* [ptxdist] [PATCH v2 0/8] rc-once: Improve re-generation of keys
From: Alexander Dahl @ 2021-10-18 14:35 UTC (permalink / raw)
To: ptxdist
Cc: Denis Osterland-Heim, Michael Olbrich, Bruno Thomsen, Alexander Stein
Hei hei,
when Michael proposed a small change to the approach I took for openssh
in the first version of this series (which had one patch for openssh
only), I thought that would be a good thing for dropbear also. Then I
looked at the dropbear package and things escalated quickly, a little.
It looks like a lot of patches, but they stack one on another and the changes per
patch are small and comprehensible, or so I hope. However, if review shows I
should squash some things, tell me.
Greets
Alex
Alexander Dahl (8):
dropbear: Adapt menu comment to available options
dropbear: Move targetinstall of rc-once script
dropbear: Move shell variables to new common shell lib
dropbear: Move KEYTYPES to shell lib and set based on menu
dropbear: Refactor rc-once and init to use KEYTYPES
dropbear: Support ecdsa keys in rc-once and init
dropbear: rc-once: Regenerate key if invalid key is found
openssh: rc-once: Do not overwrite existing keys
projectroot/etc/init.d/dropbear | 31 ++++++++++++++---------
projectroot/etc/rc.once.d/dropbear | 38 ++++++++++++++++++++--------
projectroot/etc/rc.once.d/openssh | 1 +
projectroot/usr/lib/init/dropbear.sh | 6 +++++
rules/dropbear.in | 2 +-
rules/dropbear.make | 20 +++++++++++----
6 files changed, 70 insertions(+), 28 deletions(-)
create mode 100644 projectroot/usr/lib/init/dropbear.sh
base-commit: 51994d1b518323d2975491090a2452d34b1a39f9
--
2.30.2
_______________________________________________
ptxdist mailing list
ptxdist@pengutronix.de
To unsubscribe, send a mail with subject "unsubscribe" to ptxdist-request@pengutronix.de
* [ptxdist] [PATCH v2 1/8] dropbear: Adapt menu comment to available options
From: Alexander Dahl @ 2021-10-18 14:35 UTC (permalink / raw)
To: ptxdist
Cc: Denis Osterland-Heim, Michael Olbrich, Bruno Thomsen, Alexander Stein
The DSS option was removed already.
Fixes: 01ac7cc409b5 ("dropbear: Remove deprecated options")
Signed-off-by: Alexander Dahl <ada@thorsis.com>
---
rules/dropbear.in | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/dropbear.in b/rules/dropbear.in
index 507ee8e7f..1b32fffb9 100644
--- a/rules/dropbear.in
+++ b/rules/dropbear.in
@@ -260,7 +260,7 @@ config DROPBEAR_SHA512
SHA-1. SHA-2 consists of a set of four hash functions with digests
that are 224, 256, 384 or 512 bits.
-comment "Hostkey/public key algorithms, at least one required --- RSA is recommended, DSS is not recommended for new keys"
+comment "Hostkey/public key algorithms, at least one required ---"
config DROPBEAR_RSA
bool
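Review bot: the comment string on the `+` line now ends in a dangling `---` because the advice that used to follow the dashes was removed together with the DSS part. Either drop the dashes, `comment "Hostkey/public key algorithms, at least one required"`, or keep a recommendation after them that matches the options still in the menu.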
--
2.30.2
* [ptxdist] [PATCH v2 2/8] dropbear: Move targetinstall of rc-once script
From: Alexander Dahl @ 2021-10-18 14:35 UTC (permalink / raw)
To: ptxdist
Cc: Denis Osterland-Heim, Michael Olbrich, Bruno Thomsen, Alexander Stein
Key generation is still needed if someone decides not to install the
init script or uses a different init system.
Fixes: 0e0f5d31e0e0 ("[dropbear] use rc-once to create server keys")
Signed-off-by: Alexander Dahl <ada@thorsis.com>
---
rules/dropbear.make | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/rules/dropbear.make b/rules/dropbear.make
index 536c9176a..901f50563 100644
--- a/rules/dropbear.make
+++ b/rules/dropbear.make
@@ -278,6 +278,10 @@ endif
ifdef PTXCONF_DROPBEAR_DROPBEAR_KEY
@$(call install_copy, dropbear, 0, 0, 0755, -, \
/usr/bin/dropbearkey)
+
+ @$(call install_alternative, dropbear, 0, 0, 0755, /etc/rc.once.d/dropbear, n)
+ @$(call install_replace, dropbear, /etc/rc.once.d/dropbear, \
+ @KEYDIR@, $(PTXCONF_DROPBEAR_KEY_DIR))
endif
ifdef PTXCONF_DROPBEAR_DROPBEAR_CONVERT
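Review bot: gating /etc/rc.once.d/dropbear on PTXCONF_DROPBEAR_DROPBEAR_KEY is the right dependency, since the script runs dropbearkey, but the `+` lines install it whenever dropbearkey is selected, even when no rc-once mechanism is part of the image. If the rc-once facility has its own option, consider adding it as a second condition; otherwise a sentence in the commit message that an unused /etc/rc.once.d/dropbear is harmless would help.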
@@ -300,9 +304,6 @@ ifdef PTXCONF_DROPBEAR_STARTSCRIPT
@$(call install_alternative, dropbear, 0, 0, 0755, /etc/init.d/dropbear, n)
@$(call install_replace, dropbear, /etc/init.d/dropbear, \
@KEYDIR@, $(PTXCONF_DROPBEAR_KEY_DIR))
- @$(call install_alternative, dropbear, 0, 0, 0755, /etc/rc.once.d/dropbear, n)
- @$(call install_replace, dropbear, /etc/rc.once.d/dropbear, \
- @KEYDIR@, $(PTXCONF_DROPBEAR_KEY_DIR))
ifneq ($(call remove_quotes,$(PTXCONF_DROPBEAR_BBINIT_LINK)),)
@$(call install_link, dropbear, \
--
2.30.2
* [ptxdist] [PATCH v2 3/8] dropbear: Move shell variables to new common shell lib
From: Alexander Dahl @ 2021-10-18 14:35 UTC (permalink / raw)
To: ptxdist
Cc: Denis Osterland-Heim, Michael Olbrich, Bruno Thomsen, Alexander Stein
The init script and the rc-once script use some common variables, and the
targetinstall replace happens twice for each, so to make things less
complex, put those common variables in a common place.
While at it, remove that DROPBEAR_xxxKEY_DEFAULT indirection, which
probably originates from the init script from Debian, which seems to have
been the base for developing this script at least 15 years ago.
The lib will be extended with more variables later.
Signed-off-by: Alexander Dahl <ada@thorsis.com>
---
projectroot/etc/init.d/dropbear | 9 ++-------
projectroot/etc/rc.once.d/dropbear | 8 +-------
projectroot/usr/lib/init/dropbear.sh | 4 ++++
rules/dropbear.make | 8 ++++----
4 files changed, 11 insertions(+), 18 deletions(-)
create mode 100644 projectroot/usr/lib/init/dropbear.sh
diff --git a/projectroot/etc/init.d/dropbear b/projectroot/etc/init.d/dropbear
index 1edda1116..a308aefde 100644
--- a/projectroot/etc/init.d/dropbear
+++ b/projectroot/etc/init.d/dropbear
@@ -7,17 +7,12 @@ NAME=dropbear
DROPBEAR_PORT=22
DROPBEAR_EXTRA_ARGS=
-# test ! -h /var/service/dropbear || exit 0
+. /usr/lib/init/dropbear.sh
-DROPBEAR_RSAKEY_DEFAULT="@KEYDIR@/dropbear_rsa_host_key"
-DROPBEAR_DSSKEY_DEFAULT="@KEYDIR@/dropbear_dss_host_key"
+# test ! -h /var/service/dropbear || exit 0
test -z "$DROPBEAR_BANNER" || \
DROPBEAR_EXTRA_ARGS="$DROPBEAR_EXTRA_ARGS -b $DROPBEAR_BANNER"
-test -n "$DROPBEAR_RSAKEY" || \
- DROPBEAR_RSAKEY=$DROPBEAR_RSAKEY_DEFAULT
-test -n "$DROPBEAR_DSSKEY" || \
- DROPBEAR_DSSKEY=$DROPBEAR_DSSKEY_DEFAULT
test -n "$DROPBEAR_KEYTYPES" || \
DROPBEAR_KEYTYPES="rsa dss"
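Review bot: besides removing the `_DEFAULT` indirection, the `-` lines also drop the `test -n "$DROPBEAR_RSAKEY" ||` and `test -n "$DROPBEAR_DSSKEY" ||` guards, so a key path exported in the environment before the init script runs is no longer honoured; the sourced lib assigns both variables unconditionally. That may well be intended, but it is a behaviour change and deserves a sentence in the commit message.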
diff --git a/projectroot/etc/rc.once.d/dropbear b/projectroot/etc/rc.once.d/dropbear
index a126b26db..dd922d727 100644
--- a/projectroot/etc/rc.once.d/dropbear
+++ b/projectroot/etc/rc.once.d/dropbear
@@ -2,13 +2,7 @@
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
-DROPBEAR_RSAKEY_DEFAULT="@KEYDIR@/dropbear_rsa_host_key"
-DROPBEAR_DSSKEY_DEFAULT="@KEYDIR@/dropbear_dss_host_key"
-
-test -n "$DROPBEAR_RSAKEY" || \
- DROPBEAR_RSAKEY=$DROPBEAR_RSAKEY_DEFAULT
-test -n "$DROPBEAR_DSSKEY" || \
- DROPBEAR_DSSKEY=$DROPBEAR_DSSKEY_DEFAULT
+. /usr/lib/init/dropbear.sh
gen_key() {
diff --git a/projectroot/usr/lib/init/dropbear.sh b/projectroot/usr/lib/init/dropbear.sh
new file mode 100644
index 000000000..2e3d60f49
--- /dev/null
+++ b/projectroot/usr/lib/init/dropbear.sh
@@ -0,0 +1,4 @@
+#!/bin/sh
+
+DROPBEAR_RSAKEY='@KEYDIR@/dropbear_rsa_host_key'
+DROPBEAR_DSSKEY='@KEYDIR@/dropbear_dss_host_key'
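Review bot: the new lib is installed with mode 0644 and is only ever sourced, so the `#!/bin/sh` shebang on the first `+` line is misleading. Replace it with a comment stating that the file is sourced by /etc/init.d/dropbear and /etc/rc.once.d/dropbear and that `@KEYDIR@` is substituted at targetinstall time, so that nobody tries to execute it or edits the placeholder on the target.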
diff --git a/rules/dropbear.make b/rules/dropbear.make
index 901f50563..ce0214d88 100644
--- a/rules/dropbear.make
+++ b/rules/dropbear.make
@@ -270,6 +270,10 @@ $(STATEDIR)/dropbear.targetinstall:
@$(call install_fixup, dropbear,AUTHOR,"Robert Schwebel <r.schwebel@pengutronix.de>")
@$(call install_fixup, dropbear,DESCRIPTION,missing)
+ @$(call install_alternative, dropbear, 0, 0, 0644, /usr/lib/init/dropbear.sh)
+ @$(call install_replace, dropbear, /usr/lib/init/dropbear.sh, \
+ @KEYDIR@, $(PTXCONF_DROPBEAR_KEY_DIR))
+
ifdef PTXCONF_DROPBEAR_DROPBEAR
@$(call install_copy, dropbear, 0, 0, 0755, -, \
/usr/sbin/dropbear)
@@ -280,8 +284,6 @@ ifdef PTXCONF_DROPBEAR_DROPBEAR_KEY
/usr/bin/dropbearkey)
@$(call install_alternative, dropbear, 0, 0, 0755, /etc/rc.once.d/dropbear, n)
- @$(call install_replace, dropbear, /etc/rc.once.d/dropbear, \
- @KEYDIR@, $(PTXCONF_DROPBEAR_KEY_DIR))
endif
ifdef PTXCONF_DROPBEAR_DROPBEAR_CONVERT
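Review bot: dropping `install_replace` for /etc/rc.once.d/dropbear here (and for /etc/init.d/dropbear in the next hunk) changes what `install_alternative` delivers for BSPs that carry their own copy of these scripts: a BSP-local script that still contains `@KEYDIR@` will now ship with the placeholder unreplaced. Worth calling out in the commit message so downstream projects know to source /usr/lib/init/dropbear.sh instead of relying on the replacement.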
@@ -302,8 +304,6 @@ endif
ifdef PTXCONF_DROPBEAR_STARTSCRIPT
@$(call install_alternative, dropbear, 0, 0, 0755, /etc/init.d/dropbear, n)
- @$(call install_replace, dropbear, /etc/init.d/dropbear, \
- @KEYDIR@, $(PTXCONF_DROPBEAR_KEY_DIR))
ifneq ($(call remove_quotes,$(PTXCONF_DROPBEAR_BBINIT_LINK)),)
@$(call install_link, dropbear, \
--
2.30.2
* [ptxdist] [PATCH v2 4/8] dropbear: Move KEYTYPES to shell lib and set based on menu
From: Alexander Dahl @ 2021-10-18 14:35 UTC (permalink / raw)
To: ptxdist
Cc: Denis Osterland-Heim, Michael Olbrich, Bruno Thomsen, Alexander Stein
The variable is currently not used, but it will be useful later for key
generation and daemon startup based on actually selected host key types.
Signed-off-by: Alexander Dahl <ada@thorsis.com>
---
projectroot/etc/init.d/dropbear | 2 --
projectroot/usr/lib/init/dropbear.sh | 1 +
rules/dropbear.make | 9 +++++++++
3 files changed, 10 insertions(+), 2 deletions(-)
diff --git a/projectroot/etc/init.d/dropbear b/projectroot/etc/init.d/dropbear
index a308aefde..342565f93 100644
--- a/projectroot/etc/init.d/dropbear
+++ b/projectroot/etc/init.d/dropbear
@@ -13,8 +13,6 @@ DROPBEAR_EXTRA_ARGS=
test -z "$DROPBEAR_BANNER" || \
DROPBEAR_EXTRA_ARGS="$DROPBEAR_EXTRA_ARGS -b $DROPBEAR_BANNER"
-test -n "$DROPBEAR_KEYTYPES" || \
- DROPBEAR_KEYTYPES="rsa dss"
dropbear_start() {
diff --git a/projectroot/usr/lib/init/dropbear.sh b/projectroot/usr/lib/init/dropbear.sh
index 2e3d60f49..e8aa58576 100644
--- a/projectroot/usr/lib/init/dropbear.sh
+++ b/projectroot/usr/lib/init/dropbear.sh
@@ -2,3 +2,4 @@
DROPBEAR_RSAKEY='@KEYDIR@/dropbear_rsa_host_key'
DROPBEAR_DSSKEY='@KEYDIR@/dropbear_dss_host_key'
+DROPBEAR_KEYTYPES='@KEYTYPES@'
diff --git a/rules/dropbear.make b/rules/dropbear.make
index ce0214d88..bbf99eb14 100644
--- a/rules/dropbear.make
+++ b/rules/dropbear.make
@@ -261,6 +261,13 @@ DROPBEAR_INSTALL_OPT := install inst_scp
# Target-Install
# ----------------------------------------------------------------------------
+ifdef PTXCONF_DROPBEAR_RSA
+DROPBEAR_KEY_TYPES += rsa
+endif
+ifdef PTXCONF_DROPBEAR_ECDSA
+DROPBEAR_KEY_TYPES += ecdsa
+endif
+
$(STATEDIR)/dropbear.targetinstall:
@$(call targetinfo)
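Review bot: `DROPBEAR_KEY_TYPES += rsa` appends to whatever the variable already holds, including a same-named variable inherited from the environment, so initialise it explicitly (`DROPBEAR_KEY_TYPES :=`) above the two `ifdef`s. The make variable is also spelled `KEY_TYPES` while the shell side uses `DROPBEAR_KEYTYPES`; aligning the two names would make the substitution easier to follow.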
@@ -273,6 +280,8 @@ $(STATEDIR)/dropbear.targetinstall:
@$(call install_alternative, dropbear, 0, 0, 0644, /usr/lib/init/dropbear.sh)
@$(call install_replace, dropbear, /usr/lib/init/dropbear.sh, \
@KEYDIR@, $(PTXCONF_DROPBEAR_KEY_DIR))
+ @$(call install_replace, dropbear, /usr/lib/init/dropbear.sh, \
+ @KEYTYPES@, '$(DROPBEAR_KEY_TYPES)')
ifdef PTXCONF_DROPBEAR_DROPBEAR
@$(call install_copy, dropbear, 0, 0, 0755, -, \
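Review bot: the replacement value `'$(DROPBEAR_KEY_TYPES)'` is single-quoted while the placeholder in the lib already sits inside single quotes (`DROPBEAR_KEYTYPES='@KEYTYPES@'`); please confirm the installed file reads `DROPBEAR_KEYTYPES='rsa ecdsa'` and not a doubly quoted value. Also, with neither RSA nor ECDSA selected the list is empty and the scripts will silently generate and pass no key; the menu comment says at least one is required, but a short comment here stating that assumption would help.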
--
2.30.2
* [ptxdist] [PATCH v2 5/8] dropbear: Refactor rc-once and init to use KEYTYPES
From: Alexander Dahl @ 2021-10-18 14:35 UTC (permalink / raw)
To: ptxdist
Cc: Denis Osterland-Heim, Michael Olbrich, Bruno Thomsen, Alexander Stein
Previously DSS and RSA keys were always generated, regardless of whether
dropbear was built with support for that host key or not, which somewhat
contradicts what the commit message of 01ac7cc409b5 ("dropbear: Remove
deprecated options") promised.
Nothing else changed here; just considering the KEYTYPES list for
'rsa' and 'dss' for now.
Signed-off-by: Alexander Dahl <ada@thorsis.com>
---
projectroot/etc/init.d/dropbear | 17 ++++++++++++++---
projectroot/etc/rc.once.d/dropbear | 26 +++++++++++++++++++++++---
2 files changed, 37 insertions(+), 6 deletions(-)
diff --git a/projectroot/etc/init.d/dropbear b/projectroot/etc/init.d/dropbear
index 342565f93..88ef5aa71 100644
--- a/projectroot/etc/init.d/dropbear
+++ b/projectroot/etc/init.d/dropbear
@@ -15,10 +15,21 @@ test -z "$DROPBEAR_BANNER" || \
DROPBEAR_EXTRA_ARGS="$DROPBEAR_EXTRA_ARGS -b $DROPBEAR_BANNER"
dropbear_start() {
-
KEY_ARGS=""
- test -f $DROPBEAR_DSSKEY && KEY_ARGS="$KEY_ARGS -d $DROPBEAR_DSSKEY"
- test -f $DROPBEAR_RSAKEY && KEY_ARGS="$KEY_ARGS -r $DROPBEAR_RSAKEY"
+ for keytype in $DROPBEAR_KEYTYPES
+ do
+ case "$keytype" in
+ dss)
+ test -f $DROPBEAR_DSSKEY && KEY_ARGS="$KEY_ARGS -d $DROPBEAR_DSSKEY"
+ ;;
+ rsa)
+ test -f $DROPBEAR_RSAKEY && KEY_ARGS="$KEY_ARGS -r $DROPBEAR_RSAKEY"
+ ;;
+ *)
+ echo "Key type '$keytype' not supported"
+ ;;
+ esac
+ done
echo -n "starting dropbear..."
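Review bot: after the loop `KEY_ARGS` can still be empty (no key file present, or only unsupported types listed), and the `*)` branch only echoes, so dropbear is started without any host key argument. Consider `test -n "$KEY_ARGS" || { echo "no host key found"; return 1; }` before the "starting dropbear..." line. The `test -f $DROPBEAR_DSSKEY` and `test -f $DROPBEAR_RSAKEY` operands are also unquoted, unlike the quoting used elsewhere in this series.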
diff --git a/projectroot/etc/rc.once.d/dropbear b/projectroot/etc/rc.once.d/dropbear
index dd922d727..a9a1d475c 100644
--- a/projectroot/etc/rc.once.d/dropbear
+++ b/projectroot/etc/rc.once.d/dropbear
@@ -5,10 +5,11 @@ PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
. /usr/lib/init/dropbear.sh
gen_key() {
-
key_type=$1
key_file=$2
+ [ -e "$key_file" ] && return
+
rm -f $key_file > /dev/null 2>&1
echo -n "generating $key_type key..."
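Review bot: with `[ -e "$key_file" ] && return` added above it, the `rm -f $key_file` context line is now dead code, since the file cannot exist at that point. Either drop it in this patch or keep it with a comment that a later patch turns the existence check into a validity check, where the removal becomes meaningful again; in that case quote `"$key_file"` there as well, as the new line does.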
@@ -22,6 +23,25 @@ gen_key() {
fi
}
-[ -e "$DROPBEAR_RSAKEY" ] || gen_key rsa "$DROPBEAR_RSAKEY"
-[ -e "$DROPBEAR_DSSKEY" ] || gen_key dss "$DROPBEAR_DSSKEY"
+gen_keys() {
+ for keytype in $DROPBEAR_KEYTYPES
+ do
+ case "$keytype" in
+ dss)
+ gen_key dss "$DROPBEAR_DSSKEY"
+ ;;
+ rsa)
+ gen_key rsa "$DROPBEAR_RSAKEY"
+ ;;
+ *)
+ echo "Key type '$keytype' not supported"
+ ;;
+ esac
+ done
+}
+if ! gen_keys
+then
+ echo "Generating SSH keys failed!"
+ exit 1
+fi
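Review bot: `gen_keys` returns the exit status of the last command executed in the loop, so `if ! gen_keys` only notices a failure of the last key type, and the `*)` branch always returns 0 because `echo` succeeds. Record the status per iteration, e.g. `gen_key rsa "$DROPBEAR_RSAKEY" || return 1` (and a `return 1` after the echo in `*)`), so that a failed dss or rsa key generation actually reaches the `exit 1`.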
--
2.30.2
* [ptxdist] [PATCH v2 6/8] dropbear: Support ecdsa keys in rc-once and init
From: Alexander Dahl @ 2021-10-18 14:35 UTC (permalink / raw)
To: ptxdist
Cc: Denis Osterland-Heim, Michael Olbrich, Bruno Thomsen, Alexander Stein
With 54afea33423c ("dropbear: Added Elliptic Curve Cryptography
options.") an option was added to build with ecdsa host key support, but
the scripts were not adapted back then.
Signed-off-by: Alexander Dahl <ada@thorsis.com>
---
projectroot/etc/init.d/dropbear | 3 +++
projectroot/etc/rc.once.d/dropbear | 3 +++
projectroot/usr/lib/init/dropbear.sh | 1 +
3 files changed, 7 insertions(+)
diff --git a/projectroot/etc/init.d/dropbear b/projectroot/etc/init.d/dropbear
index 88ef5aa71..f6c1fb06f 100644
--- a/projectroot/etc/init.d/dropbear
+++ b/projectroot/etc/init.d/dropbear
@@ -24,6 +24,9 @@ dropbear_start() {
;;
rsa)
test -f $DROPBEAR_RSAKEY && KEY_ARGS="$KEY_ARGS -r $DROPBEAR_RSAKEY"
+ ;;
+ ecdsa)
+ [ -f "$DROPBEAR_ECDSAKEY" ] && KEY_ARGS="$KEY_ARGS -r $DROPBEAR_ECDSAKEY"
;;
*)
echo "Key type '$keytype' not supported"
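Review bot: the new ecdsa line uses `[ -f "$DROPBEAR_ECDSAKEY" ]` with a quoted operand, while the rsa and dss lines right above keep `test -f $DROPBEAR_RSAKEY` unquoted; pick one form and quote all three. The moved `;;` and the new `ecdsa)` label should also be indented like the neighbouring cases.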
diff --git a/projectroot/etc/rc.once.d/dropbear b/projectroot/etc/rc.once.d/dropbear
index a9a1d475c..bfebccfc4 100644
--- a/projectroot/etc/rc.once.d/dropbear
+++ b/projectroot/etc/rc.once.d/dropbear
@@ -33,6 +33,9 @@ gen_keys() {
rsa)
gen_key rsa "$DROPBEAR_RSAKEY"
;;
+ ecdsa)
+ gen_key ecdsa "$DROPBEAR_ECDSAKEY"
+ ;;
*)
echo "Key type '$keytype' not supported"
;;
diff --git a/projectroot/usr/lib/init/dropbear.sh b/projectroot/usr/lib/init/dropbear.sh
index e8aa58576..9c9c9aef7 100644
--- a/projectroot/usr/lib/init/dropbear.sh
+++ b/projectroot/usr/lib/init/dropbear.sh
@@ -2,4 +2,5 @@
DROPBEAR_RSAKEY='@KEYDIR@/dropbear_rsa_host_key'
DROPBEAR_DSSKEY='@KEYDIR@/dropbear_dss_host_key'
+DROPBEAR_ECDSAKEY='@KEYDIR@/dropbear_ecdsa_host_key'
DROPBEAR_KEYTYPES='@KEYTYPES@'
--
2.30.2
* [ptxdist] [PATCH v2 7/8] dropbear: rc-once: Regenerate key if invalid key is found
From: Alexander Dahl @ 2021-10-18 14:35 UTC (permalink / raw)
To: ptxdist
Cc: Denis Osterland-Heim, Michael Olbrich, Bruno Thomsen, Alexander Stein
Previously just the existence of a key file was checked, which allowed
empty key files or invalid key files to persist. That would have
prevented dropbear server daemon startup.
Note: this does not always regenerate keys, only if rc-once is triggered
and run again for whatever reason.
Signed-off-by: Alexander Dahl <ada@thorsis.com>
---
projectroot/etc/rc.once.d/dropbear | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/projectroot/etc/rc.once.d/dropbear b/projectroot/etc/rc.once.d/dropbear
index bfebccfc4..f716bd6ac 100644
--- a/projectroot/etc/rc.once.d/dropbear
+++ b/projectroot/etc/rc.once.d/dropbear
@@ -8,7 +8,8 @@ gen_key() {
key_type=$1
key_file=$2
- [ -e "$key_file" ] && return
+ # do not overwrite valid key files
+ [ -s "$key_file" ] && dropbearkey -y -f "$key_file" > /dev/null 2>&1 && return
rm -f $key_file > /dev/null 2>&1
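Review bot: the outcome of `dropbearkey -y -f "$key_file"` now decides whether the device keeps or replaces its host identity, so when the check fails and the file is removed, log it, e.g. `echo "invalid $key_type key found, regenerating"` before the `rm`, so that a changed host key can later be explained from the boot log rather than looking like an attack. The `rm -f $key_file` context line is still unquoted while the new `+` line quotes `$key_file`.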
--
2.30.2
* [ptxdist] [PATCH v2 8/8] openssh: rc-once: Do not overwrite existing keys
From: Alexander Dahl @ 2021-10-18 14:35 UTC (permalink / raw)
To: ptxdist
Cc: Denis Osterland-Heim, Michael Olbrich, Bruno Thomsen, Alexander Stein
When storing your keys not in the rootfs but on a separate data partition
(using symbolic links or an overlay fs), keys are overwritten on each
firmware upgrade which lets rc-once run again (which happens when using
opkg upgrade/update or RAUC in an A/B scheme, for example).
Changing keys is at best annoying, but may be interpreted as an attack
as well.
Note: if an empty or invalid key is found, the key is still regenerated.
Signed-off-by: Alexander Dahl <ada@thorsis.com>
---
Notes:
v1 (RFC) --> v2
---------------
- Improve check and look at size and if it's a valid key (Michael Olbrich)
- Reword commit message (swap prefix, adapt reasoning)
projectroot/etc/rc.once.d/openssh | 1 +
1 file changed, 1 insertion(+)
diff --git a/projectroot/etc/rc.once.d/openssh b/projectroot/etc/rc.once.d/openssh
index 545586f07..717d6457e 100644
--- a/projectroot/etc/rc.once.d/openssh
+++ b/projectroot/etc/rc.once.d/openssh
@@ -27,6 +27,7 @@ create_keys() {
hostkeys="$(get_hostkeys)" || return
for keyfile in $hostkeys; do
+ [ -s "$keyfile" ] && ssh-keygen -l -f "${keyfile}.pub" > /dev/null && continue
create_key "$keyfile" || return
done
}
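Review bot: the validity check runs `ssh-keygen -l -f "${keyfile}.pub"`, i.e. on the public half, while the `-s` size check covers the private half; a valid `.pub` beside a truncated private key passes, and a valid private key whose `.pub` went missing is regenerated, which is exactly the host key change the commit message warns about. Validating the private key directly, `ssh-keygen -y -f "$keyfile" > /dev/null`, covers both cases. Also decide whether stderr should be silenced as in the dropbear variant or kept deliberately for the log, and say so in a comment.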
--
2.30.2
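As an added example (not code from this series or from ptxdist), here is the bootstrap policy that patches 7/8 and 8/8 converge on, written as one POSIX sh function pair: keep a non-empty key the validator accepts, regenerate an empty or unparseable one, and fail the whole run if any key fails rather than only the last one. The validator and generator are passed in as commands; the `demo_*` stand-ins and the `DEMO-HOST-KEY` marker are constructed so the script runs offline, and the dropbearkey invocations mentioned in the comments are assumptions about that tool's command line.

```shell
#!/bin/sh
# Added example, not part of the ptxdist patches: host-key bootstrap policy
# in the style of the rc-once scripts, with three properties:
#   1. a non-empty key that the validator accepts is never overwritten,
#   2. an empty or unparseable key file is removed and regenerated,
#   3. a failure for ANY key makes the whole run fail, not only the last one.
# Validator and generator are parameters so this runs without dropbearkey or
# ssh-keygen; on a target you would pass something like 'dropbearkey -y -f'
# and 'dropbearkey -t rsa -f' (assumed invocations, check your version).

# ensure_hostkey KEYFILE VALIDATOR GENERATOR
#   VALIDATOR is run as "$VALIDATOR KEYFILE" and must exit 0 for a usable key.
#   GENERATOR is run as "$GENERATOR KEYFILE" and must create KEYFILE.
ensure_hostkey() {
    kf=$1
    check=$2
    make_key=$3

    # -s rejects empty files, the validator rejects garbage; a plain -e test
    # (the pre-series behaviour) would have kept both.
    if [ -s "$kf" ] && $check "$kf" >/dev/null 2>&1; then
        return 0
    fi

    # Whatever is there is unusable: say so (this explains a changed host
    # key in the boot log later), then start from a clean slate.
    [ -e "$kf" ] && echo "invalid key file $kf found, regenerating"
    rm -f "$kf"
    $make_key "$kf" >/dev/null 2>&1 || return 1

    # The freshly written key must pass the same check as a pre-existing one.
    [ -s "$kf" ] && $check "$kf" >/dev/null 2>&1
}

# ensure_hostkeys VALIDATOR GENERATOR KEYFILE...
# Accumulates the status over all keys instead of returning the last
# iteration's result, so one failed key is not masked by a later success.
ensure_hostkeys() {
    check=$1
    make_key=$2
    shift 2
    status=0
    for kf in "$@"; do
        ensure_hostkey "$kf" "$check" "$make_key" || status=1
    done
    return $status
}

# Stand-ins for the offline demonstration (constructed, not real key tools):
# a "key" is valid when its first line is the marker DEMO-HOST-KEY.
demo_validate() { [ "$(head -n 1 "$1" 2>/dev/null)" = "DEMO-HOST-KEY" ]; }
demo_generate() { printf 'DEMO-HOST-KEY\n%s\n' "$(date +%s)" > "$1"; }
demo_generate_broken() { return 1; }

# demo: run the three cases in a temporary directory; the exit status is
# the overall result of ensure_hostkeys (0 when all three keys are usable).
demo() {
    d=$(mktemp -d) || return 1
    printf 'DEMO-HOST-KEY\nold material\n' > "$d/good"   # kept as is
    : > "$d/empty"                                        # regenerated
    printf 'garbage\n' > "$d/bad"                         # regenerated
    ensure_hostkeys demo_validate demo_generate "$d/good" "$d/empty" "$d/bad"
    rc=$?
    rm -rf "$d"
    return $rc
}
```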
* Re: [ptxdist] [PATCH v2 5/8] dropbear: Refactor rc-once and init to use KEYTYPES
From: Michael Olbrich @ 2021-10-22 8:44 UTC (permalink / raw)
To: Alexander Dahl
Cc: Denis Osterland-Heim, ptxdist, Bruno Thomsen, Alexander Stein
On Mon, Oct 18, 2021 at 04:35:51PM +0200, Alexander Dahl wrote:
> Previously DSS and RSA keys were always generated, regardless if
> dropbear was built with support for that host key or not, which somehow
> contradicts what commit message of 01ac7cc409b5 ("dropbear: Remove
> deprecated options") promised.
>
> No other things changed here, just considering that KEYTYPES list for
> 'rsa' and 'dss' for now.
>
> Signed-off-by: Alexander Dahl <ada@thorsis.com>
> ---
> projectroot/etc/init.d/dropbear | 17 ++++++++++++++---
> projectroot/etc/rc.once.d/dropbear | 26 +++++++++++++++++++++++---
> 2 files changed, 37 insertions(+), 6 deletions(-)
>
> diff --git a/projectroot/etc/init.d/dropbear b/projectroot/etc/init.d/dropbear
> index 342565f93..88ef5aa71 100644
> --- a/projectroot/etc/init.d/dropbear
> +++ b/projectroot/etc/init.d/dropbear
> @@ -15,10 +15,21 @@ test -z "$DROPBEAR_BANNER" || \
> DROPBEAR_EXTRA_ARGS="$DROPBEAR_EXTRA_ARGS -b $DROPBEAR_BANNER"
>
> dropbear_start() {
> -
> KEY_ARGS=""
> - test -f $DROPBEAR_DSSKEY && KEY_ARGS="$KEY_ARGS -d $DROPBEAR_DSSKEY"
> - test -f $DROPBEAR_RSAKEY && KEY_ARGS="$KEY_ARGS -r $DROPBEAR_RSAKEY"
> + for keytype in $DROPBEAR_KEYTYPES
> + do
> + case "$keytype" in
> + dss)
> + test -f $DROPBEAR_DSSKEY && KEY_ARGS="$KEY_ARGS -d $DROPBEAR_DSSKEY"
> + ;;
Isn't dss disabled completely? So do we actually need this?
Michael
> + rsa)
> + test -f $DROPBEAR_RSAKEY && KEY_ARGS="$KEY_ARGS -r $DROPBEAR_RSAKEY"
> + ;;
> + *)
> + echo "Key type '$keytype' not supported"
> + ;;
> + esac
> + done
>
> echo -n "starting dropbear..."
>
> diff --git a/projectroot/etc/rc.once.d/dropbear b/projectroot/etc/rc.once.d/dropbear
> index dd922d727..a9a1d475c 100644
> --- a/projectroot/etc/rc.once.d/dropbear
> +++ b/projectroot/etc/rc.once.d/dropbear
> @@ -5,10 +5,11 @@ PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
> . /usr/lib/init/dropbear.sh
>
> gen_key() {
> -
> key_type=$1
> key_file=$2
>
> + [ -e "$key_file" ] && return
> +
> rm -f $key_file > /dev/null 2>&1
>
> echo -n "generating $key_type key..."
> @@ -22,6 +23,25 @@ gen_key() {
> fi
> }
>
> -[ -e "$DROPBEAR_RSAKEY" ] || gen_key rsa "$DROPBEAR_RSAKEY"
> -[ -e "$DROPBEAR_DSSKEY" ] || gen_key dss "$DROPBEAR_DSSKEY"
> +gen_keys() {
> + for keytype in $DROPBEAR_KEYTYPES
> + do
> + case "$keytype" in
> + dss)
> + gen_key dss "$DROPBEAR_DSSKEY"
> + ;;
> + rsa)
> + gen_key rsa "$DROPBEAR_RSAKEY"
> + ;;
> + *)
> + echo "Key type '$keytype' not supported"
> + ;;
> + esac
> + done
> +}
>
> +if ! gen_keys
> +then
> + echo "Generating SSH keys failed!"
> + exit 1
> +fi
> --
> 2.30.2
>
>
--
Pengutronix e.K. | |
Steuerwalder Str. 21 | http://www.pengutronix.de/ |
31137 Hildesheim, Germany | Phone: +49-5121-206917-0 |
Amtsgericht Hildesheim, HRA 2686 | Fax: +49-5121-206917-5555 |
* Re: [ptxdist] [PATCH v2 6/8] dropbear: Support ecdsa keys in rc-once and init
From: Michael Olbrich @ 2021-10-22 8:47 UTC (permalink / raw)
To: Alexander Dahl
Cc: Denis Osterland-Heim, ptxdist, Bruno Thomsen, Alexander Stein
On Mon, Oct 18, 2021 at 04:35:52PM +0200, Alexander Dahl wrote:
> With 54afea33423c ("dropbear: Added Elliptic Curve Cryptography
> options.") an option was added to built with ecdsa host key support, but
> scripts where not adapted back then.
>
> Signed-off-by: Alexander Dahl <ada@thorsis.com>
> ---
> projectroot/etc/init.d/dropbear | 3 +++
> projectroot/etc/rc.once.d/dropbear | 3 +++
> projectroot/usr/lib/init/dropbear.sh | 1 +
> 3 files changed, 7 insertions(+)
>
> diff --git a/projectroot/etc/init.d/dropbear b/projectroot/etc/init.d/dropbear
> index 88ef5aa71..f6c1fb06f 100644
> --- a/projectroot/etc/init.d/dropbear
> +++ b/projectroot/etc/init.d/dropbear
> @@ -24,6 +24,9 @@ dropbear_start() {
> ;;
> rsa)
> test -f $DROPBEAR_RSAKEY && KEY_ARGS="$KEY_ARGS -r $DROPBEAR_RSAKEY"
> + ;;
> + ecdsa)
indentation
> + [ -f "$DROPBEAR_ECDSAKEY" ] && KEY_ARGS="$KEY_ARGS -r $DROPBEAR_ECDSAKEY"
Can we stick to one syntax: 'test' or '[' but not mixed.
Michael
> ;;
> *)
> echo "Key type '$keytype' not supported"
> diff --git a/projectroot/etc/rc.once.d/dropbear b/projectroot/etc/rc.once.d/dropbear
> index a9a1d475c..bfebccfc4 100644
> --- a/projectroot/etc/rc.once.d/dropbear
> +++ b/projectroot/etc/rc.once.d/dropbear
> @@ -33,6 +33,9 @@ gen_keys() {
> rsa)
> gen_key rsa "$DROPBEAR_RSAKEY"
> ;;
> + ecdsa)
> + gen_key ecdsa "$DROPBEAR_ECDSAKEY"
> + ;;
> *)
> echo "Key type '$keytype' not supported"
> ;;
> diff --git a/projectroot/usr/lib/init/dropbear.sh b/projectroot/usr/lib/init/dropbear.sh
> index e8aa58576..9c9c9aef7 100644
> --- a/projectroot/usr/lib/init/dropbear.sh
> +++ b/projectroot/usr/lib/init/dropbear.sh
> @@ -2,4 +2,5 @@
>
> DROPBEAR_RSAKEY='@KEYDIR@/dropbear_rsa_host_key'
> DROPBEAR_DSSKEY='@KEYDIR@/dropbear_dss_host_key'
> +DROPBEAR_ECDSAKEY='@KEYDIR@/dropbear_ecdsa_host_key'
> DROPBEAR_KEYTYPES='@KEYTYPES@'
> --
> 2.30.2
>
>
--
Pengutronix e.K. | |
Steuerwalder Str. 21 | http://www.pengutronix.de/ |
31137 Hildesheim, Germany | Phone: +49-5121-206917-0 |
Amtsgericht Hildesheim, HRA 2686 | Fax: +49-5121-206917-5555 |
* Re: [ptxdist] [PATCH v2 5/8] dropbear: Refactor rc-once and init to use KEYTYPES
From: Alexander Dahl @ 2021-10-22 9:05 UTC (permalink / raw)
To: Michael Olbrich
Cc: Denis Osterland-Heim, ptxdist, Bruno Thomsen, Alexander Stein
Hello Michael,
On Friday, 22 October 2021, 10:44:05 CEST, Michael Olbrich wrote:
> On Mon, Oct 18, 2021 at 04:35:51PM +0200, Alexander Dahl wrote:
> > Previously DSS and RSA keys were always generated, regardless if
> > dropbear was built with support for that host key or not, which somehow
> > contradicts what commit message of 01ac7cc409b5 ("dropbear: Remove
> > deprecated options") promised.
> >
> > No other things changed here, just considering that KEYTYPES list for
> > 'rsa' and 'dss' for now.
> >
> > Signed-off-by: Alexander Dahl <ada@thorsis.com>
> > ---
> >
> > projectroot/etc/init.d/dropbear | 17 ++++++++++++++---
> > projectroot/etc/rc.once.d/dropbear | 26 +++++++++++++++++++++++---
> > 2 files changed, 37 insertions(+), 6 deletions(-)
> >
> > diff --git a/projectroot/etc/init.d/dropbear
> > b/projectroot/etc/init.d/dropbear index 342565f93..88ef5aa71 100644
> > --- a/projectroot/etc/init.d/dropbear
> > +++ b/projectroot/etc/init.d/dropbear
> > @@ -15,10 +15,21 @@ test -z "$DROPBEAR_BANNER" || \
> >
> > DROPBEAR_EXTRA_ARGS="$DROPBEAR_EXTRA_ARGS -b $DROPBEAR_BANNER"
> >
> > dropbear_start() {
> >
> > -
> >
> > KEY_ARGS=""
> >
> > - test -f $DROPBEAR_DSSKEY && KEY_ARGS="$KEY_ARGS -d $DROPBEAR_DSSKEY"
> > - test -f $DROPBEAR_RSAKEY && KEY_ARGS="$KEY_ARGS -r $DROPBEAR_RSAKEY"
> > + for keytype in $DROPBEAR_KEYTYPES
> > + do
> > + case "$keytype" in
> > + dss)
> > + test -f $DROPBEAR_DSSKEY && KEY_ARGS="$KEY_ARGS -d
> > $DROPBEAR_DSSKEY" + ;;
>
> Isn't dss disabled completely? So do we actually need this?
Depends where you look. :-/
The option was removed from the ptxdist menu, yes. It is discouraged to use, yes.
For the patch I did not want to refactor and change behaviour at the same
time, so I would propose another patch for removing dss key support from the
init and rc-once scripts. Should that come before or after the other changes?
From the dropbear point of view I'm not 100% sure, but I think it's still possible
to build with dss support. ptxdist does not make an explicit decision on that
and relies on dropbear internal defaults. Maybe we should disable that
explicitly? The dropbear build is different from standard ways, so it's a little
harder to pin down all the options.
Greets
Alex
>
> Michael
>
> > + rsa)
> > + test -f $DROPBEAR_RSAKEY && KEY_ARGS="$KEY_ARGS -r
> > $DROPBEAR_RSAKEY" + ;;
> > + *)
> > + echo "Key type '$keytype' not supported"
> > + ;;
> > + esac
> > + done
> >
> > echo -n "starting dropbear..."
> >
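Review bot: the new dss and rsa branches keep the unquoted expansions of the lines they replace (`test -f $DROPBEAR_DSSKEY`, `KEY_ARGS="$KEY_ARGS -d $DROPBEAR_DSSKEY"`); since this hunk rewrites both lines anyway, quote the file tests (`test -f "$DROPBEAR_RSAKEY"`), and keep in mind that `$KEY_ARGS` is word-split when handed to dropbear, so key paths with whitespace would still break. The `*)` branch only echoes "Key type '$keytype' not supported" to stdout and the loop continues into `echo -n "starting dropbear..."`, so a misspelled entry in DROPBEAR_KEYTYPES silently starts the daemon with fewer host keys than configured; write that message to stderr and consider making `dropbear_start` fail so the misconfiguration is visible at boot rather than only in the server's behaviour.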
> > diff --git a/projectroot/etc/rc.once.d/dropbear
> > b/projectroot/etc/rc.once.d/dropbear index dd922d727..a9a1d475c 100644
> > --- a/projectroot/etc/rc.once.d/dropbear
> > +++ b/projectroot/etc/rc.once.d/dropbear
> > @@ -5,10 +5,11 @@
> > PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin>
> > . /usr/lib/init/dropbear.sh
> >
> > gen_key() {
> >
> > -
> >
> > key_type=$1
> > key_file=$2
> >
> > + [ -e "$key_file" ] && return
> > +
> >
> > rm -f $key_file > /dev/null 2>&1
> >
> > echo -n "generating $key_type key..."
> >
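Review bot: with `[ -e "$key_file" ] && return` placed ahead of `rm -f $key_file > /dev/null 2>&1`, the rm can never remove anything (the function returns when the file exists, and there is nothing to delete when it does not), so either drop the `rm -f` line or keep the existence check in the callers as the removed `[ -e "$DROPBEAR_RSAKEY" ] || gen_key rsa ...` lines did. Note also that `-e` is true for an empty or truncated file (and for a directory), so a key left half-written by an interrupted first boot is now kept instead of regenerated; `[ -s "$key_file" ]` would at least regenerate empty files until the invalid-key handling announced for 7/8 of this series lands.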
> > @@ -22,6 +23,25 @@ gen_key() {
> >
> > fi
> >
> > }
> >
> > -[ -e "$DROPBEAR_RSAKEY" ] || gen_key rsa "$DROPBEAR_RSAKEY"
> > -[ -e "$DROPBEAR_DSSKEY" ] || gen_key dss "$DROPBEAR_DSSKEY"
> > +gen_keys() {
> > + for keytype in $DROPBEAR_KEYTYPES
> > + do
> > + case "$keytype" in
> > + dss)
> > + gen_key dss "$DROPBEAR_DSSKEY"
> > + ;;
> > + rsa)
> > + gen_key rsa "$DROPBEAR_RSAKEY"
> > + ;;
> > + *)
> > + echo "Key type '$keytype' not supported"
> > + ;;
> > + esac
> > + done
> > +}
> >
> > +if ! gen_keys
> > +then
> > + echo "Generating SSH keys failed!"
> > + exit 1
> > +fi
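Review bot: `gen_keys` has no explicit return, so its exit status is that of the last command executed in the loop: a failed `gen_key rsa` is masked whenever a later key type succeeds, an unknown key type is never reported as failure because the `echo` in `*)` exits 0, and an empty DROPBEAR_KEYTYPES runs the body zero times and returns success with no host key generated at all. Since the caller treats a non-zero status as fatal (`echo "Generating SSH keys failed!"; exit 1`), track failures explicitly, e.g. `ret=0` before the loop, `gen_key rsa "$DROPBEAR_RSAKEY" || ret=1` (and `ret=1` in the `*)` branch), and `return $ret` after `done`, and decide whether an empty key type list should also count as an error for a first-boot script whose only job is to produce host keys.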
--
Alexander Dahl, Industrieautomation, T +49 391 544 563 3036
Thorsis Technologies GmbH, Oststr. 18, 39114 Magdeburg
T +49 391 544 563 1000, F +49 391 544 563 9099, https://www.thorsis.com/
Registered office: Magdeburg
Stendal Local Court, HRB 110339
Managing Director: Dipl.-Ing. Thorsten Szczepanski
* Re: [ptxdist] [PATCH v2 5/8] dropbear: Refactor rc-once and init to use KEYTYPES
2021-10-22 9:05 ` Alexander Dahl
@ 2021-10-28 5:49 ` Michael Olbrich
0 siblings, 0 replies; 13+ messages in thread
From: Michael Olbrich @ 2021-10-28 5:49 UTC (permalink / raw)
To: Alexander Dahl
Cc: Denis Osterland-Heim, ptxdist, Bruno Thomsen, Alexander Stein
On Fri, Oct 22, 2021 at 11:05:37AM +0200, Alexander Dahl wrote:
> Hello Michael,
>
> On Friday, 22 October 2021 at 10:44:05 CEST, Michael Olbrich wrote:
> > On Mon, Oct 18, 2021 at 04:35:51PM +0200, Alexander Dahl wrote:
> > > Previously DSS and RSA keys were always generated, regardless if
> > > dropbear was built with support for that host key or not, which somehow
> > > contradicts what commit message of 01ac7cc409b5 ("dropbear: Remove
> > > deprecated options") promised.
> > >
> > > No other things changed here, just considering that KEYTYPES list for
> > > 'rsa' and 'dss' for now.
> > >
> > > Signed-off-by: Alexander Dahl <ada@thorsis.com>
> > > ---
> > >
> > > projectroot/etc/init.d/dropbear | 17 ++++++++++++++---
> > > projectroot/etc/rc.once.d/dropbear | 26 +++++++++++++++++++++++---
> > > 2 files changed, 37 insertions(+), 6 deletions(-)
> > >
> > > diff --git a/projectroot/etc/init.d/dropbear
> > > b/projectroot/etc/init.d/dropbear index 342565f93..88ef5aa71 100644
> > > --- a/projectroot/etc/init.d/dropbear
> > > +++ b/projectroot/etc/init.d/dropbear
> > > @@ -15,10 +15,21 @@ test -z "$DROPBEAR_BANNER" || \
> > >
> > > DROPBEAR_EXTRA_ARGS="$DROPBEAR_EXTRA_ARGS -b $DROPBEAR_BANNER"
> > >
> > > dropbear_start() {
> > >
> > > -
> > >
> > > KEY_ARGS=""
> > >
> > > - test -f $DROPBEAR_DSSKEY && KEY_ARGS="$KEY_ARGS -d $DROPBEAR_DSSKEY"
> > > - test -f $DROPBEAR_RSAKEY && KEY_ARGS="$KEY_ARGS -r $DROPBEAR_RSAKEY"
> > > + for keytype in $DROPBEAR_KEYTYPES
> > > + do
> > > + case "$keytype" in
> > > + dss)
> > > + test -f $DROPBEAR_DSSKEY && KEY_ARGS="$KEY_ARGS -d
> > > $DROPBEAR_DSSKEY" + ;;
> >
> > Isn't dss disabled completely? So do we actually need this?
>
> Depends where you look. :-/
>
> The option was removed from the ptxdist menu, yes. Its use is discouraged, yes.
>
> For the patch I did not want to refactor and change behaviour at the same
> time, so I would propose another patch for removing dss key support from the
> init and rc-once scripts. Should that come before or after the other changes?
Before please.
> From dropbear point of view I'm not 100% sure, but I think it's still possible
> to build with dss support. ptxdist does not make an explicit decision on that
> and relies on dropbear internal defaults. Maybe we should disable that
> explicitly? dropbear build is different from standard ways, so it's a little
> harder to pin down all the options.
I looked at the code. It's built by default. So please disable it
explicitly.
And I noticed that we still have an option for 3DES. Can you remove that
one as well? It's actually disabled by default.
Regards,
Michael
> Greets
> Alex
>
> >
> > Michael
> >
> > > + rsa)
> > > + test -f $DROPBEAR_RSAKEY && KEY_ARGS="$KEY_ARGS -r
> > > $DROPBEAR_RSAKEY" + ;;
> > > + *)
> > > + echo "Key type '$keytype' not supported"
> > > + ;;
> > > + esac
> > > + done
> > >
> > > echo -n "starting dropbear..."
> > >
> > > diff --git a/projectroot/etc/rc.once.d/dropbear
> > > b/projectroot/etc/rc.once.d/dropbear index dd922d727..a9a1d475c 100644
> > > --- a/projectroot/etc/rc.once.d/dropbear
> > > +++ b/projectroot/etc/rc.once.d/dropbear
> > > @@ -5,10 +5,11 @@
> > > PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin>
> > > . /usr/lib/init/dropbear.sh
> > >
> > > gen_key() {
> > >
> > > -
> > >
> > > key_type=$1
> > > key_file=$2
> > >
> > > + [ -e "$key_file" ] && return
> > > +
> > >
> > > rm -f $key_file > /dev/null 2>&1
> > >
> > > echo -n "generating $key_type key..."
> > >
> > > @@ -22,6 +23,25 @@ gen_key() {
> > >
> > > fi
> > >
> > > }
> > >
> > > -[ -e "$DROPBEAR_RSAKEY" ] || gen_key rsa "$DROPBEAR_RSAKEY"
> > > -[ -e "$DROPBEAR_DSSKEY" ] || gen_key dss "$DROPBEAR_DSSKEY"
> > > +gen_keys() {
> > > + for keytype in $DROPBEAR_KEYTYPES
> > > + do
> > > + case "$keytype" in
> > > + dss)
> > > + gen_key dss "$DROPBEAR_DSSKEY"
> > > + ;;
> > > + rsa)
> > > + gen_key rsa "$DROPBEAR_RSAKEY"
> > > + ;;
> > > + *)
> > > + echo "Key type '$keytype' not supported"
> > > + ;;
> > > + esac
> > > + done
> > > +}
> > >
> > > +if ! gen_keys
> > > +then
> > > + echo "Generating SSH keys failed!"
> > > + exit 1
> > > +fi
--
Pengutronix e.K. | |
Steuerwalder Str. 21 | http://www.pengutronix.de/ |
31137 Hildesheim, Germany | Phone: +49-5121-206917-0 |
Amtsgericht Hildesheim, HRA 2686 | Fax: +49-5121-206917-5555 |