diff options
author | Joshua Watt <jpewhacker@gmail.com> | 2017-09-28 08:40:01 -0500 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2017-10-07 23:20:39 +0100 |
commit | 43fc3d8e180c168dbe5dd5faa577e69a279bd1bd (patch) | |
tree | 3b1769ba7e5c3a2a04d405c5cfee263200c6aec3 | |
parent | cbf796a8266598c27a3af77fcef577ba5e10297f (diff) | |
download | poky-43fc3d8e180c168dbe5dd5faa577e69a279bd1bd.tar.gz |
openssh: Atomically generate host keys
Generating the host keys atomically prevents power interruptions during the
first boot from leaving the key files incomplete, which often prevents users
from being able to ssh into the device.
[YOCTO #11671]
(From OE-Core rev: 221b40f1f08ee23511ba078a1efd01686922e932)
Signed-off-by: Joshua Watt <JPEWhacker@gmail.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
-rw-r--r-- | meta/recipes-connectivity/openssh/openssh/sshd_check_keys | 42 |
1 files changed, 34 insertions, 8 deletions
diff --git a/meta/recipes-connectivity/openssh/openssh/sshd_check_keys b/meta/recipes-connectivity/openssh/openssh/sshd_check_keys index f5bba53ca3..5463b1a4cb 100644 --- a/meta/recipes-connectivity/openssh/openssh/sshd_check_keys +++ b/meta/recipes-connectivity/openssh/openssh/sshd_check_keys | |||
@@ -1,5 +1,35 @@ | |||
1 | #! /bin/sh | 1 | #! /bin/sh |
2 | 2 | ||
3 | generate_key() { | ||
4 | local FILE=$1 | ||
5 | local TYPE=$2 | ||
6 | local DIR="$(dirname "$FILE")" | ||
7 | |||
8 | mkdir -p "$DIR" | ||
9 | ssh-keygen -q -f "${FILE}.tmp" -N '' -t $TYPE | ||
10 | |||
11 | # Atomically rename file public key | ||
12 | mv -f "${FILE}.tmp.pub" "${FILE}.pub" | ||
13 | |||
14 | # This sync does double duty: Ensuring that the data in the temporary | ||
15 | # private key file is on disk before the rename, and ensuring that the | ||
16 | # public key rename is completed before the private key rename, since we | ||
17 | # switch on the existence of the private key to trigger key generation. | ||
18 | # This does mean it is possible for the public key to exist, but be garbage | ||
19 | # but this is OK because in that case the private key won't exist and the | ||
20 | # keys will be regenerated. | ||
21 | # | ||
22 | # In the event that sync understands arguments that limit what it tries to | ||
23 | # fsync(), we provided them. If it does not, it will simply call sync() | ||
24 | # which is just as well | ||
25 | sync "${FILE}.pub" "$DIR" "${FILE}.tmp" | ||
26 | |||
27 | mv "${FILE}.tmp" "$FILE" | ||
28 | |||
29 | # sync to ensure the atomic rename is committed | ||
30 | sync "$DIR" | ||
31 | } | ||
32 | |||
3 | # /etc/default/ssh may set SYSCONFDIR and SSHD_OPTS | 33 | # /etc/default/ssh may set SYSCONFDIR and SSHD_OPTS |
4 | if test -f /etc/default/ssh; then | 34 | if test -f /etc/default/ssh; then |
5 | . /etc/default/ssh | 35 | . /etc/default/ssh |
@@ -43,22 +73,18 @@ HOST_KEY_ED25519=$(grep ^HostKey "${sshd_config}" | grep _ed25519_ | tail -1 | a | |||
43 | # create keys if necessary | 73 | # create keys if necessary |
44 | if [ ! -f $HOST_KEY_RSA ]; then | 74 | if [ ! -f $HOST_KEY_RSA ]; then |
45 | echo " generating ssh RSA key..." | 75 | echo " generating ssh RSA key..." |
46 | mkdir -p $(dirname $HOST_KEY_RSA) | 76 | generate_key $HOST_KEY_RSA rsa |
47 | ssh-keygen -q -f $HOST_KEY_RSA -N '' -t rsa | ||
48 | fi | 77 | fi |
49 | if [ ! -f $HOST_KEY_ECDSA ]; then | 78 | if [ ! -f $HOST_KEY_ECDSA ]; then |
50 | echo " generating ssh ECDSA key..." | 79 | echo " generating ssh ECDSA key..." |
51 | mkdir -p $(dirname $HOST_KEY_ECDSA) | 80 | generate_key $HOST_KEY_ECDSA ecdsa |
52 | ssh-keygen -q -f $HOST_KEY_ECDSA -N '' -t ecdsa | ||
53 | fi | 81 | fi |
54 | if [ ! -f $HOST_KEY_DSA ]; then | 82 | if [ ! -f $HOST_KEY_DSA ]; then |
55 | echo " generating ssh DSA key..." | 83 | echo " generating ssh DSA key..." |
56 | mkdir -p $(dirname $HOST_KEY_DSA) | 84 | generate_key $HOST_KEY_DSA dsa |
57 | ssh-keygen -q -f $HOST_KEY_DSA -N '' -t dsa | ||
58 | fi | 85 | fi |
59 | if [ ! -f $HOST_KEY_ED25519 ]; then | 86 | if [ ! -f $HOST_KEY_ED25519 ]; then |
60 | echo " generating ssh ED25519 key..." | 87 | echo " generating ssh ED25519 key..." |
61 | mkdir -p $(dirname $HOST_KEY_ED25519) | 88 | generate_key $HOST_KEY_ED25519 ed25519 |
62 | ssh-keygen -q -f $HOST_KEY_ED25519 -N '' -t ed25519 | ||
63 | fi | 89 | fi |
64 | 90 | ||