[yocto] [meta-openssl102-fips][PATCH 9/15] openssh: port sshd_check_keys from oe-core
Mark Hatle
mark.hatle at kernel.crashing.org
Mon Sep 23 07:44:11 PDT 2019
Please include the oe-core commit that this version was taken from. It'll be
easier to uprev, if needed, if we need to.
--Mark
On 9/22/19 9:57 AM, Hongxu Jia wrote:
> Signed-off-by: Hongxu Jia <hongxu.jia at windriver.com>
> ---
> .../openssh/openssh/sshd_check_keys | 78 ++++++++++++++++++++++
> 1 file changed, 78 insertions(+)
> create mode 100644 recipes-connectivity/openssh/openssh/sshd_check_keys
>
> diff --git a/recipes-connectivity/openssh/openssh/sshd_check_keys b/recipes-connectivity/openssh/openssh/sshd_check_keys
> new file mode 100644
> index 0000000..1931dc7
> --- /dev/null
> +++ b/recipes-connectivity/openssh/openssh/sshd_check_keys
> @@ -0,0 +1,78 @@
> +#! /bin/sh
> +
> +generate_key() {
> + local FILE=$1
> + local TYPE=$2
> + local DIR="$(dirname "$FILE")"
> +
> + mkdir -p "$DIR"
> + ssh-keygen -q -f "${FILE}.tmp" -N '' -t $TYPE
> +
> + # Atomically rename file public key
> + mv -f "${FILE}.tmp.pub" "${FILE}.pub"
> +
> + # This sync does double duty: Ensuring that the data in the temporary
> + # private key file is on disk before the rename, and ensuring that the
> + # public key rename is completed before the private key rename, since we
> + # switch on the existence of the private key to trigger key generation.
> + # This does mean it is possible for the public key to exist, but be garbage
> + # but this is OK because in that case the private key won't exist and the
> + # keys will be regenerated.
> + #
> + # In the event that sync understands arguments that limit what it tries to
> + # fsync(), we provided them. If it does not, it will simply call sync()
> + # which is just as well
> + sync "${FILE}.pub" "$DIR" "${FILE}.tmp"
> +
> + mv "${FILE}.tmp" "$FILE"
> +
> + # sync to ensure the atomic rename is committed
> + sync "$DIR"
> +}
> +
> +# /etc/default/ssh may set SYSCONFDIR and SSHD_OPTS
> +if test -f /etc/default/ssh; then
> + . /etc/default/ssh
> +fi
> +
> +[ -z "$SYSCONFDIR" ] && SYSCONFDIR=/etc/ssh
> +mkdir -p $SYSCONFDIR
> +
> +# parse sshd options
> +set -- ${SSHD_OPTS} --
> +sshd_config=/etc/ssh/sshd_config
> +while true ; do
> + case "$1" in
> + -f*) if [ "$1" = "-f" ] ; then
> + sshd_config="$2"
> + shift
> + else
> + sshd_config="${1#-f}"
> + fi
> + shift
> + ;;
> + --) shift; break;;
> + *) shift;;
> + esac
> +done
> +
> +HOST_KEYS=$(sed -n 's/^[ \t]*HostKey[ \t]\+\(.*\)/\1/p' "${sshd_config}")
> +[ -z "${HOST_KEYS}" ] && HOST_KEYS="$SYSCONFDIR/ssh_host_rsa_key $SYSCONFDIR/ssh_host_ecdsa_key $SYSCONFDIR/ssh_host_ed25519_key"
> +
> +for key in ${HOST_KEYS} ; do
> + [ -f $key ] && continue
> + case $key in
> + *_rsa_key)
> + echo " generating ssh RSA host key..."
> + generate_key $key rsa
> + ;;
> + *_ecdsa_key)
> + echo " generating ssh ECDSA host key..."
> + generate_key $key ecdsa
> + ;;
> + *_ed25519_key)
> + echo " generating ssh ED25519 host key..."
> + generate_key $key ed25519
> + ;;
> + esac
> +done
>
More information about the yocto
mailing list