From: Andre McCurdy <armccurdy@gmail.com>
To: openembedded-core@lists.openembedded.org
Subject: [PATCH 6/7] openssh: only create sshd host keys which have been enabled
Date: Thu,  7 Jun 2018 11:48:39 -0700
Message-ID: <1528397320-32269-6-git-send-email-armccurdy@gmail.com>
In-Reply-To: <1528397320-32269-1-git-send-email-armccurdy@gmail.com>

Previously sshd_check_keys would create a full set of all possible
sshd host keys, even if sshd_config has been set to only enable
certain key types.

Update sshd_check_keys to only create keys which have been enabled in
sshd_config (with a fallback to creating a full set of key types if
no HostKey options are defined, as before).

Signed-off-by: Andre McCurdy <armccurdy@gmail.com>
---
 .../openssh/openssh/sshd_check_keys                | 42 ++++++++++------------
 1 file changed, 19 insertions(+), 23 deletions(-)

diff --git a/meta/recipes-connectivity/openssh/openssh/sshd_check_keys b/meta/recipes-connectivity/openssh/openssh/sshd_check_keys
index be2e2ec..1931dc7 100644
--- a/meta/recipes-connectivity/openssh/openssh/sshd_check_keys
+++ b/meta/recipes-connectivity/openssh/openssh/sshd_check_keys
@@ -56,27 +56,23 @@ while true ; do
     esac
 done
 
-# parse location of keys
-HOST_KEY_RSA=$(grep ^HostKey "${sshd_config}" | grep _rsa_ | tail -1 | awk ' { print $2 } ')
-[ -z "${HOST_KEY_RSA}" ] && HOST_KEY_RSA=$(grep HostKey "${sshd_config}" | grep _rsa_ | tail -1 | awk ' { print $2 } ')
-[ -z "${HOST_KEY_RSA}" ] && HOST_KEY_RSA=$SYSCONFDIR/ssh_host_rsa_key
-HOST_KEY_ECDSA=$(grep ^HostKey "${sshd_config}" | grep _ecdsa_ | tail -1 | awk ' { print $2 } ')
-[ -z "${HOST_KEY_ECDSA}" ] && HOST_KEY_ECDSA=$(grep HostKey "${sshd_config}" | grep _ecdsa_ | tail -1 | awk ' { print $2 } ')
-[ -z "${HOST_KEY_ECDSA}" ] && HOST_KEY_ECDSA=$SYSCONFDIR/ssh_host_ecdsa_key
-HOST_KEY_ED25519=$(grep ^HostKey "${sshd_config}" | grep _ed25519_ | tail -1 | awk ' { print $2 } ')
-[ -z "${HOST_KEY_ED25519}" ] && HOST_KEY_ED25519=$(grep HostKey "${sshd_config}" | grep _ed25519_ | tail -1 | awk ' { print $2 } ')
-[ -z "${HOST_KEY_ED25519}" ] && HOST_KEY_ED25519=$SYSCONFDIR/ssh_host_ed25519_key
+HOST_KEYS=$(sed -n 's/^[ \t]*HostKey[ \t]\+\(.*\)/\1/p' "${sshd_config}")
+[ -z "${HOST_KEYS}" ] && HOST_KEYS="$SYSCONFDIR/ssh_host_rsa_key $SYSCONFDIR/ssh_host_ecdsa_key $SYSCONFDIR/ssh_host_ed25519_key"
 
-# create keys if necessary
-if [ ! -f $HOST_KEY_RSA ]; then
-    echo "  generating ssh RSA key..."
-    generate_key $HOST_KEY_RSA rsa
-fi
-if [ ! -f $HOST_KEY_ECDSA ]; then
-    echo "  generating ssh ECDSA key..."
-    generate_key $HOST_KEY_ECDSA ecdsa
-fi
-if [ ! -f $HOST_KEY_ED25519 ]; then
-    echo "  generating ssh ED25519 key..."
-    generate_key $HOST_KEY_ED25519 ed25519
-fi
+for key in ${HOST_KEYS} ; do
+    [ -f $key ] && continue
+    case $key in
+    *_rsa_key)
+        echo "  generating ssh RSA host key..."
+        generate_key $key rsa
+        ;;
+    *_ecdsa_key)
+        echo "  generating ssh ECDSA host key..."
+        generate_key $key ecdsa
+        ;;
+    *_ed25519_key)
+        echo "  generating ssh ED25519 host key..."
+        generate_key $key ed25519
+        ;;
+    esac
+done
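Review bot: the new `case` statement has no default branch, so any `HostKey` entry whose filename does not end in `_rsa_key`, `_ecdsa_key` or `_ed25519_key` (a `ssh_host_dsa_key` line, or a key stored under a site-specific name) is silently skipped and sshd will later fail to load a key this script never generated; the old code at least always produced its three fixed files. Suggest adding a catch-all such as `*) echo "  unknown host key type for ${key}, not generating" ;;` so the omission is visible in the boot log. Two smaller points in the same hunk: `[ -f $key ]` and the `generate_key $key ...` calls should quote `"$key"` (the `for key in ${HOST_KEYS}` word-splitting already limits paths to ones without whitespace, so the quoting is cheap consistency rather than a fix), and the `sed` expression only matches the exact spelling `HostKey`, whereas sshd accepts the keyword case-insensitively; that matches the previous `grep ^HostKey` behaviour, so it is fine to keep, but worth a comment so nobody later treats it as a bug.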
-- 
1.9.1
2018-06-07 18:48 [PATCH 1/7] openssh: stop adding -D__FILE_OFFSET_BITS=64 to CFLAGS Andre McCurdy
2018-06-07 18:48 ` [PATCH 2/7] openssh: stop manually hiding libutil etc headers from configure Andre McCurdy
2018-06-15 10:15   ` Richard Purdie
2018-06-22 19:56     ` Andre McCurdy
2018-06-07 18:48 ` [PATCH 3/7] openssh: drop RCONFLICTS for openssh-keygen Andre McCurdy
2018-06-07 18:48 ` [PATCH 4/7] openssh: minor indent cleanup for sshd init script Andre McCurdy
2018-06-07 18:48 ` [PATCH 5/7] openssh: sync local ssh_config + sshd_config files with upstream 7.7p1 Andre McCurdy
2018-06-07 18:48 ` Andre McCurdy [this message]
2018-06-07 18:48 ` [PATCH 7/7] rootfs-postcommands.bbclass: drop obsolete sshd UseDNS rootfs postprocessing Andre McCurdy
2018-06-12 17:38 ` [PATCH 1/7] openssh: stop adding -D__FILE_OFFSET_BITS=64 to CFLAGS Andre McCurdy
2018-06-13 11:59   ` Burton, Ross