From: Michael Olbrich
Date: Tue, 06 Oct 2020 10:18:20 +0200
Subject: Re: [ptxdist] [APPLIED] openssh/rc-once: iterate over configured hostkeys
In-Reply-To: <20200821112902.17281-2-christian.hermann@hytera.de>
To: ptxdist@pengutronix.de
Cc: Christian Hermann

Thanks, applied as cf2b6aa24e21431186e255312b7c4f6691ad367a.

Michael

[sent from post-receive hook]

On Tue, 06 Oct 2020 10:18:20 +0200, Christian Hermann wrote:
> ...instead of relying on a hardcoded list of keytypes.
>
> Some cleanup was performed as well:
> * merge key gathering functions
> * absence of sshd_config was tested but properly propagated and
> therefore not properly handled.
>
> Tested with sed implementations of busybox-1.31.1, toybox-0.8.3 and GNU.
>
> Signed-off-by: Christian Hermann
> Message-Id: <20200821112902.17281-2-christian.hermann@hytera.de>
> Signed-off-by: Michael Olbrich
>
> diff --git a/projectroot/etc/rc.once.d/openssh b/projectroot/etc/rc.once.d/openssh
> index fe8b00691122..545586f07629 100644
> --- a/projectroot/etc/rc.once.d/openssh
> +++ b/projectroot/etc/rc.once.d/openssh
> @@ -3,43 +3,32 @@ > PATH=/sbin:/bin:/usr/sbin:/usr/bin > > get_hostkeys() { > - [ -f /etc/ssh/sshd_config ] || return > - sed -n 's/^HostKey[ \t][ \t]*\(.*\)/\1/p' /etc/ssh/sshd_config > -} > - > -host_keys_required() { > - hostkeys="$(get_hostkeys)" > - if [ "$hostkeys" ]; then > - echo "$hostkeys" > - else > - # No HostKey directives found, so we pick secure defaults > - echo /etc/ssh/ssh_host_ed25519_key > - fi > + hostkeys="$(sed -E -n -e 's/^HostKey[[:space:]]+(.*)/\1/p' /etc/ssh/sshd_config)" || return > + # pick secure defaults if no HostKey directives are found > + echo "${hostkeys:-/etc/ssh/ssh_host_ed25519_key}" > } > > create_key() { > - keytype="$1" > - shift > - hostkeys="$1" > - shift > - > - file="/etc/ssh/ssh_host_${keytype}_key" > - > - if echo "$hostkeys" | grep -x -F "$file" >/dev/null; then > - echo "Create $keytype key; this may take some time ..." > - rm -f $file && > - ssh-keygen -q -f "$file" -N '' -t "$keytype" "$@" || return > - echo "Created $keytype key." > - fi > + keyfile="$1" > + keytype="$(echo "$keyfile" | sed -E -e 's/.*ssh_host_(.*)_key$/\1/')" > + > + keygen_args= > + case "$keytype" in > + rsa) keygen_args="-b 4096" ;; > + esac > + > + echo "Create $keytype key; this may take some time ..." > + rm -f "$keyfile" && > + ssh-keygen -q -f "$keyfile" -N '' -t "$keytype" $keygen_args || return > + echo "Created $keytype key." > } > > create_keys() { > - hostkeys="$(host_keys_required)" > + hostkeys="$(get_hostkeys)" || return > > - create_key "dsa" "$hostkeys" && > - create_key "ecdsa" "$hostkeys" && > - create_key "ed25519" "$hostkeys" && > - create_key "rsa" "$hostkeys" -b 4096 > + for keyfile in $hostkeys; do > + create_key "$keyfile" || return > + done > } > > if ! create_keys; then _______________________________________________ ptxdist mailing list ptxdist@pengutronix.de To unsubscribe, send a mail with subject "unsubscribe" to ptxdist-request@pengutronix.de
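Review bot: in `create_key`, the key type is derived with `sed -E -e 's/.*ssh_host_(.*)_key$/\1/'`, which passes the whole path through unchanged when a configured HostKey does not follow the `ssh_host_<type>_key` naming, so `keytype` becomes the file name, `rm -f "$keyfile"` runs anyway, and the error only surfaces at `ssh-keygen -t "$keytype"`. Consider checking that the derived `keytype` differs from `keyfile` (or is one of the types ssh-keygen accepts) and returning with a clear message before the `rm -f` line. A smaller point: `for keyfile in $hostkeys` depends on word splitting, so a HostKey line carrying a trailing comment or a path with whitespace would be split into several bogus file names; the `[[:space:]]+(.*)` capture in `get_hostkeys` could trim trailing whitespace and comments to make that robust.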