From mboxrd@z Thu Jan 1 00:00:00 1970
Return-path:
Received: from mail-eopbgr60056.outbound.protection.outlook.com ([40.107.6.56] helo=EUR04-DB3-obe.outbound.protection.outlook.com) by metis.ext.pengutronix.de with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from ) id 1k95EI-0000KZ-3Y for ptxdist@pengutronix.de; Fri, 21 Aug 2020 13:29:07 +0200
Received: from nbmx01.hytera.de (unknown [172.21.102.22]) by ibmx32.hytera.de (Postfix) with ESMTP id 767A811472 for ; Fri, 21 Aug 2020 13:28:50 +0200 (CEST)
From: Christian Hermann
Date: Fri, 21 Aug 2020 13:29:02 +0200
Message-Id: <20200821112902.17281-2-christian.hermann@hytera.de>
In-Reply-To: <20200821112902.17281-1-christian.hermann@hytera.de>
References: <20200821112902.17281-1-christian.hermann@hytera.de>
MIME-Version: 1.0
Subject: [ptxdist] [PATCH 1/1] openssh/rc-once: iterate over configured hostkeys
List-Id: PTXdist Development Mailing List
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
Reply-To: ptxdist@pengutronix.de
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: ptxdist-bounces@pengutronix.de
Sender: "ptxdist"
To: ptxdist@pengutronix.de

...instead of relying on a hardcoded list of keytypes.

Some cleanup was performed as well:
* merge key gathering functions
* absence of sshd_config was tested but properly propagated and therefore not properly handled.

Tested with sed implementations of busybox-1.31.1, toybox-0.8.3 and GNU.

Signed-off-by: Christian Hermann
---
 projectroot/etc/rc.once.d/openssh | 50 +++++++++++++------------------
 1 file changed, 20 insertions(+), 30 deletions(-)

diff --git a/projectroot/etc/rc.once.d/openssh b/projectroot/etc/rc.once.d/openssh
index fe8b00691..7535aa4ba 100644
--- a/projectroot/etc/rc.once.d/openssh
+++ b/projectroot/etc/rc.once.d/openssh
@@ -3,43 +3,33 @@ PATH=/sbin:/bin:/usr/sbin:/usr/bin get_hostkeys() { - [ -f /etc/ssh/sshd_config ] || return - sed -n 's/^HostKey[ \t][ \t]*\(.*\)/\1/p' /etc/ssh/sshd_config -} - -host_keys_required() { - hostkeys="$(get_hostkeys)" - if [ "$hostkeys" ]; then - echo "$hostkeys" - else - # No HostKey directives found, so we pick secure defaults - echo /etc/ssh/ssh_host_ed25519_key - fi + hostkeys="$(sed -E -n -e 's/^HostKey[[:space:]]+(.*)/\1/p' /etc/ssh/sshd_config)" || return + # pick secure defaults if no HostKey directives are found + : "${hostkeys:=/etc/ssh/ssh_host_ed25519_key}" + echo "$hostkeys" } create_key() { - keytype="$1" - shift - hostkeys="$1" - shift - - file="/etc/ssh/ssh_host_${keytype}_key" - - if echo "$hostkeys" | grep -x -F "$file" >/dev/null; then - echo "Create $keytype key; this may take some time ..." - rm -f $file && - ssh-keygen -q -f "$file" -N '' -t "$keytype" "$@" || return - echo "Created $keytype key." - fi + keyfile="$1" + keytype="$(echo "$keyfile" | sed -E -e 's/.*ssh_host_(.*)_key$/\1/')" + + keygen_args= + case "$keytype" in + rsa) keygen_args="-b 4096" ;; + esac + + echo "Create $keytype key; this may take some time ..." + rm -f "$keyfile" && + ssh-keygen -q -f "$keyfile" -N '' -t "$keytype" $keygen_args || return + echo "Created $keytype key." } create_keys() { - hostkeys="$(host_keys_required)" + hostkeys="$(get_hostkeys)" || return - create_key "dsa" "$hostkeys" && - create_key "ecdsa" "$hostkeys" && - create_key "ed25519" "$hostkeys" && - create_key "rsa" "$hostkeys" -b 4096 + for keyfile in $hostkeys; do + create_key "$keyfile" || return + done } if ! create_keys; then -- 2.28.0 _______________________________________________ ptxdist mailing list ptxdist@pengutronix.de To unsubscribe, send a mail with subject "unsubscribe" to ptxdist-request@pengutronix.de
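Review bot: in create_key, `keytype` is derived from the file name alone with `sed -E -e 's/.*ssh_host_(.*)_key$/\1/'` and is never validated, so a HostKey path that does not follow the `ssh_host_<type>_key` naming convention leaves `keytype` equal to the whole path and `ssh-keygen -t "$keytype"` fails with an unknown key type. The removed code only ever reached ssh-keygen for the four hard-coded types, so this is a new failure mode introduced by iterating over whatever sshd_config lists. Suggest making the `case` exhaustive so unsupported paths fail with a clear message instead of a cryptic ssh-keygen error, e.g. after the `rsa)` arm add `dsa|ecdsa|ed25519) ;;` and `*) echo "unsupported host key file $keyfile" >&2; return 1 ;;`; this also keeps the per-type `-b 4096` handling in one place. Minor: `for keyfile in $hostkeys` relies on word splitting, so a HostKey path containing whitespace would be split into several bogus files; acceptable for the sshd_config layouts this script targets, but worth a comment.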