diff options
author | Marcel Ziswiler <marcel.ziswiler@toradex.com> | 2019-10-22 00:48:00 +0200 |
---|---|---|
committer | Marcel Ziswiler <marcel.ziswiler@toradex.com> | 2019-10-22 00:54:12 +0200 |
commit | b794d3050e6ca28c45eec5f57586850c2084b379 (patch) | |
tree | 59136776e68ae5aed56f353a1f14a5c8023137c2 /recipes-connectivity/openssh/openssh/sshd_check_keys | |
parent | 050cb8f83db24d66e6d06b5e14dddac7c182f8e0 (diff) |
openssh: backport 8.0p1
Packport openssh 8.0p1 from upstream openembedded-core master commit
8bd4b87071c0 ("openssh: fix CVE-2019-16905") reverting commit
0fd0a1b1f733 ("openssh: Add missing DEPENDS on virtual/crypt") due to
Rocko incompatibility.
Signed-off-by: Marcel Ziswiler <marcel.ziswiler@toradex.com>
Diffstat (limited to 'recipes-connectivity/openssh/openssh/sshd_check_keys')
-rw-r--r-- | recipes-connectivity/openssh/openssh/sshd_check_keys | 78 |
1 files changed, 78 insertions, 0 deletions
diff --git a/recipes-connectivity/openssh/openssh/sshd_check_keys b/recipes-connectivity/openssh/openssh/sshd_check_keys new file mode 100644 index 0000000..1931dc7 --- /dev/null +++ b/recipes-connectivity/openssh/openssh/sshd_check_keys @@ -0,0 +1,78 @@ +#! /bin/sh + +generate_key() { + local FILE=$1 + local TYPE=$2 + local DIR="$(dirname "$FILE")" + + mkdir -p "$DIR" + ssh-keygen -q -f "${FILE}.tmp" -N '' -t $TYPE + + # Atomically rename file public key + mv -f "${FILE}.tmp.pub" "${FILE}.pub" + + # This sync does double duty: Ensuring that the data in the temporary + # private key file is on disk before the rename, and ensuring that the + # public key rename is completed before the private key rename, since we + # switch on the existence of the private key to trigger key generation. + # This does mean it is possible for the public key to exist, but be garbage + # but this is OK because in that case the private key won't exist and the + # keys will be regenerated. + # + # In the event that sync understands arguments that limit what it tries to + # fsync(), we provided them. If it does not, it will simply call sync() + # which is just as well + sync "${FILE}.pub" "$DIR" "${FILE}.tmp" + + mv "${FILE}.tmp" "$FILE" + + # sync to ensure the atomic rename is committed + sync "$DIR" +} + +# /etc/default/ssh may set SYSCONFDIR and SSHD_OPTS +if test -f /etc/default/ssh; then + . /etc/default/ssh +fi + +[ -z "$SYSCONFDIR" ] && SYSCONFDIR=/etc/ssh +mkdir -p $SYSCONFDIR + +# parse sshd options +set -- ${SSHD_OPTS} -- +sshd_config=/etc/ssh/sshd_config +while true ; do + case "$1" in + -f*) if [ "$1" = "-f" ] ; then + sshd_config="$2" + shift + else + sshd_config="${1#-f}" + fi + shift + ;; + --) shift; break;; + *) shift;; + esac +done + +HOST_KEYS=$(sed -n 's/^[ \t]*HostKey[ \t]\+\(.*\)/\1/p' "${sshd_config}") +[ -z "${HOST_KEYS}" ] && HOST_KEYS="$SYSCONFDIR/ssh_host_rsa_key $SYSCONFDIR/ssh_host_ecdsa_key $SYSCONFDIR/ssh_host_ed25519_key" + +for key in ${HOST_KEYS} ; do + [ -f $key ] && continue + case $key in + *_rsa_key) + echo " generating ssh RSA host key..." + generate_key $key rsa + ;; + *_ecdsa_key) + echo " generating ssh ECDSA host key..." + generate_key $key ecdsa + ;; + *_ed25519_key) + echo " generating ssh ED25519 host key..." + generate_key $key ed25519 + ;; + esac +done |