From: Alexander Dahl <ada@thorsis.com>
To: Michael Olbrich <m.olbrich@pengutronix.de>
Cc: Denis Osterland-Heim <denis.osterland@diehl.com>,
	ptxdist@pengutronix.de, Bruno Thomsen <bruno.thomsen@gmail.com>,
	Alexander Stein <alexander.stein@systec-electronic.com>
Subject: Re: [ptxdist] [PATCH v2 5/8] dropbear: Refactor rc-once and init to use KEYTYPES
Date: Fri, 22 Oct 2021 11:05:37 +0200
Message-ID: <3971939.r3f0tfIcqM@ada>
In-Reply-To: <YXJ51Z939KesvaDU@pengutronix.de>

Hello Michael,

On Friday, 22 October 2021, 10:44:05 CEST, Michael Olbrich wrote:
> On Mon, Oct 18, 2021 at 04:35:51PM +0200, Alexander Dahl wrote:
> > Previously DSS and RSA keys were always generated, regardless of
> > whether dropbear was built with support for that host key or not, which
> > somehow contradicts what the commit message of 01ac7cc409b5 ("dropbear:
> > Remove deprecated options") promised.
> > 
> > Nothing else changed here, just considering the KEYTYPES list for
> > 'rsa' and 'dss' for now.
> > 
> > Signed-off-by: Alexander Dahl <ada@thorsis.com>
> > ---
> > 
> >  projectroot/etc/init.d/dropbear    | 17 ++++++++++++++---
> >  projectroot/etc/rc.once.d/dropbear | 26 +++++++++++++++++++++++---
> >  2 files changed, 37 insertions(+), 6 deletions(-)
> > 
> > diff --git a/projectroot/etc/init.d/dropbear
> > b/projectroot/etc/init.d/dropbear index 342565f93..88ef5aa71 100644
> > --- a/projectroot/etc/init.d/dropbear
> > +++ b/projectroot/etc/init.d/dropbear
> > @@ -15,10 +15,21 @@ test -z "$DROPBEAR_BANNER" || \
> > 
> >    DROPBEAR_EXTRA_ARGS="$DROPBEAR_EXTRA_ARGS -b $DROPBEAR_BANNER"
> >  
> >  dropbear_start() {
> > 
> > -
> > 
> >      KEY_ARGS=""
> > 
> > -    test -f $DROPBEAR_DSSKEY && KEY_ARGS="$KEY_ARGS -d $DROPBEAR_DSSKEY"
> > -    test -f $DROPBEAR_RSAKEY && KEY_ARGS="$KEY_ARGS -r $DROPBEAR_RSAKEY"
> > +    for keytype in $DROPBEAR_KEYTYPES
> > +    do
> > +        case "$keytype" in
> > +            dss)
> > +                test -f $DROPBEAR_DSSKEY && KEY_ARGS="$KEY_ARGS -d
> > $DROPBEAR_DSSKEY" +                ;;
> 
> Isn't dss disabled completely? So do we actually need this?

Depends where you look. :-/

The option was removed from the ptxdist menu, yes. Its use is discouraged, yes.

For the patch I did not want to refactor and change behaviour at the same 
time, so I would propose another patch for removing dss key support from the 
init and rc-once scripts. Should that come before or after the other changes?

From the dropbear point of view I'm not 100% sure, but I think it's still possible 
to build with dss support. ptxdist does not make an explicit decision on that 
and relies on dropbear internal defaults. Maybe we should disable that 
explicitly? The dropbear build is different from the standard ways, so it's a little 
harder to pin down all the options.

Greets
Alex

> 
> Michael
> 
> > +            rsa)
> > +                test -f $DROPBEAR_RSAKEY && KEY_ARGS="$KEY_ARGS -r
> > $DROPBEAR_RSAKEY" +                ;;
> > +            *)
> > +                echo "Key type '$keytype' not supported"
> > +                ;;
> > +        esac
> > +    done
> > 
> >      echo -n "starting dropbear..."
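Review bot: the `test -f $DROPBEAR_DSSKEY` and `test -f $DROPBEAR_RSAKEY` lines in the new `dss)` and `rsa)` branches leave the key path unquoted; if the variable is empty or unset (likely for the DSS path once dss is dropped, as discussed above), the word disappears, `test -f` runs with a single operand and evaluates true, and dropbear is started with a bare `-d` or `-r` and no path behind it. Suggest `test -f "$DROPBEAR_DSSKEY" && KEY_ARGS="$KEY_ARGS -d $DROPBEAR_DSSKEY"` (and the same for rsa). The `*)` branch only echoes and carries on, so a misconfigured DROPBEAR_KEYTYPES still starts dropbear with an empty KEY_ARGS; if that is intended, send the message to stderr (`>&2`) so it does not vanish into the "starting dropbear..." status line.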
> > 
> > diff --git a/projectroot/etc/rc.once.d/dropbear
> > b/projectroot/etc/rc.once.d/dropbear index dd922d727..a9a1d475c 100644
> > --- a/projectroot/etc/rc.once.d/dropbear
> > +++ b/projectroot/etc/rc.once.d/dropbear
> > @@ -5,10 +5,11 @@
> > PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin> 
> >  . /usr/lib/init/dropbear.sh
> >  
> >  gen_key() {
> > 
> > -
> > 
> >  	key_type=$1
> >  	key_file=$2
> > 
> > +	[ -e "$key_file" ] && return
> > +
> > 
> >  	rm -f $key_file > /dev/null 2>&1
> >  	
> >  	echo -n "generating $key_type key..."
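Review bot: with `[ -e "$key_file" ] && return` added at the top of gen_key, the `rm -f $key_file` two lines below is only reachable when `-e` is false, so the only thing it can still remove is a dangling symlink; if a later change wants to regenerate invalid keys, this early return is where it will have to hook in, so a one-line comment saying that existing keys are deliberately kept would help. Also prefer an explicit `return 0` over a bare `return` (which just forwards the test's status), and quote the path in the old `rm -f "$key_file"` for consistency with the new line.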
> > 
> > @@ -22,6 +23,25 @@ gen_key() {
> > 
> >  	fi
> >  
> >  }
> > 
> > -[ -e "$DROPBEAR_RSAKEY" ] || gen_key rsa "$DROPBEAR_RSAKEY"
> > -[ -e "$DROPBEAR_DSSKEY" ] || gen_key dss "$DROPBEAR_DSSKEY"
> > +gen_keys() {
> > +	for keytype in $DROPBEAR_KEYTYPES
> > +	do
> > +		case "$keytype" in
> > +			dss)
> > +				gen_key dss "$DROPBEAR_DSSKEY"
> > +				;;
> > +			rsa)
> > +				gen_key rsa "$DROPBEAR_RSAKEY"
> > +				;;
> > +			*)
> > +				echo "Key type '$keytype' not supported"
> > +				;;
> > +		esac
> > +	done
> > +}
> > 
> > +if ! gen_keys
> > +then
> > +	echo "Generating SSH keys failed!"
> > +	exit 1
> > +fi
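Review bot: `if ! gen_keys` only sees the exit status of the last command executed in the for loop, so a failing `gen_key rsa "$DROPBEAR_RSAKEY"` is masked when a later key type succeeds or when the `*)` branch's `echo` returns 0, and the script exits 0 with one host key missing. Suggest collecting the status instead: `ret=0` before the loop, `gen_key rsa "$DROPBEAR_RSAKEY" || ret=1` in each branch (plus `ret=1` in `*)` if an unknown key type should count as a failure), and `return $ret` after `done`. This assumes gen_key itself returns non-zero when key generation fails; its body is not part of the hunk. The "Generating SSH keys failed!" message should also go to stderr.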


-- 
Alexander Dahl           Thorsis Technologies GmbH   T +49 391 544 563 1000
Industrieautomation      Oststr. 18                  F +49 391 544 563 9099
T +49 391 544 563 3036   39114 Magdeburg             https://www.thorsis.com/

Registered office: Magdeburg
Stendal District Court HRB 110339
Managing Director: Dipl.-Ing. Thorsten Szczepanski
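As an added example (not ptxdist's own rc.once.d script and not posted by anyone in this thread), the following POSIX shell script shows the KEYTYPES-driven host key generation the patch describes, with two changes a reviewer would ask for: every path is quoted, and a failure for any key type in the list is reported, not only a failure of the last one. It assumes a hypothetical key directory KEYDIR and a stub function fake_dropbearkey standing in for `dropbearkey -t TYPE -f FILE`, so it runs without dropbear installed; FAKE_FAIL_TYPE is a constructed knob that forces the stub to fail for one key type.

```shell
#!/bin/sh
# Added example, not ptxdist's /etc/rc.once.d/dropbear: generate one dropbear
# host key per entry in DROPBEAR_KEYTYPES, keep keys that already exist, and
# fail if ANY key type failed, not just the last one.
#
# Assumptions (constructed for this example): KEYDIR is a hypothetical key
# directory, fake_dropbearkey stands in for 'dropbearkey -t TYPE -f FILE', and
# FAKE_FAIL_TYPE lets a test force a generator failure for one key type.

DROPBEAR_KEYTYPES="${DROPBEAR_KEYTYPES:-rsa ecdsa}"
KEYDIR="${KEYDIR:-$(mktemp -d)}"
FAKE_FAIL_TYPE="${FAKE_FAIL_TYPE:-}"

# Stub generator: writes a marker file; fails when asked for FAKE_FAIL_TYPE.
fake_dropbearkey() {
    [ "$1" = "$FAKE_FAIL_TYPE" ] && return 1
    printf 'stub %s host key\n' "$1" > "$2"
}

# Generate one key unless it already exists. Every path is quoted so an empty
# or space-containing value cannot turn into a missing or extra argument.
gen_key() {
    key_type=$1
    key_file=$2
    [ -e "$key_file" ] && return 0
    rm -f "$key_file"
    echo "generating $key_type key..."
    if fake_dropbearkey "$key_type" "$key_file"; then
        echo "done"
    else
        echo "failed" >&2
        return 1
    fi
}

# Walk the list, remember any failure, keep going so the remaining keys are
# still generated, then return the collected status.
gen_keys() {
    ret=0
    for keytype in $DROPBEAR_KEYTYPES
    do
        case "$keytype" in
            rsa|ecdsa|ed25519)
                gen_key "$keytype" "$KEYDIR/dropbear_${keytype}_host_key" || ret=1
                ;;
            *)
                echo "Key type '$keytype' not supported" >&2
                ret=1
                ;;
        esac
    done
    return $ret
}

# Usage: with the defaults above this generates rsa and ecdsa stub keys
# into KEYDIR and exits non-zero if any of them could not be generated.
if ! gen_keys
then
    echo "Generating SSH keys failed!" >&2
    exit 1
fi
```

The difference from a loop whose status is whatever the last iteration returned shows up when the first key type fails and a later one succeeds: gen_keys still returns 1, so the calling script notices that a host key is missing instead of reporting success.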



