
How are lines removed from a standard (system) systemd unit file? Here are the details:

ls -la /etc/ssh/ssh_host_*key*

This shows I have unused and unwanted host key types. They are not configured in my sshd_config, but I prefer they not exist at all. If I remove them, they get auto-regenerated.

From what I see, /usr/lib/systemd/system/sshd.service includes:

Wants=sshdgenkeys.service

The contents of that are shown below with cat /usr/lib/systemd/system/sshdgenkeys.service:

[Unit]
Description=SSH Key Generation
ConditionPathExists=|!/etc/ssh/ssh_host_dsa_key
ConditionPathExists=|!/etc/ssh/ssh_host_dsa_key.pub
ConditionPathExists=|!/etc/ssh/ssh_host_ecdsa_key
ConditionPathExists=|!/etc/ssh/ssh_host_ecdsa_key.pub
ConditionPathExists=|!/etc/ssh/ssh_host_ed25519_key
ConditionPathExists=|!/etc/ssh/ssh_host_ed25519_key.pub
ConditionPathExists=|!/etc/ssh/ssh_host_rsa_key
ConditionPathExists=|!/etc/ssh/ssh_host_rsa_key.pub

[Service]
ExecStart=/usr/bin/ssh-keygen -A
Type=oneshot
RemainAfterExit=yes

I know I can override or create a unit file setting using systemctl edit, but how are lines like ConditionPathExists=|!/etc/ssh/ssh_host_dsa_key removed?

What I want to end up with is similar to this:

[Unit]
Description=SSH Key Generation
ConditionPathExists=|!/etc/ssh/ssh_host_ed25519_key
ConditionPathExists=|!/etc/ssh/ssh_host_ed25519_key.pub
ConditionPathExists=|!/etc/ssh/ssh_host_rsa_key
ConditionPathExists=|!/etc/ssh/ssh_host_rsa_key.pub

[Service]
# One ssh-keygen call per key type; "-" lets the second run even if the first
# exits non-zero because that key already exists.
ExecStart=-/usr/bin/ssh-keygen -q -N "" -t rsa -f /etc/ssh/ssh_host_rsa_key
ExecStart=-/usr/bin/ssh-keygen -q -N "" -t ed25519 -a 32 -f /etc/ssh/ssh_host_ed25519_key
Type=oneshot
RemainAfterExit=yes

I'm not sure that command is correct for ssh-keygen, but that's the general idea. I only want to generate two host key types, not all.

  • Can you not just replace the .service file with a symlink to /etc/systemd/system/keygen.service and put the contents of your preferred .service in there? Commented Mar 13, 2020 at 19:43
  • Will that not get removed on a systemd update? Usually, that's what happens, and that's why the recommended approach is to use systemctl edit. Am I right? Commented Mar 13, 2020 at 19:45
  • I'm not sure of the exact configuration (I might be missing something) but we use the system above on some embedded linux devices that use systemd and it works perfectly fine. Commented Mar 13, 2020 at 19:46
  • In my experience it works until an update of that unit file comes along, and then your custom setting is reverted. Sure, you can check for it on each update, but that's not ideal. Commented Mar 13, 2020 at 19:48
  • beware—from the manpage: “Note that for drop-in files, if one wants to remove entries from a setting that is parsed as a list (and is not a dependency), such as AssertPathExists= (or e.g. ExecStart= in service units), one needs to first clear the list before re-adding all entries except the one that is to be removed. Dependencies (After=, etc.) cannot be reset to an empty list, so dependencies can only be added in drop-ins[, not removed]. If you want to remove dependencies, you have to override the entire unit.” (emphasis added) Commented Mar 18, 2022 at 7:42

1 Answer


In systemd units, lists can typically be reset in overrides by assigning an empty value. This works for conditions too:

If any of these options is assigned the empty string, the list of conditions is reset completely, all previous condition settings (of any kind) will have no effect.

In your override, use this:

ConditionPathExists=
ConditionPathExists=|!/etc/ssh/ssh_host_ed25519_key
ConditionPathExists=|!/etc/ssh/ssh_host_ed25519_key.pub
ConditionPathExists=|!/etc/ssh/ssh_host_rsa_key
ConditionPathExists=|!/etc/ssh/ssh_host_rsa_key.pub
  • I appreciate this answer. Exactly what I needed to know. That's buried so deep in the docs that I probably never would have found it. :-) Commented Mar 15, 2020 at 21:17
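To see what the empty assignment actually does before touching a live system, here is an added example (not from the question, the answer, or systemd itself): a small Python model of how systemd merges a base unit with a drop-in, following the documented rule that an empty Condition*= assignment clears every condition collected so far while a non-empty one appends. The unit texts are constructed from the files quoted on this page; the set of list-type keys is a hand-picked subset and is an assumption of the model, not systemd's full table.

```python
# Added example (not from the question, the answer, or systemd itself):
# a minimal model of how systemd merges a base unit with a drop-in, so the
# effect of the empty "ConditionPathExists=" line can be checked offline.
# Unit texts below are constructed from the files quoted on this page.

BASE_UNIT = """\
[Unit]
Description=SSH Key Generation
ConditionPathExists=|!/etc/ssh/ssh_host_dsa_key
ConditionPathExists=|!/etc/ssh/ssh_host_dsa_key.pub
ConditionPathExists=|!/etc/ssh/ssh_host_ecdsa_key
ConditionPathExists=|!/etc/ssh/ssh_host_ecdsa_key.pub
ConditionPathExists=|!/etc/ssh/ssh_host_ed25519_key
ConditionPathExists=|!/etc/ssh/ssh_host_ed25519_key.pub
ConditionPathExists=|!/etc/ssh/ssh_host_rsa_key
ConditionPathExists=|!/etc/ssh/ssh_host_rsa_key.pub

[Service]
ExecStart=/usr/bin/ssh-keygen -A
Type=oneshot
RemainAfterExit=yes
"""

WANTED = [
    "|!/etc/ssh/ssh_host_ed25519_key",
    "|!/etc/ssh/ssh_host_ed25519_key.pub",
    "|!/etc/ssh/ssh_host_rsa_key",
    "|!/etc/ssh/ssh_host_rsa_key.pub",
]

# The drop-in from the answer: the empty assignment clears the inherited list.
OVERRIDE_WITH_RESET = "[Unit]\nConditionPathExists=\n" + "".join(
    f"ConditionPathExists={v}\n" for v in WANTED)

# The same drop-in without the reset line, for comparison.
OVERRIDE_WITHOUT_RESET = "[Unit]\n" + "".join(
    f"ConditionPathExists={v}\n" for v in WANTED)

# Settings systemd parses as lists (an assumed subset; dependencies such as
# Wants= are left out on purpose because they cannot be reset from a drop-in).
LIST_KEYS = {"ExecStart", "ExecStartPre", "ExecStartPost", "ExecStop", "Environment"}


def is_condition(key):
    """Condition*= and Assert*= share one list: resetting any clears all."""
    return key.startswith(("Condition", "Assert"))


def parse_unit(text):
    """Yield (section, key, value) for each assignment in unit-file syntax."""
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        key, _, value = line.partition("=")
        yield section, key.strip(), value.strip()


def merge(*fragments):
    """Apply fragments in order: the base unit first, then each drop-in."""
    config = {}
    for text in fragments:
        for section, key, value in parse_unit(text):
            sect = config.setdefault(section, {})
            if is_condition(key) or key in LIST_KEYS:
                if value == "":
                    # Empty assignment resets: all Condition*/Assert* keys at
                    # once, or just this key for other list settings.
                    doomed = [k for k in sect if is_condition(k)] if is_condition(key) else [key]
                    for k in doomed:
                        sect.pop(k, None)
                else:
                    sect.setdefault(key, []).append(value)
            else:
                sect[key] = value  # scalar setting: last assignment wins
    return config


def effective_conditions(*fragments):
    """Return the ConditionPathExists= list that would apply after merging."""
    return merge(*fragments).get("Unit", {}).get("ConditionPathExists", [])


if __name__ == "__main__":
    print("with reset:   ", effective_conditions(BASE_UNIT, OVERRIDE_WITH_RESET))
    print("without reset:", len(effective_conditions(BASE_UNIT, OVERRIDE_WITHOUT_RESET)), "entries")
```

Running it shows the point of the answer: with the reset line the merged unit carries only the four ed25519/rsa conditions, whereas without it the drop-in just appends and all twelve entries remain, so the dsa and ecdsa keys would still be regenerated. On a real host the drop-in written by systemctl edit lands in /etc/systemd/system/sshdgenkeys.service.d/override.conf, survives package updates of the vendor unit, and the merged result can be inspected with systemctl cat sshdgenkeys.service after systemctl daemon-reload.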
