa -b 521
+
 [runner-sshkeys-publickey-fingerprint-cmd]
 recipe = plone.recipe.command
 stop-on-error = true
-command = bash -o pipefail -c "$${runner-sshkeys-authority:keygen-binary} -lf $${runner-sshkeys-sshd:public-key} | cut  -f 2 -d\ | sed 's/+/%2B/g' | sed 's/\//%2F/g' | sed 's/SHA256://'"
+command = bash -o pipefail -c "$${runner-sshkeys-authority:keygen-binary} -lf $${runner-sshd-ssh-host-ecdsa-key:output} | cut  -f 2 -d\ | sed 's/+/%2B/g' | sed 's/\//%2F/g' | sed 's/SHA256://'"
 
 [runner-sshkeys-publickey-fingerprint-shelloutput]
 recipe = collective.recipe.shelloutput

software/slaprunner/test/test.py

@@ -246,7 +246,6 @@ class ServicesTestCase(SlaprunnerTestCase):
     ]
     expected_process_names = [
       'slaprunner-supervisord-{hash}-on-watch',
-      'runner-sshkeys-authority-{hash}-on-watch',
       'runner-sshd-{hash}-on-watch',
       'slaprunner-httpd-{hash}-on-watch',
       'gunicorn-{hash}-on-watch',