dfinity · andrewbattat · Jan 21, 2025 · Jan 21, 2025 · Jan 21, 2025 · Jan 21, 2025
@@ -46,7 +46,7 @@ serve as a guide on how to add further actions.
 
 === ssh key generation
 
-The `setup-ssh-keys` (and corresponding shell script) service performs one of
+The `generate-host-ssh-keys` (and corresponding shell script) service performs one of
 two things: If this is the first boot ever (on a newly installed system), it
 generates ssh keys and stashes them away in a location that is preserved across
 reboots and in the future upgrades.

@@ -20,7 +20,7 @@ service are started in the IC-OS boot sequence:
 
 - Config injection
 
-- Set up ssh account keys
+- Set up ssh user keys
 
 - Generate network configuration
 
@@ -53,7 +53,7 @@ Relevant information can be found in the guestos link:../../guestos/docs/Boot.ad
 
 == Set up ssh host keys
 
-Service: `setup-ssh-keys.service`, script: `/opt/ic/bin/setup-ssh-keys.sh`,
+Service: `generate-host-ssh-keys.service`, script: `/opt/ic/bin/generate-host-ssh-keys.sh`,
 depends on `/boot/config` mount.
 
 This checks if ssh host keys for the system exist in the `config` partition
@@ -83,9 +83,9 @@ USB stick" attached to the VM that contains a tar file with initial configuratio
 for parts of the system (see link:ConfigStore{outfilesuffix}[config store] for a description). Required
 files in the `config` partition as well as payload store are created.
 
-== Set up ssh account keys
+== Set up ssh user keys
 
-Service: `setup-ssh-account-keys.services`, script `/opt/ic/bin/setup-ssh-account-keys.sh`.
+Service: `setup-ssh-user-keys.services`, script `/opt/ic/bin/setup-ssh-user-keys.sh`.
 Depends on `bootstrap-ic-node.service`.
 
 The `authorized_keys` files for the role accounts are taken from the

@@ -56,8 +56,8 @@ component_files = {
     Label("boundary-guestos/etc/systemd/system/setup-ic-gateway.service"): "/etc/systemd/system/setup-ic-gateway.service",
     Label("boundary-guestos/etc/systemd/system/setup-lvs.service"): "/etc/systemd/system/setup-lvs.service",
     Label("boundary-guestos/etc/systemd/system/setup-nftables.service"): "/etc/systemd/system/setup-nftables.service",
-    Label("boundary-guestos/etc/systemd/system/setup-ssh-account-keys.service"): "/etc/systemd/system/setup-ssh-account-keys.service",
-    Label("boundary-guestos/etc/systemd/system/setup-ssh-keys.service"): "/etc/systemd/system/setup-ssh-keys.service",
+    Label("boundary-guestos/etc/systemd/system/setup-ssh-user-keys.service"): "/etc/systemd/system/setup-ssh-user-keys.service",
+    Label("boundary-guestos/etc/systemd/system/generate-host-ssh-keys.service"): "/etc/systemd/system/generate-host-ssh-keys.service",
     Label("boundary-guestos/etc/systemd/system/setup-var-log.service"): "/etc/systemd/system/setup-var-log.service",
     Label("boundary-guestos/etc/systemd/system/setup-vector.service"): "/etc/systemd/system/setup-vector.service",
     Label("boundary-guestos/etc/systemd/system/setup-version-metric.service"): "/etc/systemd/system/setup-version-metric.service",
@@ -86,8 +86,8 @@ component_files = {
     Label("boundary-guestos/opt/ic/bin/setup-ic-gateway.sh"): "/opt/ic/bin/setup-ic-gateway.sh",
     Label("boundary-guestos/opt/ic/bin/setup-lvs.sh"): "/opt/ic/bin/setup-lvs.sh",
     Label("boundary-guestos/opt/ic/bin/setup-nftables.sh"): "/opt/ic/bin/setup-nftables.sh",
-    Label("boundary-guestos/opt/ic/bin/setup-ssh-account-keys.sh"): "/opt/ic/bin/setup-ssh-account-keys.sh",
-    Label("boundary-guestos/opt/ic/bin/setup-ssh-keys.sh"): "/opt/ic/bin/setup-ssh-keys.sh",
+    Label("boundary-guestos/opt/ic/bin/setup-ssh-user-keys.sh"): "/opt/ic/bin/setup-ssh-user-keys.sh",
+    Label("boundary-guestos/opt/ic/bin/generate-host-ssh-keys.sh"): "/opt/ic/bin/generate-host-ssh-keys.sh",
     Label("boundary-guestos/opt/ic/bin/setup-var-encryption.sh"): "/opt/ic/bin/setup-var-encryption.sh",
     Label("boundary-guestos/opt/ic/bin/setup-var-log.sh"): "/opt/ic/bin/setup-var-log.sh",
     Label("boundary-guestos/opt/ic/bin/setup-vector.sh"): "/opt/ic/bin/setup-vector.sh",

@@ -2,11 +2,11 @@
 Description=Bootstrap the IC node
 Requires=var-log.mount
 After=var-log.mount
-Before=setup-ssh-account-keys.service
+Before=setup-ssh-user-keys.service
 
 [Install]
 WantedBy=multi-user.target
-RequiredBy=setup-ssh-account-keys.service
+RequiredBy=setup-ssh-user-keys.service
 
 [Service]
 Type=oneshot

@@ -8,7 +8,7 @@ Before=ssh.service
 [Service]
 Type=oneshot
 RemainAfterExit=true
-ExecStart=/opt/ic/bin/setup-ssh-keys.sh
+ExecStart=/opt/ic/bin/generate-host-ssh-keys.sh
 
 [Install]
 WantedBy=multi-user.target
@@ -1,5 +1,5 @@
 [Unit]
-Description=Set up ssh account keys
+Description=Set up ssh user keys
 Before=ssh.service
 # bootstrap-ic-node.service (if it exists) lists this service as a reverse dependency
 
@@ -9,7 +9,7 @@ WantedBy=multi-user.target
 [Service]
 Type=oneshot
 RemainAfterExit=true
-ExecStart=/opt/ic/bin/setup-ssh-account-keys.sh
+ExecStart=/opt/ic/bin/setup-ssh-user-keys.sh
 
 # All services that networking depends on log their outputs to the console 
 # and are piped to the host terminal if the verbose flag is enabled.

@@ -140,10 +140,10 @@ component_files = {
 
     # ssh
     Label("ssh/provision-ssh-keys.sh"): "/opt/ic/bin/provision-ssh-keys.sh",
-    Label("ssh/setup-ssh-keys/setup-ssh-keys.sh"): "/opt/ic/bin/setup-ssh-keys.sh",
-    Label("ssh/setup-ssh-keys/setup-ssh-keys.service"): "/etc/systemd/system/setup-ssh-keys.service",
-    Label("ssh/setup-ssh-account-keys/setup-ssh-account-keys.sh"): "/opt/ic/bin/setup-ssh-account-keys.sh",
-    Label("ssh/setup-ssh-account-keys/setup-ssh-account-keys.service"): "/etc/systemd/system/setup-ssh-account-keys.service",
+    Label("ssh/generate-host-ssh-keys/generate-host-ssh-keys.sh"): "/opt/ic/bin/generate-host-ssh-keys.sh",
+    Label("ssh/generate-host-ssh-keys/generate-host-ssh-keys.service"): "/etc/systemd/system/generate-host-ssh-keys.service",
+    Label("ssh/setup-ssh-user-keys/setup-ssh-user-keys.sh"): "/opt/ic/bin/setup-ssh-user-keys.sh",
+    Label("ssh/setup-ssh-user-keys/setup-ssh-user-keys.service"): "/etc/systemd/system/setup-ssh-user-keys.service",
     Label("ssh/read-ssh-keys.sh"): "/opt/ic/bin/read-ssh-keys.sh",
 
     # upgrade

@@ -85,12 +85,12 @@ component_files = {
     Label("networking/hosts"): "/etc/hosts",
 
     # ssh
-    Label("ssh/setup-ssh-keys/setup-ssh-keys.sh"): "/opt/ic/bin/setup-ssh-keys.sh",
-    Label("ssh/setup-ssh-keys/setup-ssh-keys.service"): "/etc/systemd/system/setup-ssh-keys.service",
-    Label("ssh/setup-ssh-account-keys/setup-ssh-account-keys.sh"): "/opt/ic/bin/setup-ssh-account-keys.sh",
-    Label("ssh/setup-ssh-account-keys/setup-ssh-account-keys.service"): "/etc/systemd/system/setup-ssh-account-keys.service",
-    Label("ssh/deploy-updated-ssh-account-keys/deploy-updated-ssh-account-keys.sh"): "/opt/ic/bin/deploy-updated-ssh-account-keys.sh",
-    Label("ssh/deploy-updated-ssh-account-keys/deploy-updated-ssh-account-keys.service"): "/etc/systemd/system/deploy-updated-ssh-account-keys.service",
+    Label("ssh/generate-host-ssh-keys/generate-host-ssh-keys.sh"): "/opt/ic/bin/generate-host-ssh-keys.sh",
+    Label("ssh/generate-host-ssh-keys/generate-host-ssh-keys.service"): "/etc/systemd/system/generate-host-ssh-keys.service",
+    Label("ssh/setup-ssh-user-keys/setup-ssh-user-keys.sh"): "/opt/ic/bin/setup-ssh-user-keys.sh",
+    Label("ssh/setup-ssh-user-keys/setup-ssh-user-keys.service"): "/etc/systemd/system/setup-ssh-user-keys.service",
+    Label("ssh/deploy-updated-ssh-user-keys/deploy-updated-ssh-user-keys.sh"): "/opt/ic/bin/deploy-updated-ssh-user-keys.sh",
+    Label("ssh/deploy-updated-ssh-user-keys/deploy-updated-ssh-user-keys.service"): "/etc/systemd/system/deploy-updated-ssh-user-keys.service",
 
     # upgrade
     Label("upgrade/manageboot/manageboot.sh"): "/opt/ic/bin/manageboot.sh",

@@ -6,7 +6,7 @@ serve as a guide on how to add further actions.
 
 == ssh key generation
 
-The +ssh/setup-ssh-keys+ (and corresponding shell script) service performs one of
+The +ssh/generate-host-ssh-keys+ (and corresponding shell script) service performs one of
 two things: If this is the first boot ever (on a newly installed system), it
 generates ssh keys and stashes them away in a location that is preserved across
 upgrades. On first boot after an upgrade, it integrates the keys from their

@@ -7,11 +7,11 @@ Requires=var-lib-ic-crypto.mount
 After=var-lib-ic-crypto.mount
 Requires=var-lib-ic-backup.mount
 After=var-lib-ic-backup.mount
-Before=setup-ssh-account-keys.service
+Before=setup-ssh-user-keys.service
 
 [Install]
 WantedBy=multi-user.target
-RequiredBy=setup-ssh-account-keys.service
+RequiredBy=setup-ssh-user-keys.service
 
 [Service]
 Type=oneshot

@@ -0,0 +1,12 @@
+[Unit]
+Description=Update ssh user keys
+Before=setup-ssh-user-keys.service
+
+[Service]
+Type=oneshot
+RemainAfterExit=true
+ExecStart=/opt/ic/bin/deploy-updated-ssh-user-keys.sh
+
+[Install]
+RequiredBy=setup-ssh-user-keys.service
+WantedBy=multi-user.target
@@ -8,7 +8,7 @@ Before=ssh.service
 [Service]
 Type=oneshot
 RemainAfterExit=true
-ExecStart=/opt/ic/bin/setup-ssh-keys.sh
+ExecStart=/opt/ic/bin/generate-host-ssh-keys.sh
 
 [Install]
 WantedBy=multi-user.target
@@ -1,5 +1,5 @@
 [Unit]
-Description=Set up ssh account keys
+Description=Set up ssh user keys
 Before=ssh.service
 # bootstrap-ic-node.service (if it exists) lists this service as a reverse dependency
 
@@ -9,7 +9,7 @@ WantedBy=multi-user.target
 [Service]
 Type=oneshot
 RemainAfterExit=true
-ExecStart=/opt/ic/bin/setup-ssh-account-keys.sh
+ExecStart=/opt/ic/bin/setup-ssh-user-keys.sh
 
 # All services that networking depends on log their outputs to the console 
 # and are piped to the host terminal if the verbose flag is enabled.

@@ -30,7 +30,7 @@ service are started in the IC-OS boot sequence:
 
 - IC node config injection
 
-- Set up ssh account keys
+- Set up ssh user keys
 
 - Generate network configuration
 
@@ -111,7 +111,7 @@ system will set up its own +/var+ filesystem correctly again.
 
 == Set up ssh host keys
 
-Service: +setup-ssh-keys.service+, script: +/opt/ic/bin/setup-ssh-keys.sh+,
+Service: +generate-host-ssh-keys.service+, script: +/opt/ic/bin/generate-host-ssh-keys.sh+,
 depends on +/boot/config+ mount.
 
 This checks if ssh host keys for the system exist in the +config+ partition
@@ -170,18 +170,18 @@ USB stick" attached to the VM that contains a tar file with initial configuratio
 for parts of the system. Required files in the +config+ partition as well as 
 payload store are created.
 
-== Deploy updated ssh account keys
+== Deploy updated ssh user keys
 
-Service: +deploy-updated-ssh-account-keys.service+, +deploy-updated-ssh-account-keys.sh+.
-Depends on +bootstrap-ic-node.service+, runs before +setup-ssh-account-keys.service+.
+Service: +deploy-updated-ssh-user-keys.service+, +deploy-updated-ssh-user-keys.sh+.
+Depends on +bootstrap-ic-node.service+, runs before +setup-ssh-user-keys.service+.
 
 Changes the keys held in the +config+ partition for the +backup+ and +readonly+ user. This
 is a work-around due to not having a key management solution that updated keys are
 deployed via system upgrades.
 
-== Set up ssh account keys
+== Set up ssh user keys
 
-Service: +setup-ssh-account-keys.services+, script +/opt/ic/bin/setup-ssh-account-keys.sh+.
+Service: +setup-ssh-user-keys.services+, script +/opt/ic/bin/setup-ssh-user-keys.sh+.
 Depends on +bootstrap-ic-node.service+.
 
 The +authorized_keys+ files for the role accounts are taken from the