From: Andre McCurdy <armccurdy@gmail.com>
To: openembedded-core@lists.openembedded.org
Subject: [PATCH 6/7] openssh: only create sshd host keys which have been enabled
Date: Thu,  7 Jun 2018 11:48:39 -0700
Message-ID: <1528397320-32269-6-git-send-email-armccurdy@gmail.com>
In-Reply-To: <1528397320-32269-1-git-send-email-armccurdy@gmail.com>

Previously sshd_check_keys would create a full set of all possible
sshd host keys, even if sshd_config has been set to only enable
certain key types.

Update sshd_check_keys to only create keys which have been enabled in
sshd_config (with a fallback to creating a full set of key types if
no HostKey options are defined, as before).

Signed-off-by: Andre McCurdy <armccurdy@gmail.com>
---
 .../openssh/openssh/sshd_check_keys                | 42 ++++++++++------------
 1 file changed, 19 insertions(+), 23 deletions(-)

diff --git a/meta/recipes-connectivity/openssh/openssh/sshd_check_keys b/meta/recipes-connectivity/openssh/openssh/sshd_check_keys
index be2e2ec..1931dc7 100644
--- a/meta/recipes-connectivity/openssh/openssh/sshd_check_keys
+++ b/meta/recipes-connectivity/openssh/openssh/sshd_check_keys
@@ -56,27 +56,23 @@ while true ; do
     esac
 done
 
-# parse location of keys
-HOST_KEY_RSA=$(grep ^HostKey "${sshd_config}" | grep _rsa_ | tail -1 | awk ' { print $2 } ')
-[ -z "${HOST_KEY_RSA}" ] && HOST_KEY_RSA=$(grep HostKey "${sshd_config}" | grep _rsa_ | tail -1 | awk ' { print $2 } ')
-[ -z "${HOST_KEY_RSA}" ] && HOST_KEY_RSA=$SYSCONFDIR/ssh_host_rsa_key
-HOST_KEY_ECDSA=$(grep ^HostKey "${sshd_config}" | grep _ecdsa_ | tail -1 | awk ' { print $2 } ')
-[ -z "${HOST_KEY_ECDSA}" ] && HOST_KEY_ECDSA=$(grep HostKey "${sshd_config}" | grep _ecdsa_ | tail -1 | awk ' { print $2 } ')
-[ -z "${HOST_KEY_ECDSA}" ] && HOST_KEY_ECDSA=$SYSCONFDIR/ssh_host_ecdsa_key
-HOST_KEY_ED25519=$(grep ^HostKey "${sshd_config}" | grep _ed25519_ | tail -1 | awk ' { print $2 } ')
-[ -z "${HOST_KEY_ED25519}" ] && HOST_KEY_ED25519=$(grep HostKey "${sshd_config}" | grep _ed25519_ | tail -1 | awk ' { print $2 } ')
-[ -z "${HOST_KEY_ED25519}" ] && HOST_KEY_ED25519=$SYSCONFDIR/ssh_host_ed25519_key
+HOST_KEYS=$(sed -n 's/^[ \t]*HostKey[ \t]\+\(.*\)/\1/p' "${sshd_config}")
+[ -z "${HOST_KEYS}" ] && HOST_KEYS="$SYSCONFDIR/ssh_host_rsa_key $SYSCONFDIR/ssh_host_ecdsa_key $SYSCONFDIR/ssh_host_ed25519_key"
 
-# create keys if necessary
-if [ ! -f $HOST_KEY_RSA ]; then
-    echo "  generating ssh RSA key..."
-    generate_key $HOST_KEY_RSA rsa
-fi
-if [ ! -f $HOST_KEY_ECDSA ]; then
-    echo "  generating ssh ECDSA key..."
-    generate_key $HOST_KEY_ECDSA ecdsa
-fi
-if [ ! -f $HOST_KEY_ED25519 ]; then
-    echo "  generating ssh ED25519 key..."
-    generate_key $HOST_KEY_ED25519 ed25519
-fi
+for key in ${HOST_KEYS} ; do
+    [ -f $key ] && continue
+    case $key in
+    *_rsa_key)
+        echo "  generating ssh RSA host key..."
+        generate_key $key rsa
+        ;;
+    *_ecdsa_key)
+        echo "  generating ssh ECDSA host key..."
+        generate_key $key ecdsa
+        ;;
+    *_ed25519_key)
+        echo "  generating ssh ED25519 host key..."
+        generate_key $key ed25519
+        ;;
+    esac
+done
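Review bot: the new case statement at the end of the hunk has no default arm, so a HostKey whose filename does not end in _rsa_key, _ecdsa_key or _ed25519_key (a DSA key, or any key file with a non-standard name) is silently skipped, and sshd will later complain about the missing file (and refuse to start if it was the only host key) with no hint from this script. Please add a "*)" arm that at least reports the path, e.g. '*) echo "  unknown host key type for $key, not generating it" ;;'. Two smaller points on the same hunk: the "\+" in the sed expression is a GNU/busybox extension rather than POSIX BRE, and sed -n 's/^[[:blank:]]*HostKey[[:blank:]][[:blank:]]*\(.*\)/\1/p' expresses the same match portably (note that "\(.*\)" also captures any trailing whitespace or "# comment" on the line); and "[ -f $key ]" should quote "$key" so a path containing whitespace is not split.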
-- 
1.9.1
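The following is an added example of the approach the commit message describes, written for this page; it is not the OE-Core sshd_check_keys script and not the patch's code. It goes a little beyond the patch: it ignores commented-out and indented HostKey lines, strips trailing comments, matches the keyword case-insensitively (as sshd does), and reports a HostKey whose name it cannot map to a key type instead of dropping it. The default directory, the ssh-keygen invocation and every function name here are assumptions of the example.

```sh
#!/bin/sh
# Example (not the OE-Core sshd_check_keys script): generate only the sshd host
# keys that sshd_config enables, falling back to the default rsa/ecdsa/ed25519
# set when no HostKey directive is present. The default directory, the
# ssh-keygen invocation and the function names are assumptions of this example.

SYSCONFDIR=${SYSCONFDIR:-/etc/ssh}

# Print the path from every active HostKey directive, one per line.
# Comments (whole-line or trailing) are stripped first, leading whitespace is
# handled by awk's default field splitting, and the keyword is matched
# case-insensitively because sshd treats configuration keywords that way.
enabled_host_keys() {
    awk '{ sub(/#.*/, "") }
         tolower($1) == "hostkey" && NF >= 2 { print $2 }' "$1"
}

# Print "<path> <type>" for each enabled host key that does not exist yet.
# The type is inferred from the conventional _<type>_key filename suffix; a
# path with no recognised suffix is reported as "unknown" rather than being
# dropped silently.
host_keys_to_generate() {
    keys=$(enabled_host_keys "$1")
    [ -z "$keys" ] && keys="$SYSCONFDIR/ssh_host_rsa_key $SYSCONFDIR/ssh_host_ecdsa_key $SYSCONFDIR/ssh_host_ed25519_key"
    for key in $keys; do
        [ -f "$key" ] && continue
        case $key in
            *_rsa_key)     echo "$key rsa" ;;
            *_ecdsa_key)   echo "$key ecdsa" ;;
            *_ed25519_key) echo "$key ed25519" ;;
            *)             echo "$key unknown" ;;
        esac
    done
}

# Create every missing key with ssh-keygen (no passphrase, as for any sshd host
# key) and warn about paths whose type could not be inferred.
generate_missing_host_keys() {
    host_keys_to_generate "$1" | while read -r path type; do
        if [ "$type" = unknown ]; then
            echo "warning: cannot infer key type for $path, not generating it" >&2
            continue
        fi
        echo "  generating ssh $type host key $path..."
        ssh-keygen -q -N '' -t "$type" -f "$path"
    done
}

# Usage: generate_missing_host_keys /etc/ssh/sshd_config
```

Keeping the decision (host_keys_to_generate) separate from the side effect (generate_missing_host_keys) makes the parsing testable on a constructed sshd_config without touching ssh-keygen, and the explicit "unknown" result is what lets an init script log a configured-but-ungeneratable key instead of leaving sshd to discover the missing file at start-up.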
