summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorJoshua Watt <jpewhacker@gmail.com>2017-09-28 08:40:01 -0500
committerRichard Purdie <richard.purdie@linuxfoundation.org>2017-10-07 23:20:39 +0100
commit43fc3d8e180c168dbe5dd5faa577e69a279bd1bd (patch)
tree3b1769ba7e5c3a2a04d405c5cfee263200c6aec3
parentcbf796a8266598c27a3af77fcef577ba5e10297f (diff)
downloadpoky-43fc3d8e180c168dbe5dd5faa577e69a279bd1bd.tar.gz
openssh: Atomically generate host keys
Generating the host keys atomically prevents power interruptions during the first boot from leaving the key files incomplete, which often prevents users from being able to ssh into the device. [YOCTO #11671] (From OE-Core rev: 221b40f1f08ee23511ba078a1efd01686922e932) Signed-off-by: Joshua Watt <JPEWhacker@gmail.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
-rw-r--r--meta/recipes-connectivity/openssh/openssh/sshd_check_keys42
1 files changed, 34 insertions, 8 deletions
diff --git a/meta/recipes-connectivity/openssh/openssh/sshd_check_keys b/meta/recipes-connectivity/openssh/openssh/sshd_check_keys
index f5bba53ca3..5463b1a4cb 100644
--- a/meta/recipes-connectivity/openssh/openssh/sshd_check_keys
+++ b/meta/recipes-connectivity/openssh/openssh/sshd_check_keys
@@ -1,5 +1,35 @@
1#! /bin/sh 1#! /bin/sh
2 2
3generate_key() {
4 local FILE=$1
5 local TYPE=$2
6 local DIR="$(dirname "$FILE")"
7
8 mkdir -p "$DIR"
9 ssh-keygen -q -f "${FILE}.tmp" -N '' -t $TYPE
10
11 # Atomically rename file public key
12 mv -f "${FILE}.tmp.pub" "${FILE}.pub"
13
14 # This sync does double duty: Ensuring that the data in the temporary
15 # private key file is on disk before the rename, and ensuring that the
16 # public key rename is completed before the private key rename, since we
17 # switch on the existence of the private key to trigger key generation.
18 # This does mean it is possible for the public key to exist, but be garbage
19 # but this is OK because in that case the private key won't exist and the
20 # keys will be regenerated.
21 #
22 # In the event that sync understands arguments that limit what it tries to
23 # fsync(), we provided them. If it does not, it will simply call sync()
24 # which is just as well
25 sync "${FILE}.pub" "$DIR" "${FILE}.tmp"
26
27 mv "${FILE}.tmp" "$FILE"
28
29 # sync to ensure the atomic rename is committed
30 sync "$DIR"
31}
32
3# /etc/default/ssh may set SYSCONFDIR and SSHD_OPTS 33# /etc/default/ssh may set SYSCONFDIR and SSHD_OPTS
4if test -f /etc/default/ssh; then 34if test -f /etc/default/ssh; then
5 . /etc/default/ssh 35 . /etc/default/ssh
@@ -43,22 +73,18 @@ HOST_KEY_ED25519=$(grep ^HostKey "${sshd_config}" | grep _ed25519_ | tail -1 | a
43# create keys if necessary 73# create keys if necessary
44if [ ! -f $HOST_KEY_RSA ]; then 74if [ ! -f $HOST_KEY_RSA ]; then
45 echo " generating ssh RSA key..." 75 echo " generating ssh RSA key..."
46 mkdir -p $(dirname $HOST_KEY_RSA) 76 generate_key $HOST_KEY_RSA rsa
47 ssh-keygen -q -f $HOST_KEY_RSA -N '' -t rsa
48fi 77fi
49if [ ! -f $HOST_KEY_ECDSA ]; then 78if [ ! -f $HOST_KEY_ECDSA ]; then
50 echo " generating ssh ECDSA key..." 79 echo " generating ssh ECDSA key..."
51 mkdir -p $(dirname $HOST_KEY_ECDSA) 80 generate_key $HOST_KEY_ECDSA ecdsa
52 ssh-keygen -q -f $HOST_KEY_ECDSA -N '' -t ecdsa
53fi 81fi
54if [ ! -f $HOST_KEY_DSA ]; then 82if [ ! -f $HOST_KEY_DSA ]; then
55 echo " generating ssh DSA key..." 83 echo " generating ssh DSA key..."
56 mkdir -p $(dirname $HOST_KEY_DSA) 84 generate_key $HOST_KEY_DSA dsa
57 ssh-keygen -q -f $HOST_KEY_DSA -N '' -t dsa
58fi 85fi
59if [ ! -f $HOST_KEY_ED25519 ]; then 86if [ ! -f $HOST_KEY_ED25519 ]; then
60 echo " generating ssh ED25519 key..." 87 echo " generating ssh ED25519 key..."
61 mkdir -p $(dirname $HOST_KEY_ED25519) 88 generate_key $HOST_KEY_ED25519 ed25519
62 ssh-keygen -q -f $HOST_KEY_ED25519 -N '' -t ed25519
63fi 89fi
64 90