[ptxdist] [PATCH v3 0/8] rc-once: Improve re-generation of keys

[ptxdist] [PATCH v3 0/8] rc-once: Improve re-generation of keys

[Alexander Dahl]

Hei hei,

the third iteration of the patch series is in great parts identical to
v2 with feedback addressed, see patches itself for changes (notes
added), overall changelog below.

Greets
Alex

v2 -> v3
--------
- patch 1 rewritten, completely removes DSS support now
- patch 6 adapted according to feedback
- all other patches adapted to patch 1 or not changed

Alexander Dahl (8):
  dropbear: Remove host/public key DSS support
  dropbear: Move targetinstall of rc-once script
  dropbear: Move shell variables to new common shell lib
  dropbear: Move KEYTYPES to shell lib and set based on menu
  dropbear: Refactor rc-once and init to use KEYTYPES
  dropbear: Support ecdsa keys in rc-once and init
  dropbear: rc-once: Regenerate key if invalid key is found
  openssh: rc-once: Do not overwrite existing keys

 projectroot/etc/init.d/dropbear      | 28 ++++++++++++----------
 projectroot/etc/rc.once.d/dropbear   | 35 ++++++++++++++++++++--------
 projectroot/etc/rc.once.d/openssh    |  1 +
 projectroot/usr/lib/init/dropbear.sh |  5 ++++
 rules/dropbear.in                    |  4 ++--
 rules/dropbear.make                  | 23 ++++++++++++++----
 6 files changed, 67 insertions(+), 29 deletions(-)
 create mode 100644 projectroot/usr/lib/init/dropbear.sh


base-commit: e994b77922227912138ed1d7a59b4a03b10d1027
-- 
2.30.2


_______________________________________________
ptxdist mailing list
ptxdist@pengutronix.de
To unsubscribe, send a mail with subject "unsubscribe" to ptxdist-request@pengutronix.de

[ptxdist] [PATCH v3 1/8] dropbear: Remove host/public key DSS support

[Alexander Dahl]

DSS option was removed already from ptxdist, it is not recommended for
new keys.  In dropbear however, it was still default enabled, this is
disabled through localoptions.h now.

Fixes: 01ac7cc409b5 ("dropbear: Remove deprecated options")
Signed-off-by: Alexander Dahl <ada@thorsis.com>
---

Notes:
    v2 -> v3
    --------
    - complete rework
    - still adapts comments in menus
    - completely removes DSS key support

 projectroot/etc/init.d/dropbear    | 6 +-----
 projectroot/etc/rc.once.d/dropbear | 5 -----
 rules/dropbear.in                  | 4 ++--
 rules/dropbear.make                | 3 +++
 4 files changed, 6 insertions(+), 12 deletions(-)

diff --git a/projectroot/etc/init.d/dropbear b/projectroot/etc/init.d/dropbear
index 1edda1116..4d6530bdc 100644
--- a/projectroot/etc/init.d/dropbear
+++ b/projectroot/etc/init.d/dropbear
@@ -10,21 +10,17 @@ DROPBEAR_EXTRA_ARGS=
 # test ! -h /var/service/dropbear || exit 0
 
 DROPBEAR_RSAKEY_DEFAULT="@KEYDIR@/dropbear_rsa_host_key"
-DROPBEAR_DSSKEY_DEFAULT="@KEYDIR@/dropbear_dss_host_key"
 
 test -z "$DROPBEAR_BANNER" || \
   DROPBEAR_EXTRA_ARGS="$DROPBEAR_EXTRA_ARGS -b $DROPBEAR_BANNER"
 test -n "$DROPBEAR_RSAKEY" || \
   DROPBEAR_RSAKEY=$DROPBEAR_RSAKEY_DEFAULT
-test -n "$DROPBEAR_DSSKEY" || \
-  DROPBEAR_DSSKEY=$DROPBEAR_DSSKEY_DEFAULT
 test -n "$DROPBEAR_KEYTYPES" || \
-  DROPBEAR_KEYTYPES="rsa dss"
+  DROPBEAR_KEYTYPES="rsa"
 
 dropbear_start() {
 
     KEY_ARGS=""
-    test -f $DROPBEAR_DSSKEY && KEY_ARGS="$KEY_ARGS -d $DROPBEAR_DSSKEY"
     test -f $DROPBEAR_RSAKEY && KEY_ARGS="$KEY_ARGS -r $DROPBEAR_RSAKEY"
 
     echo -n "starting dropbear..."
diff --git a/projectroot/etc/rc.once.d/dropbear b/projectroot/etc/rc.once.d/dropbear
index a126b26db..451236097 100644
--- a/projectroot/etc/rc.once.d/dropbear
+++ b/projectroot/etc/rc.once.d/dropbear
@@ -3,12 +3,9 @@
 PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
 
 DROPBEAR_RSAKEY_DEFAULT="@KEYDIR@/dropbear_rsa_host_key"
-DROPBEAR_DSSKEY_DEFAULT="@KEYDIR@/dropbear_dss_host_key"
 
 test -n "$DROPBEAR_RSAKEY" || \
   DROPBEAR_RSAKEY=$DROPBEAR_RSAKEY_DEFAULT
-test -n "$DROPBEAR_DSSKEY" || \
-  DROPBEAR_DSSKEY=$DROPBEAR_DSSKEY_DEFAULT
 
 gen_key() {
 
@@ -29,5 +26,3 @@ gen_key() {
 }
 
 [ -e "$DROPBEAR_RSAKEY" ] || gen_key rsa "$DROPBEAR_RSAKEY"
-[ -e "$DROPBEAR_DSSKEY" ] || gen_key dss "$DROPBEAR_DSSKEY"
-
diff --git a/rules/dropbear.in b/rules/dropbear.in
index 507ee8e7f..8ae2d788b 100644
--- a/rules/dropbear.in
+++ b/rules/dropbear.in
@@ -260,7 +260,7 @@ config DROPBEAR_SHA512
 	  SHA-1. SHA-2 consists of a set of four hash functions with digests
 	  that are 224, 256, 384 or 512 bits.
 
-comment "Hostkey/public key algorithms, at least one required --- RSA is recommended, DSS is not recommended for new keys"
+comment "Hostkey/public key algorithms, at least one required ---"
 
 config DROPBEAR_RSA
 	bool
@@ -277,7 +277,7 @@ config DROPBEAR_ECDSA
 	prompt "ecdsa"
 	help
 	  ECDSA stands for Elliptic Curve Digital Signature Algorithm.
-	  ECDSA is significantly faster than RSA or DSS.
+	  ECDSA is significantly faster than RSA.
 
 comment "Key exchange algorithm ---"
 
diff --git a/rules/dropbear.make b/rules/dropbear.make
index 536c9176a..c4577fed2 100644
--- a/rules/dropbear.make
+++ b/rules/dropbear.make
@@ -198,6 +198,9 @@ else
 endif
 
 # host key / public key
+	@echo "ptxdist: disabling dss"
+	@echo "#define DROPBEAR_DSS 0" >> $(DROPBEAR_LOCALOPTIONS)
+
 ifdef PTXCONF_DROPBEAR_RSA
 	@echo "ptxdist: enabling rsa"
 	@echo "#define DROPBEAR_RSA 1" >> $(DROPBEAR_LOCALOPTIONS)
-- 
2.30.2


_______________________________________________
ptxdist mailing list
ptxdist@pengutronix.de
To unsubscribe, send a mail with subject "unsubscribe" to ptxdist-request@pengutronix.de

[ptxdist] [PATCH v3 2/8] dropbear: Move targetinstall of rc-once script

[Alexander Dahl]

Key generation is still needed if someone decides not to install the
init script or uses a different init system.

Fixes: 0e0f5d31e0e0 ("[dropbear] use rc-once to create server keys")
Signed-off-by: Alexander Dahl <ada@thorsis.com>
---
 rules/dropbear.make | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/rules/dropbear.make b/rules/dropbear.make
index c4577fed2..501b94764 100644
--- a/rules/dropbear.make
+++ b/rules/dropbear.make
@@ -281,6 +281,10 @@ endif
 ifdef PTXCONF_DROPBEAR_DROPBEAR_KEY
 	@$(call install_copy, dropbear, 0, 0, 0755, -, \
 		/usr/bin/dropbearkey)
+
+	@$(call install_alternative, dropbear, 0, 0, 0755, /etc/rc.once.d/dropbear, n)
+	@$(call install_replace, dropbear, /etc/rc.once.d/dropbear, \
+		@KEYDIR@, $(PTXCONF_DROPBEAR_KEY_DIR))
 endif
 
 ifdef PTXCONF_DROPBEAR_DROPBEAR_CONVERT
@@ -303,9 +307,6 @@ ifdef PTXCONF_DROPBEAR_STARTSCRIPT
 	@$(call install_alternative, dropbear, 0, 0, 0755, /etc/init.d/dropbear, n)
 	@$(call install_replace, dropbear, /etc/init.d/dropbear, \
 		@KEYDIR@, $(PTXCONF_DROPBEAR_KEY_DIR))
-	@$(call install_alternative, dropbear, 0, 0, 0755, /etc/rc.once.d/dropbear, n)
-	@$(call install_replace, dropbear, /etc/rc.once.d/dropbear, \
-		@KEYDIR@, $(PTXCONF_DROPBEAR_KEY_DIR))
 
 ifneq ($(call remove_quotes,$(PTXCONF_DROPBEAR_BBINIT_LINK)),)
 	@$(call install_link, dropbear, \
-- 
2.30.2


_______________________________________________
ptxdist mailing list
ptxdist@pengutronix.de
To unsubscribe, send a mail with subject "unsubscribe" to ptxdist-request@pengutronix.de

[ptxdist] [PATCH v3 3/8] dropbear: Move shell variables to new common shell lib

[Alexander Dahl]

init script and rc-once script use some common variables and
targetinstall replace happens twice for each, so to make things less
complex put those common variables in a common place.

While at it, remove that DROPBEAR_xxxKEY_DEFAULT indirection, which
probably originates in the init script from Debian, which seems was the
base for developing this script at least 15 years ago.

The lib will be extended with more variables later.

Signed-off-by: Alexander Dahl <ada@thorsis.com>
---

Notes:
    v2 -> v3
    --------
    - adapted to DSS key support removal

 projectroot/etc/init.d/dropbear      | 6 ++----
 projectroot/etc/rc.once.d/dropbear   | 5 +----
 projectroot/usr/lib/init/dropbear.sh | 3 +++
 rules/dropbear.make                  | 8 ++++----
 4 files changed, 10 insertions(+), 12 deletions(-)
 create mode 100644 projectroot/usr/lib/init/dropbear.sh

diff --git a/projectroot/etc/init.d/dropbear b/projectroot/etc/init.d/dropbear
index 4d6530bdc..b394eab15 100644
--- a/projectroot/etc/init.d/dropbear
+++ b/projectroot/etc/init.d/dropbear
@@ -7,14 +7,12 @@ NAME=dropbear
 DROPBEAR_PORT=22
 DROPBEAR_EXTRA_ARGS=
 
-# test ! -h /var/service/dropbear || exit 0
+. /usr/lib/init/dropbear.sh
 
-DROPBEAR_RSAKEY_DEFAULT="@KEYDIR@/dropbear_rsa_host_key"
+# test ! -h /var/service/dropbear || exit 0
 
 test -z "$DROPBEAR_BANNER" || \
   DROPBEAR_EXTRA_ARGS="$DROPBEAR_EXTRA_ARGS -b $DROPBEAR_BANNER"
-test -n "$DROPBEAR_RSAKEY" || \
-  DROPBEAR_RSAKEY=$DROPBEAR_RSAKEY_DEFAULT
 test -n "$DROPBEAR_KEYTYPES" || \
   DROPBEAR_KEYTYPES="rsa"
 
diff --git a/projectroot/etc/rc.once.d/dropbear b/projectroot/etc/rc.once.d/dropbear
index 451236097..b70f5f22e 100644
--- a/projectroot/etc/rc.once.d/dropbear
+++ b/projectroot/etc/rc.once.d/dropbear
@@ -2,10 +2,7 @@
 
 PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
 
-DROPBEAR_RSAKEY_DEFAULT="@KEYDIR@/dropbear_rsa_host_key"
-
-test -n "$DROPBEAR_RSAKEY" || \
-  DROPBEAR_RSAKEY=$DROPBEAR_RSAKEY_DEFAULT
+. /usr/lib/init/dropbear.sh
 
 gen_key() {
 
diff --git a/projectroot/usr/lib/init/dropbear.sh b/projectroot/usr/lib/init/dropbear.sh
new file mode 100644
index 000000000..7b94429b4
--- /dev/null
+++ b/projectroot/usr/lib/init/dropbear.sh
@@ -0,0 +1,3 @@
+#!/bin/sh
+
+DROPBEAR_RSAKEY='@KEYDIR@/dropbear_rsa_host_key'
diff --git a/rules/dropbear.make b/rules/dropbear.make
index 501b94764..bdf855fe3 100644
--- a/rules/dropbear.make
+++ b/rules/dropbear.make
@@ -273,6 +273,10 @@ $(STATEDIR)/dropbear.targetinstall:
 	@$(call install_fixup, dropbear,AUTHOR,"Robert Schwebel <r.schwebel@pengutronix.de>")
 	@$(call install_fixup, dropbear,DESCRIPTION,missing)
 
+	@$(call install_alternative, dropbear, 0, 0, 0644, /usr/lib/init/dropbear.sh)
+	@$(call install_replace, dropbear, /usr/lib/init/dropbear.sh, \
+		@KEYDIR@, $(PTXCONF_DROPBEAR_KEY_DIR))
+
 ifdef PTXCONF_DROPBEAR_DROPBEAR
 	@$(call install_copy, dropbear, 0, 0, 0755, -, \
 		/usr/sbin/dropbear)
@@ -283,8 +287,6 @@ ifdef PTXCONF_DROPBEAR_DROPBEAR_KEY
 		/usr/bin/dropbearkey)
 
 	@$(call install_alternative, dropbear, 0, 0, 0755, /etc/rc.once.d/dropbear, n)
-	@$(call install_replace, dropbear, /etc/rc.once.d/dropbear, \
-		@KEYDIR@, $(PTXCONF_DROPBEAR_KEY_DIR))
 endif
 
 ifdef PTXCONF_DROPBEAR_DROPBEAR_CONVERT
@@ -305,8 +307,6 @@ endif
 
 ifdef PTXCONF_DROPBEAR_STARTSCRIPT
 	@$(call install_alternative, dropbear, 0, 0, 0755, /etc/init.d/dropbear, n)
-	@$(call install_replace, dropbear, /etc/init.d/dropbear, \
-		@KEYDIR@, $(PTXCONF_DROPBEAR_KEY_DIR))
 
 ifneq ($(call remove_quotes,$(PTXCONF_DROPBEAR_BBINIT_LINK)),)
 	@$(call install_link, dropbear, \
-- 
2.30.2


_______________________________________________
ptxdist mailing list
ptxdist@pengutronix.de
To unsubscribe, send a mail with subject "unsubscribe" to ptxdist-request@pengutronix.de

[ptxdist] [PATCH v3 4/8] dropbear: Move KEYTYPES to shell lib and set based on menu

[Alexander Dahl]

The variable is currently not used, but it will be useful later for key
generation and daemon startup based on actually selected host key types.

Signed-off-by: Alexander Dahl <ada@thorsis.com>
---

Notes:
    v2 -> v3
    --------
    - adapted to DSS key support removal

 projectroot/etc/init.d/dropbear      | 2 --
 projectroot/usr/lib/init/dropbear.sh | 1 +
 rules/dropbear.make                  | 9 +++++++++
 3 files changed, 10 insertions(+), 2 deletions(-)

diff --git a/projectroot/etc/init.d/dropbear b/projectroot/etc/init.d/dropbear
index b394eab15..15671c9d8 100644
--- a/projectroot/etc/init.d/dropbear
+++ b/projectroot/etc/init.d/dropbear
@@ -13,8 +13,6 @@ DROPBEAR_EXTRA_ARGS=
 
 test -z "$DROPBEAR_BANNER" || \
   DROPBEAR_EXTRA_ARGS="$DROPBEAR_EXTRA_ARGS -b $DROPBEAR_BANNER"
-test -n "$DROPBEAR_KEYTYPES" || \
-  DROPBEAR_KEYTYPES="rsa"
 
 dropbear_start() {
 
diff --git a/projectroot/usr/lib/init/dropbear.sh b/projectroot/usr/lib/init/dropbear.sh
index 7b94429b4..f4a083b8c 100644
--- a/projectroot/usr/lib/init/dropbear.sh
+++ b/projectroot/usr/lib/init/dropbear.sh
@@ -1,3 +1,4 @@
 #!/bin/sh
 
 DROPBEAR_RSAKEY='@KEYDIR@/dropbear_rsa_host_key'
+DROPBEAR_KEYTYPES='@KEYTYPES@'
diff --git a/rules/dropbear.make b/rules/dropbear.make
index bdf855fe3..102825ed6 100644
--- a/rules/dropbear.make
+++ b/rules/dropbear.make
@@ -264,6 +264,13 @@ DROPBEAR_INSTALL_OPT	:= install inst_scp
 # Target-Install
 # ----------------------------------------------------------------------------
 
+ifdef PTXCONF_DROPBEAR_RSA
+DROPBEAR_KEY_TYPES	+= rsa
+endif
+ifdef PTXCONF_DROPBEAR_ECDSA
+DROPBEAR_KEY_TYPES	+= ecdsa
+endif
+
 $(STATEDIR)/dropbear.targetinstall:
 	@$(call targetinfo)
 
@@ -276,6 +283,8 @@ $(STATEDIR)/dropbear.targetinstall:
 	@$(call install_alternative, dropbear, 0, 0, 0644, /usr/lib/init/dropbear.sh)
 	@$(call install_replace, dropbear, /usr/lib/init/dropbear.sh, \
 		@KEYDIR@, $(PTXCONF_DROPBEAR_KEY_DIR))
+	@$(call install_replace, dropbear, /usr/lib/init/dropbear.sh, \
+		@KEYTYPES@, '$(DROPBEAR_KEY_TYPES)')
 
 ifdef PTXCONF_DROPBEAR_DROPBEAR
 	@$(call install_copy, dropbear, 0, 0, 0755, -, \
-- 
2.30.2


_______________________________________________
ptxdist mailing list
ptxdist@pengutronix.de
To unsubscribe, send a mail with subject "unsubscribe" to ptxdist-request@pengutronix.de

[ptxdist] [PATCH v3 5/8] dropbear: Refactor rc-once and init to use KEYTYPES

[Alexander Dahl]

Previously DSS and RSA keys were always generated, regardless if
dropbear was built with support for that host key or not, which somehow
contradicts what commit message of 01ac7cc409b5 ("dropbear: Remove
deprecated options") promised.

No other things changed here, just considering that KEYTYPES list for
'rsa' for now.

Signed-off-by: Alexander Dahl <ada@thorsis.com>
---

Notes:
    v2 -> v3
    --------
    - adapted to DSS key support removal
    - put variable containing path in quotes

 projectroot/etc/init.d/dropbear    | 13 +++++++++++--
 projectroot/etc/rc.once.d/dropbear | 23 +++++++++++++++++++++--
 2 files changed, 32 insertions(+), 4 deletions(-)

diff --git a/projectroot/etc/init.d/dropbear b/projectroot/etc/init.d/dropbear
index 15671c9d8..4dda9aaf7 100644
--- a/projectroot/etc/init.d/dropbear
+++ b/projectroot/etc/init.d/dropbear
@@ -15,9 +15,18 @@ test -z "$DROPBEAR_BANNER" || \
   DROPBEAR_EXTRA_ARGS="$DROPBEAR_EXTRA_ARGS -b $DROPBEAR_BANNER"
 
 dropbear_start() {
-
     KEY_ARGS=""
-    test -f $DROPBEAR_RSAKEY && KEY_ARGS="$KEY_ARGS -r $DROPBEAR_RSAKEY"
+    for keytype in $DROPBEAR_KEYTYPES
+    do
+        case "$keytype" in
+            rsa)
+                test -f "$DROPBEAR_RSAKEY" && KEY_ARGS="$KEY_ARGS -r $DROPBEAR_RSAKEY"
+                ;;
+            *)
+                echo "Key type '$keytype' not supported"
+                ;;
+        esac
+    done
 
     echo -n "starting dropbear..."
 
diff --git a/projectroot/etc/rc.once.d/dropbear b/projectroot/etc/rc.once.d/dropbear
index b70f5f22e..0735fed38 100644
--- a/projectroot/etc/rc.once.d/dropbear
+++ b/projectroot/etc/rc.once.d/dropbear
@@ -5,10 +5,11 @@ PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
 . /usr/lib/init/dropbear.sh
 
 gen_key() {
-
 	key_type=$1
 	key_file=$2
 
+	[ -e "$key_file" ] && return
+
 	rm -f $key_file > /dev/null 2>&1
 
 	echo -n "generating $key_type key..."
@@ -22,4 +23,22 @@ gen_key() {
 	fi
 }
 
-[ -e "$DROPBEAR_RSAKEY" ] || gen_key rsa "$DROPBEAR_RSAKEY"
+gen_keys() {
+	for keytype in $DROPBEAR_KEYTYPES
+	do
+		case "$keytype" in
+			rsa)
+				gen_key rsa "$DROPBEAR_RSAKEY"
+				;;
+			*)
+				echo "Key type '$keytype' not supported"
+				;;
+		esac
+	done
+}
+
+if ! gen_keys
+then
+	echo "Generating SSH keys failed!"
+	exit 1
+fi
-- 
2.30.2


_______________________________________________
ptxdist mailing list
ptxdist@pengutronix.de
To unsubscribe, send a mail with subject "unsubscribe" to ptxdist-request@pengutronix.de

[ptxdist] [PATCH v3 6/8] dropbear: Support ecdsa keys in rc-once and init

[Alexander Dahl]

With 54afea33423c ("dropbear: Added Elliptic Curve Cryptography
options.") an option was added to built with ecdsa host key support, but
scripts where not adapted back then.

Signed-off-by: Alexander Dahl <ada@thorsis.com>
---

Notes:
    v2 -> v3
    --------
    - adapted to DSS key support removal
    - stick to one syntax (M. Olbrich)

 projectroot/etc/init.d/dropbear      | 3 +++
 projectroot/etc/rc.once.d/dropbear   | 3 +++
 projectroot/usr/lib/init/dropbear.sh | 1 +
 3 files changed, 7 insertions(+)

diff --git a/projectroot/etc/init.d/dropbear b/projectroot/etc/init.d/dropbear
index 4dda9aaf7..2039340b2 100644
--- a/projectroot/etc/init.d/dropbear
+++ b/projectroot/etc/init.d/dropbear
@@ -22,6 +22,9 @@ dropbear_start() {
             rsa)
                 test -f "$DROPBEAR_RSAKEY" && KEY_ARGS="$KEY_ARGS -r $DROPBEAR_RSAKEY"
                 ;;
+            ecdsa)
+                test -f "$DROPBEAR_ECDSAKEY" && KEY_ARGS="$KEY_ARGS -r $DROPBEAR_ECDSAKEY"
+                ;;
             *)
                 echo "Key type '$keytype' not supported"
                 ;;
diff --git a/projectroot/etc/rc.once.d/dropbear b/projectroot/etc/rc.once.d/dropbear
index 0735fed38..b1c40fdbb 100644
--- a/projectroot/etc/rc.once.d/dropbear
+++ b/projectroot/etc/rc.once.d/dropbear
@@ -30,6 +30,9 @@ gen_keys() {
 			rsa)
 				gen_key rsa "$DROPBEAR_RSAKEY"
 				;;
+			ecdsa)
+				gen_key ecdsa "$DROPBEAR_ECDSAKEY"
+				;;
 			*)
 				echo "Key type '$keytype' not supported"
 				;;
diff --git a/projectroot/usr/lib/init/dropbear.sh b/projectroot/usr/lib/init/dropbear.sh
index f4a083b8c..12fd6e5ce 100644
--- a/projectroot/usr/lib/init/dropbear.sh
+++ b/projectroot/usr/lib/init/dropbear.sh
@@ -1,4 +1,5 @@
 #!/bin/sh
 
 DROPBEAR_RSAKEY='@KEYDIR@/dropbear_rsa_host_key'
+DROPBEAR_ECDSAKEY='@KEYDIR@/dropbear_ecdsa_host_key'
 DROPBEAR_KEYTYPES='@KEYTYPES@'
-- 
2.30.2


_______________________________________________
ptxdist mailing list
ptxdist@pengutronix.de
To unsubscribe, send a mail with subject "unsubscribe" to ptxdist-request@pengutronix.de

[ptxdist] [PATCH v3 7/8] dropbear: rc-once: Regenerate key if invalid key is found

[Alexander Dahl]

Previously just existence of a key file was checked, which allowed
empty key files or invalid key files to persist. That would have
prevented dropbear server daemon startup.

Note: this does not always regenerate keys, only if rc-once is triggered
and run again for whatever reason.

Signed-off-by: Alexander Dahl <ada@thorsis.com>
---
 projectroot/etc/rc.once.d/dropbear | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/projectroot/etc/rc.once.d/dropbear b/projectroot/etc/rc.once.d/dropbear
index b1c40fdbb..8a0440624 100644
--- a/projectroot/etc/rc.once.d/dropbear
+++ b/projectroot/etc/rc.once.d/dropbear
@@ -8,7 +8,8 @@ gen_key() {
 	key_type=$1
 	key_file=$2
 
-	[ -e "$key_file" ] && return
+	# do not overwrite valid key files
+	[ -s "$key_file" ] && dropbearkey -y -f "$key_file" > /dev/null 2>&1 && return
 
 	rm -f $key_file > /dev/null 2>&1
 
-- 
2.30.2


_______________________________________________
ptxdist mailing list
ptxdist@pengutronix.de
To unsubscribe, send a mail with subject "unsubscribe" to ptxdist-request@pengutronix.de

[ptxdist] [PATCH v3 8/8] openssh: rc-once: Do not overwrite existing keys

[Alexander Dahl]

When storing your keys not in rootfs but on a separate data partition
(using symbolic links or overlay fs), keys are overwritten on each
firmware upgrade which lets rc-once run again (which happens when using
opkg upgrade/update or RAUC in an A/B scheme for example).

Changing keys are at best annoying, but may be interpreted as an attack
as well.

Note: if an empty or invalid key is found, the key is still regenerated.

Signed-off-by: Alexander Dahl <ada@thorsis.com>
---

Notes:
    v1 (RFC) --> v2
    ---------------
    - Improve check and look at size and if it's a valid key (Michael Olbrich)
    - Reword commit message (swap prefix, adapt reasoning)

 projectroot/etc/rc.once.d/openssh | 1 +
 1 file changed, 1 insertion(+)

diff --git a/projectroot/etc/rc.once.d/openssh b/projectroot/etc/rc.once.d/openssh
index 545586f07..717d6457e 100644
--- a/projectroot/etc/rc.once.d/openssh
+++ b/projectroot/etc/rc.once.d/openssh
@@ -27,6 +27,7 @@ create_keys() {
 	hostkeys="$(get_hostkeys)" || return
 
 	for keyfile in $hostkeys; do
+		[ -s "$keyfile" ] && ssh-keygen -l -f "${keyfile}.pub" > /dev/null && continue
 		create_key "$keyfile" || return
 	done
 }
-- 
2.30.2


_______________________________________________
ptxdist mailing list
ptxdist@pengutronix.de
To unsubscribe, send a mail with subject "unsubscribe" to ptxdist-request@pengutronix.de

Re: [ptxdist] [APPLIED] dropbear: Remove host/public key DSS support

[Michael Olbrich]

Thanks, applied as 3c822e5aa8e5aed64273df8823cd6d5b56954d03.

Michael

[sent from post-receive hook]

On Fri, 26 Nov 2021 15:34:57 +0100, Alexander Dahl <ada@thorsis.com> wrote:
> DSS option was removed already from ptxdist, it is not recommended for
> new keys.  In dropbear however, it was still default enabled, this is
> disabled through localoptions.h now.
> 
> Fixes: 01ac7cc409b5 ("dropbear: Remove deprecated options")
> Signed-off-by: Alexander Dahl <ada@thorsis.com>
> Message-Id: <20211105154734.19983-2-ada@thorsis.com>
> Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
> 
> diff --git a/projectroot/etc/init.d/dropbear b/projectroot/etc/init.d/dropbear
> index 1edda1116a93..4d6530bdcc46 100644
> --- a/projectroot/etc/init.d/dropbear
> +++ b/projectroot/etc/init.d/dropbear
> @@ -10,21 +10,17 @@ DROPBEAR_EXTRA_ARGS=
>  # test ! -h /var/service/dropbear || exit 0
>  
>  DROPBEAR_RSAKEY_DEFAULT="@KEYDIR@/dropbear_rsa_host_key"
> -DROPBEAR_DSSKEY_DEFAULT="@KEYDIR@/dropbear_dss_host_key"
>  
>  test -z "$DROPBEAR_BANNER" || \
>    DROPBEAR_EXTRA_ARGS="$DROPBEAR_EXTRA_ARGS -b $DROPBEAR_BANNER"
>  test -n "$DROPBEAR_RSAKEY" || \
>    DROPBEAR_RSAKEY=$DROPBEAR_RSAKEY_DEFAULT
> -test -n "$DROPBEAR_DSSKEY" || \
> -  DROPBEAR_DSSKEY=$DROPBEAR_DSSKEY_DEFAULT
>  test -n "$DROPBEAR_KEYTYPES" || \
> -  DROPBEAR_KEYTYPES="rsa dss"
> +  DROPBEAR_KEYTYPES="rsa"
>  
>  dropbear_start() {
>  
>      KEY_ARGS=""
> -    test -f $DROPBEAR_DSSKEY && KEY_ARGS="$KEY_ARGS -d $DROPBEAR_DSSKEY"
>      test -f $DROPBEAR_RSAKEY && KEY_ARGS="$KEY_ARGS -r $DROPBEAR_RSAKEY"
>  
>      echo -n "starting dropbear..."
> diff --git a/projectroot/etc/rc.once.d/dropbear b/projectroot/etc/rc.once.d/dropbear
> index a126b26db76e..451236097832 100644
> --- a/projectroot/etc/rc.once.d/dropbear
> +++ b/projectroot/etc/rc.once.d/dropbear
> @@ -3,12 +3,9 @@
>  PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
>  
>  DROPBEAR_RSAKEY_DEFAULT="@KEYDIR@/dropbear_rsa_host_key"
> -DROPBEAR_DSSKEY_DEFAULT="@KEYDIR@/dropbear_dss_host_key"
>  
>  test -n "$DROPBEAR_RSAKEY" || \
>    DROPBEAR_RSAKEY=$DROPBEAR_RSAKEY_DEFAULT
> -test -n "$DROPBEAR_DSSKEY" || \
> -  DROPBEAR_DSSKEY=$DROPBEAR_DSSKEY_DEFAULT
>  
>  gen_key() {
>  
> @@ -29,5 +26,3 @@ gen_key() {
>  }
>  
>  [ -e "$DROPBEAR_RSAKEY" ] || gen_key rsa "$DROPBEAR_RSAKEY"
> -[ -e "$DROPBEAR_DSSKEY" ] || gen_key dss "$DROPBEAR_DSSKEY"
> -
> diff --git a/rules/dropbear.in b/rules/dropbear.in
> index 507ee8e7f28e..8ae2d788bd27 100644
> --- a/rules/dropbear.in
> +++ b/rules/dropbear.in
> @@ -260,7 +260,7 @@ config DROPBEAR_SHA512
>  	  SHA-1. SHA-2 consists of a set of four hash functions with digests
>  	  that are 224, 256, 384 or 512 bits.
>  
> -comment "Hostkey/public key algorithms, at least one required --- RSA is recommended, DSS is not recommended for new keys"
> +comment "Hostkey/public key algorithms, at least one required ---"
>  
>  config DROPBEAR_RSA
>  	bool
> @@ -277,7 +277,7 @@ config DROPBEAR_ECDSA
>  	prompt "ecdsa"
>  	help
>  	  ECDSA stands for Elliptic Curve Digital Signature Algorithm.
> -	  ECDSA is significantly faster than RSA or DSS.
> +	  ECDSA is significantly faster than RSA.
>  
>  comment "Key exchange algorithm ---"
>  
> diff --git a/rules/dropbear.make b/rules/dropbear.make
> index 536c9176a5d7..c4577fed2685 100644
> --- a/rules/dropbear.make
> +++ b/rules/dropbear.make
> @@ -198,6 +198,9 @@ else
>  endif
>  
>  # host key / public key
> +	@echo "ptxdist: disabling dss"
> +	@echo "#define DROPBEAR_DSS 0" >> $(DROPBEAR_LOCALOPTIONS)
> +
>  ifdef PTXCONF_DROPBEAR_RSA
>  	@echo "ptxdist: enabling rsa"
>  	@echo "#define DROPBEAR_RSA 1" >> $(DROPBEAR_LOCALOPTIONS)

_______________________________________________
ptxdist mailing list
ptxdist@pengutronix.de
To unsubscribe, send a mail with subject "unsubscribe" to ptxdist-request@pengutronix.de

Re: [ptxdist] [APPLIED] dropbear: Move targetinstall of rc-once script

[Michael Olbrich]

Thanks, applied as 5f4f0cfc400120e7e59fa350781f136a1743e898.

Michael

[sent from post-receive hook]

On Fri, 26 Nov 2021 15:34:59 +0100, Alexander Dahl <ada@thorsis.com> wrote:
> Key generation is still needed if someone decides not to install the
> init script or uses a different init system.
> 
> Fixes: 0e0f5d31e0e0 ("[dropbear] use rc-once to create server keys")
> Signed-off-by: Alexander Dahl <ada@thorsis.com>
> Message-Id: <20211105154734.19983-3-ada@thorsis.com>
> Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
> 
> diff --git a/rules/dropbear.make b/rules/dropbear.make
> index c4577fed2685..501b94764899 100644
> --- a/rules/dropbear.make
> +++ b/rules/dropbear.make
> @@ -281,6 +281,10 @@ endif
>  ifdef PTXCONF_DROPBEAR_DROPBEAR_KEY
>  	@$(call install_copy, dropbear, 0, 0, 0755, -, \
>  		/usr/bin/dropbearkey)
> +
> +	@$(call install_alternative, dropbear, 0, 0, 0755, /etc/rc.once.d/dropbear, n)
> +	@$(call install_replace, dropbear, /etc/rc.once.d/dropbear, \
> +		@KEYDIR@, $(PTXCONF_DROPBEAR_KEY_DIR))
>  endif
>  
>  ifdef PTXCONF_DROPBEAR_DROPBEAR_CONVERT
> @@ -303,9 +307,6 @@ ifdef PTXCONF_DROPBEAR_STARTSCRIPT
>  	@$(call install_alternative, dropbear, 0, 0, 0755, /etc/init.d/dropbear, n)
>  	@$(call install_replace, dropbear, /etc/init.d/dropbear, \
>  		@KEYDIR@, $(PTXCONF_DROPBEAR_KEY_DIR))
> -	@$(call install_alternative, dropbear, 0, 0, 0755, /etc/rc.once.d/dropbear, n)
> -	@$(call install_replace, dropbear, /etc/rc.once.d/dropbear, \
> -		@KEYDIR@, $(PTXCONF_DROPBEAR_KEY_DIR))
>  
>  ifneq ($(call remove_quotes,$(PTXCONF_DROPBEAR_BBINIT_LINK)),)
>  	@$(call install_link, dropbear, \

_______________________________________________
ptxdist mailing list
ptxdist@pengutronix.de
To unsubscribe, send a mail with subject "unsubscribe" to ptxdist-request@pengutronix.de

Re: [ptxdist] [APPLIED] dropbear: Move shell variables to new common shell lib

[Michael Olbrich]

Thanks, applied as 29b74e865d10c82291e72fbf0dca1701bc5177bc.

Michael

[sent from post-receive hook]

On Fri, 26 Nov 2021 15:35:00 +0100, Alexander Dahl <ada@thorsis.com> wrote:
> init script and rc-once script use some common variables and
> targetinstall replace happens twice for each, so to make things less
> complex put those common variables in a common place.
> 
> While at it, remove that DROPBEAR_xxxKEY_DEFAULT indirection, which
> probably originates in the init script from Debian, which seems was the
> base for developing this script at least 15 years ago.
> 
> The lib will be extended with more variables later.
> 
> Signed-off-by: Alexander Dahl <ada@thorsis.com>
> Message-Id: <20211105154734.19983-4-ada@thorsis.com>
> Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
> 
> diff --git a/projectroot/etc/init.d/dropbear b/projectroot/etc/init.d/dropbear
> index 4d6530bdcc46..b394eab1548f 100644
> --- a/projectroot/etc/init.d/dropbear
> +++ b/projectroot/etc/init.d/dropbear
> @@ -7,14 +7,12 @@ NAME=dropbear
>  DROPBEAR_PORT=22
>  DROPBEAR_EXTRA_ARGS=
>  
> -# test ! -h /var/service/dropbear || exit 0
> +. /usr/lib/init/dropbear.sh
>  
> -DROPBEAR_RSAKEY_DEFAULT="@KEYDIR@/dropbear_rsa_host_key"
> +# test ! -h /var/service/dropbear || exit 0
>  
>  test -z "$DROPBEAR_BANNER" || \
>    DROPBEAR_EXTRA_ARGS="$DROPBEAR_EXTRA_ARGS -b $DROPBEAR_BANNER"
> -test -n "$DROPBEAR_RSAKEY" || \
> -  DROPBEAR_RSAKEY=$DROPBEAR_RSAKEY_DEFAULT
>  test -n "$DROPBEAR_KEYTYPES" || \
>    DROPBEAR_KEYTYPES="rsa"
>  
> diff --git a/projectroot/etc/rc.once.d/dropbear b/projectroot/etc/rc.once.d/dropbear
> index 451236097832..b70f5f22e997 100644
> --- a/projectroot/etc/rc.once.d/dropbear
> +++ b/projectroot/etc/rc.once.d/dropbear
> @@ -2,10 +2,7 @@
>  
>  PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
>  
> -DROPBEAR_RSAKEY_DEFAULT="@KEYDIR@/dropbear_rsa_host_key"
> -
> -test -n "$DROPBEAR_RSAKEY" || \
> -  DROPBEAR_RSAKEY=$DROPBEAR_RSAKEY_DEFAULT
> +. /usr/lib/init/dropbear.sh
>  
>  gen_key() {
>  
> diff --git a/projectroot/usr/lib/init/dropbear.sh b/projectroot/usr/lib/init/dropbear.sh
> new file mode 100644
> index 000000000000..7b94429b4781
> --- /dev/null
> +++ b/projectroot/usr/lib/init/dropbear.sh
> @@ -0,0 +1,3 @@
> +#!/bin/sh
> +
> +DROPBEAR_RSAKEY='@KEYDIR@/dropbear_rsa_host_key'
> diff --git a/rules/dropbear.make b/rules/dropbear.make
> index 501b94764899..bdf855fe388d 100644
> --- a/rules/dropbear.make
> +++ b/rules/dropbear.make
> @@ -273,6 +273,10 @@ $(STATEDIR)/dropbear.targetinstall:
>  	@$(call install_fixup, dropbear,AUTHOR,"Robert Schwebel <r.schwebel@pengutronix.de>")
>  	@$(call install_fixup, dropbear,DESCRIPTION,missing)
>  
> +	@$(call install_alternative, dropbear, 0, 0, 0644, /usr/lib/init/dropbear.sh)
> +	@$(call install_replace, dropbear, /usr/lib/init/dropbear.sh, \
> +		@KEYDIR@, $(PTXCONF_DROPBEAR_KEY_DIR))
> +
>  ifdef PTXCONF_DROPBEAR_DROPBEAR
>  	@$(call install_copy, dropbear, 0, 0, 0755, -, \
>  		/usr/sbin/dropbear)
> @@ -283,8 +287,6 @@ ifdef PTXCONF_DROPBEAR_DROPBEAR_KEY
>  		/usr/bin/dropbearkey)
>  
>  	@$(call install_alternative, dropbear, 0, 0, 0755, /etc/rc.once.d/dropbear, n)
> -	@$(call install_replace, dropbear, /etc/rc.once.d/dropbear, \
> -		@KEYDIR@, $(PTXCONF_DROPBEAR_KEY_DIR))
>  endif
>  
>  ifdef PTXCONF_DROPBEAR_DROPBEAR_CONVERT
> @@ -305,8 +307,6 @@ endif
>  
>  ifdef PTXCONF_DROPBEAR_STARTSCRIPT
>  	@$(call install_alternative, dropbear, 0, 0, 0755, /etc/init.d/dropbear, n)
> -	@$(call install_replace, dropbear, /etc/init.d/dropbear, \
> -		@KEYDIR@, $(PTXCONF_DROPBEAR_KEY_DIR))
>  
>  ifneq ($(call remove_quotes,$(PTXCONF_DROPBEAR_BBINIT_LINK)),)
>  	@$(call install_link, dropbear, \

_______________________________________________
ptxdist mailing list
ptxdist@pengutronix.de
To unsubscribe, send a mail with subject "unsubscribe" to ptxdist-request@pengutronix.de

Re: [ptxdist] [APPLIED] dropbear: Move KEYTYPES to shell lib and set based on menu

[Michael Olbrich]

Thanks, applied as 377f4c01cc541fcef039332ec1abf028b2b8bbea.

Michael

[sent from post-receive hook]

On Fri, 26 Nov 2021 15:35:01 +0100, Alexander Dahl <ada@thorsis.com> wrote:
> The variable is currently not used, but it will be useful later for key
> generation and daemon startup based on actually selected host key types.
> 
> Signed-off-by: Alexander Dahl <ada@thorsis.com>
> Message-Id: <20211105154734.19983-5-ada@thorsis.com>
> Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
> 
> diff --git a/projectroot/etc/init.d/dropbear b/projectroot/etc/init.d/dropbear
> index b394eab1548f..15671c9d8a22 100644
> --- a/projectroot/etc/init.d/dropbear
> +++ b/projectroot/etc/init.d/dropbear
> @@ -13,8 +13,6 @@ DROPBEAR_EXTRA_ARGS=
>  
>  test -z "$DROPBEAR_BANNER" || \
>    DROPBEAR_EXTRA_ARGS="$DROPBEAR_EXTRA_ARGS -b $DROPBEAR_BANNER"
> -test -n "$DROPBEAR_KEYTYPES" || \
> -  DROPBEAR_KEYTYPES="rsa"
>  
>  dropbear_start() {
>  
> diff --git a/projectroot/usr/lib/init/dropbear.sh b/projectroot/usr/lib/init/dropbear.sh
> index 7b94429b4781..f4a083b8cc01 100644
> --- a/projectroot/usr/lib/init/dropbear.sh
> +++ b/projectroot/usr/lib/init/dropbear.sh
> @@ -1,3 +1,4 @@
>  #!/bin/sh
>  
>  DROPBEAR_RSAKEY='@KEYDIR@/dropbear_rsa_host_key'
> +DROPBEAR_KEYTYPES='@KEYTYPES@'
> diff --git a/rules/dropbear.make b/rules/dropbear.make
> index bdf855fe388d..102825ed6ab4 100644
> --- a/rules/dropbear.make
> +++ b/rules/dropbear.make
> @@ -264,6 +264,13 @@ DROPBEAR_INSTALL_OPT	:= install inst_scp
>  # Target-Install
>  # ----------------------------------------------------------------------------
>  
> +ifdef PTXCONF_DROPBEAR_RSA
> +DROPBEAR_KEY_TYPES	+= rsa
> +endif
> +ifdef PTXCONF_DROPBEAR_ECDSA
> +DROPBEAR_KEY_TYPES	+= ecdsa
> +endif
> +
>  $(STATEDIR)/dropbear.targetinstall:
>  	@$(call targetinfo)
>  
> @@ -276,6 +283,8 @@ $(STATEDIR)/dropbear.targetinstall:
>  	@$(call install_alternative, dropbear, 0, 0, 0644, /usr/lib/init/dropbear.sh)
>  	@$(call install_replace, dropbear, /usr/lib/init/dropbear.sh, \
>  		@KEYDIR@, $(PTXCONF_DROPBEAR_KEY_DIR))
> +	@$(call install_replace, dropbear, /usr/lib/init/dropbear.sh, \
> +		@KEYTYPES@, '$(DROPBEAR_KEY_TYPES)')
>  
>  ifdef PTXCONF_DROPBEAR_DROPBEAR
>  	@$(call install_copy, dropbear, 0, 0, 0755, -, \

_______________________________________________
ptxdist mailing list
ptxdist@pengutronix.de
To unsubscribe, send a mail with subject "unsubscribe" to ptxdist-request@pengutronix.de

Re: [ptxdist] [APPLIED] dropbear: Refactor rc-once and init to use KEYTYPES

[Michael Olbrich]

Thanks, applied as cf0424f8ba234645b8706edc2e9105eb7f421b2e.

Michael

[sent from post-receive hook]

On Fri, 26 Nov 2021 15:35:02 +0100, Alexander Dahl <ada@thorsis.com> wrote:
> Previously DSS and RSA keys were always generated, regardless if
> dropbear was built with support for that host key or not, which somehow
> contradicts what commit message of 01ac7cc409b5 ("dropbear: Remove
> deprecated options") promised.
> 
> No other things changed here, just considering that KEYTYPES list for
> 'rsa' for now.
> 
> Signed-off-by: Alexander Dahl <ada@thorsis.com>
> Message-Id: <20211105154734.19983-6-ada@thorsis.com>
> Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
> 
> diff --git a/projectroot/etc/init.d/dropbear b/projectroot/etc/init.d/dropbear
> index 15671c9d8a22..4dda9aaf7d64 100644
> --- a/projectroot/etc/init.d/dropbear
> +++ b/projectroot/etc/init.d/dropbear
> @@ -15,9 +15,18 @@ test -z "$DROPBEAR_BANNER" || \
>    DROPBEAR_EXTRA_ARGS="$DROPBEAR_EXTRA_ARGS -b $DROPBEAR_BANNER"
>  
>  dropbear_start() {
> -
>      KEY_ARGS=""
> -    test -f $DROPBEAR_RSAKEY && KEY_ARGS="$KEY_ARGS -r $DROPBEAR_RSAKEY"
> +    for keytype in $DROPBEAR_KEYTYPES
> +    do
> +        case "$keytype" in
> +            rsa)
> +                test -f "$DROPBEAR_RSAKEY" && KEY_ARGS="$KEY_ARGS -r $DROPBEAR_RSAKEY"
> +                ;;
> +            *)
> +                echo "Key type '$keytype' not supported"
> +                ;;
> +        esac
> +    done
>  
>      echo -n "starting dropbear..."
>  
> diff --git a/projectroot/etc/rc.once.d/dropbear b/projectroot/etc/rc.once.d/dropbear
> index b70f5f22e997..0735fed38818 100644
> --- a/projectroot/etc/rc.once.d/dropbear
> +++ b/projectroot/etc/rc.once.d/dropbear
> @@ -5,10 +5,11 @@ PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
>  . /usr/lib/init/dropbear.sh
>  
>  gen_key() {
> -
>  	key_type=$1
>  	key_file=$2
>  
> +	[ -e "$key_file" ] && return
> +
>  	rm -f $key_file > /dev/null 2>&1
>  
>  	echo -n "generating $key_type key..."
> @@ -22,4 +23,22 @@ gen_key() {
>  	fi
>  }
>  
> -[ -e "$DROPBEAR_RSAKEY" ] || gen_key rsa "$DROPBEAR_RSAKEY"
> +gen_keys() {
> +	for keytype in $DROPBEAR_KEYTYPES
> +	do
> +		case "$keytype" in
> +			rsa)
> +				gen_key rsa "$DROPBEAR_RSAKEY"
> +				;;
> +			*)
> +				echo "Key type '$keytype' not supported"
> +				;;
> +		esac
> +	done
> +}
> +
> +if ! gen_keys
> +then
> +	echo "Generating SSH keys failed!"
> +	exit 1
> +fi

_______________________________________________
ptxdist mailing list
ptxdist@pengutronix.de
To unsubscribe, send a mail with subject "unsubscribe" to ptxdist-request@pengutronix.de

Re: [ptxdist] [APPLIED] dropbear: Support ecdsa keys in rc-once and init

[Michael Olbrich]

Thanks, applied as ea8fb9e68ff16f7537f89217201fbea63ef347c9.

Michael

[sent from post-receive hook]

On Fri, 26 Nov 2021 15:35:04 +0100, Alexander Dahl <ada@thorsis.com> wrote:
> With 54afea33423c ("dropbear: Added Elliptic Curve Cryptography
> options.") an option was added to built with ecdsa host key support, but
> scripts where not adapted back then.
> 
> Signed-off-by: Alexander Dahl <ada@thorsis.com>
> Message-Id: <20211105154734.19983-7-ada@thorsis.com>
> Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
> 
> diff --git a/projectroot/etc/init.d/dropbear b/projectroot/etc/init.d/dropbear
> index 4dda9aaf7d64..2039340b2fbd 100644
> --- a/projectroot/etc/init.d/dropbear
> +++ b/projectroot/etc/init.d/dropbear
> @@ -22,6 +22,9 @@ dropbear_start() {
>              rsa)
>                  test -f "$DROPBEAR_RSAKEY" && KEY_ARGS="$KEY_ARGS -r $DROPBEAR_RSAKEY"
>                  ;;
> +            ecdsa)
> +                test -f "$DROPBEAR_ECDSAKEY" && KEY_ARGS="$KEY_ARGS -r $DROPBEAR_ECDSAKEY"
> +                ;;
>              *)
>                  echo "Key type '$keytype' not supported"
>                  ;;
> diff --git a/projectroot/etc/rc.once.d/dropbear b/projectroot/etc/rc.once.d/dropbear
> index 0735fed38818..b1c40fdbbe5c 100644
> --- a/projectroot/etc/rc.once.d/dropbear
> +++ b/projectroot/etc/rc.once.d/dropbear
> @@ -30,6 +30,9 @@ gen_keys() {
>  			rsa)
>  				gen_key rsa "$DROPBEAR_RSAKEY"
>  				;;
> +			ecdsa)
> +				gen_key ecdsa "$DROPBEAR_ECDSAKEY"
> +				;;
>  			*)
>  				echo "Key type '$keytype' not supported"
>  				;;
> diff --git a/projectroot/usr/lib/init/dropbear.sh b/projectroot/usr/lib/init/dropbear.sh
> index f4a083b8cc01..12fd6e5ce3f6 100644
> --- a/projectroot/usr/lib/init/dropbear.sh
> +++ b/projectroot/usr/lib/init/dropbear.sh
> @@ -1,4 +1,5 @@
>  #!/bin/sh
>  
>  DROPBEAR_RSAKEY='@KEYDIR@/dropbear_rsa_host_key'
> +DROPBEAR_ECDSAKEY='@KEYDIR@/dropbear_ecdsa_host_key'
>  DROPBEAR_KEYTYPES='@KEYTYPES@'

_______________________________________________
ptxdist mailing list
ptxdist@pengutronix.de
To unsubscribe, send a mail with subject "unsubscribe" to ptxdist-request@pengutronix.de

Re: [ptxdist] [APPLIED] dropbear: rc-once: Regenerate key if invalid key is found

[Michael Olbrich]

Thanks, applied as 2e864fb02dbb3733f2ef3808b86364441da364a2.

Michael

[sent from post-receive hook]

On Fri, 26 Nov 2021 15:35:05 +0100, Alexander Dahl <ada@thorsis.com> wrote:
> Previously just existence of a key file was checked, which allowed
> empty key files or invalid key files to persist. That would have
> prevented dropbear server daemon startup.
> 
> Note: this does not always regenerate keys, only if rc-once is triggered
> and run again for whatever reason.
> 
> Signed-off-by: Alexander Dahl <ada@thorsis.com>
> Message-Id: <20211105154734.19983-8-ada@thorsis.com>
> Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
> 
> diff --git a/projectroot/etc/rc.once.d/dropbear b/projectroot/etc/rc.once.d/dropbear
> index b1c40fdbbe5c..8a04406242e4 100644
> --- a/projectroot/etc/rc.once.d/dropbear
> +++ b/projectroot/etc/rc.once.d/dropbear
> @@ -8,7 +8,8 @@ gen_key() {
>  	key_type=$1
>  	key_file=$2
>  
> -	[ -e "$key_file" ] && return
> +	# do not overwrite valid key files
> +	[ -s "$key_file" ] && dropbearkey -y -f "$key_file" > /dev/null 2>&1 && return
>  
>  	rm -f $key_file > /dev/null 2>&1
>  

_______________________________________________
ptxdist mailing list
ptxdist@pengutronix.de
To unsubscribe, send a mail with subject "unsubscribe" to ptxdist-request@pengutronix.de

Re: [ptxdist] [APPLIED] openssh: rc-once: Do not overwrite existing keys

[Michael Olbrich]

Thanks, applied as ac33521e077e313ad9c67a4ca2c8bf44de34cbc2.

Michael

[sent from post-receive hook]

On Fri, 26 Nov 2021 15:35:06 +0100, Alexander Dahl <ada@thorsis.com> wrote:
> When storing your keys not in rootfs but on a separate data partition
> (using symbolic links or overlay fs), keys are overwritten on each
> firmware upgrade which lets rc-once run again (which happens when using
> opkg upgrade/update or RAUC in an A/B scheme for example).
> 
> Changing keys are at best annoying, but may be interpreted as an attack
> as well.
> 
> Note: if an empty or invalid key is found, the key is still regenerated.
> 
> Signed-off-by: Alexander Dahl <ada@thorsis.com>
> Message-Id: <20211105154734.19983-9-ada@thorsis.com>
> Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
> 
> diff --git a/projectroot/etc/rc.once.d/openssh b/projectroot/etc/rc.once.d/openssh
> index 545586f07629..717d6457eeb3 100644
> --- a/projectroot/etc/rc.once.d/openssh
> +++ b/projectroot/etc/rc.once.d/openssh
> @@ -27,6 +27,7 @@ create_keys() {
>  	hostkeys="$(get_hostkeys)" || return
>  
>  	for keyfile in $hostkeys; do
> +		[ -s "$keyfile" ] && ssh-keygen -l -f "${keyfile}.pub" > /dev/null && continue
>  		create_key "$keyfile" || return
>  	done
>  }

_______________________________________________
ptxdist mailing list
ptxdist@pengutronix.de
To unsubscribe, send a mail with subject "unsubscribe" to ptxdist-request@pengutronix.de