This commit adds additional output to the following error message, telling the user that their existing `ssh_host` key files need to be converted to PEM format:

```
Error: Unsupported OpenSSH key type
Error reading key from '/etc/ssh/ssh_host_rsa_key'
Error: Unsupported OpenSSH key type
Error reading key from '/etc/ssh/ssh_host_ecdsa_key'
```

The suggestion to convert the existing keys to PEM format comes from an issue[1] in mkinitcpio-systemd-tool; the dropbear hook now echoes it whenever `dropbearconvert` fails while mkinitcpio is building the image. This change also stops swallowing that failure: if `dropbearconvert` was unable to convert any of the existing `ssh_host` key files, `generate_keys` is run, so an initramfs is never generated without host key files. This matches the existing behavior when no `ssh_host` key files exist at all.

[1] https://github.com/random-archer/mkinitcpio-systemd-tool/issues/83
#!/bin/bash
# Print the fingerprint of a dropbear private key file.
#   $1 - path to the key file
# Output: the value part of dropbearkey's "Fingerprint: ..." line on stdout.
# Note: the pipeline's status is sed's, so a failing dropbearkey (missing or
# unreadable file) yields empty output and status 0 rather than an error.
get_fingerprint() {
  local keyfile="$1"

  # dropbearkey -y prints the public key followed by a "Fingerprint:" line;
  # strip the label (and any spaces after it) and print only such lines.
  dropbearkey -y -f "$keyfile" | sed -n 's/^Fingerprint: *//p'
}
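# Print "<basename> : <fingerprint>" for each dropbear host key that exists
# and is non-empty.
#   $1 - optional key file prefix (default /etc/dropbear/dropbear_); the
#        files checked are "${prefix}rsa_host_key" and "${prefix}ecdsa_host_key",
#        the same two files the other functions in this hook operate on.
# Output: one line per present key on stdout; nothing for missing/empty keys.
display_fingerprints() {
  local dbpre="${1:-/etc/dropbear/dropbear_}"
  local keytype keyfile

  for keytype in rsa ecdsa; do
    keyfile="${dbpre}${keytype}_host_key"
    # Skip keys that do not exist or are empty (nothing to fingerprint).
    if [ -s "$keyfile" ]; then
      printf '%s : %s\n' "${keyfile##*/}" "$(get_fingerprint "$keyfile")"
    fi
  done
}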
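# Convert the system's OpenSSH host keys (rsa, ecdsa) into dropbear format.
#   $1 - optional directory holding ssh_host_*_key files (default /etc/ssh)
#   $2 - optional output prefix (default /etc/dropbear/dropbear_); each key is
#        written to "${prefix}${type}_host_key"
# Returns 0 if at least one key was converted, 1 if none was (no source key
# present, or every conversion failed) so the caller can fall back to
# generating fresh keys.
# Keys that are missing or empty are skipped silently. When dropbearconvert
# rejects a key it is told how to rewrite it in PEM format; the hint is
# echoed to stdout like the rest of this hook's messages.
copy_openssh_keys() {
  local sshdir="${1:-/etc/ssh}"
  local dbpre="${2:-/etc/dropbear/dropbear_}"
  local keytype osshkey
  local converted=0

  for keytype in rsa ecdsa; do
    osshkey="${sshdir}/ssh_host_${keytype}_key"
    if [ -s "$osshkey" ]; then
      # The output is the unencrypted dropbear private host key; it inherits
      # the directory's protection, so the prefix directory must be root-only.
      if dropbearconvert openssh dropbear "$osshkey" "${dbpre}${keytype}_host_key"; then
        converted=1
      else
        # dropbearconvert could not read this key (typically the OpenSSH
        # native key format). The suggested command rewrites the system's
        # live sshd host key file in place as PEM — keep a backup first.
        echo "dropbearconvert needs host keys in PEM format"
        echo "To convert existing host key use: \"ssh-keygen -p -m PEM -f $osshkey\""
      fi
    fi
  done

  if [ "$converted" -eq 1 ]; then
    return 0
  fi
  return 1
}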
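# Generate any dropbear host key (rsa, ecdsa) that is missing or empty.
#   $1 - optional key file prefix (default /etc/dropbear/dropbear_); keys are
#        written to "${prefix}${type}_host_key"
# Existing non-empty keys are left untouched. Returns 0 if every required key
# exists afterwards, 1 if dropbearkey failed for at least one type — the
# original ignored that failure, which could leave the image without a host
# key despite this hook's intent; the caller currently does not check the
# status, so returning 1 is backward compatible.
generate_keys() {
  local dbpre="${1:-/etc/dropbear/dropbear_}"
  local keytype keyfile
  local failed=0

  for keytype in rsa ecdsa; do
    keyfile="${dbpre}${keytype}_host_key"
    if [ ! -s "$keyfile" ]; then
      echo "Generating ${keytype} host key for dropbear ..."
      if ! dropbearkey -t "$keytype" -f "$keyfile"; then
        # Report instead of silently continuing; the diagnostic goes to stderr.
        echo "Failed to generate ${keytype} host key ${keyfile}" >&2
        failed=1
      fi
    fi
  done

  return "$failed"
}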
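# mkinitcpio build hook: install dropbear and its host keys into the image.
# Reads /etc/dropbear/root_key (public key(s) allowed to log in as root) and
# /etc/dropbear/dropbear_*_host_key; uses mkinitcpio's add_* helpers and
# BUILDROOT. Returns 0 without doing anything when no root_key is present.
build ()
{
  #
  # Begin real processing
  #

  # Are we even needed? Without an authorized key for root there is nothing
  # to log in with, so install nothing rather than an unreachable dropbear.
  if [ ! -r "/etc/dropbear/root_key" ] || [ ! -s "/etc/dropbear/root_key" ]; then
    echo "There is no root key in /etc/dropbear/root_key existent; exit"
    return 0
  fi

  # If TMPDIR is set leave it alone, otherwise set it (quoted: an unset or
  # space-containing value no longer breaks the test).
  # NOTE(review): nothing visible in this hook reads TMPDIR afterwards, and a
  # fixed path under /tmp can be pre-created by any local user; if it is
  # really needed it should come from mktemp -d.
  [ -z "${TMPDIR}" ] && TMPDIR='/tmp/dropbear_initrd_encrypt'

  # Check if TMPDIR exists, if not make it.
  [ -d "${TMPDIR}" ] || mkdir -p "${TMPDIR}"

  # Files created below (authorized_keys, lastlog) end up mode 0644.
  umask 0022

  # Create /etc/dropbear if it is missing. The original used '&&', which ran
  # mkdir only when the directory already existed; that was harmless only
  # because the root_key check above already implies the directory exists.
  [ -d /etc/dropbear ] || mkdir -p /etc/dropbear

  # Reuse the system's OpenSSH host keys when dropbearconvert can read them.
  # Only if none could be converted (missing, or rejected because they are
  # not PEM) fall back to generating dropbear keys for the types still absent.
  copy_openssh_keys || generate_keys
  display_fingerprints

  add_checked_modules "/drivers/net/"
  add_binary "rm"
  add_binary "killall"
  add_binary "dropbear"

  # root_key becomes root's authorized_keys inside the image.
  add_dir "/root/.ssh"
  cat /etc/dropbear/root_key > "${BUILDROOT}"/root/.ssh/authorized_keys

  # This copies the dropbear host *private* keys into the initramfs. Anyone
  # able to read the generated image can impersonate the early-boot host, so
  # the image file must not be world-readable — confirm how the installed
  # mkinitcpio version sets permissions on its output.
  add_full_dir "/etc/dropbear"
  add_file "/lib/libnss_files.so.2"
  add_dir "/var/run"
  add_dir "/var/log"
  touch "${BUILDROOT}"/var/log/lastlog

  add_runscript
}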
# mkinitcpio help hook: print a short description of what this hook does
# (and does not do) to stdout. Shadows the bash builtin of the same name,
# which is what mkinitcpio expects.
help ()
{
  # One argument per output line; the text contains nothing the shell would
  # expand, so this prints exactly what the former heredoc printed.
  printf '%s\n' \
    'This hook is meant to be used in conjunction with mkinitcpio-netconf and/or' \
    'mkinitcpio-ppp. It DOES NOT provide any default shell. It will only install' \
    'and start dropbear on early userspace. In the package mkinitcpio-utils you' \
    'will find hooks and shells for remote unlocking a luks root partition,' \
    'among others.'
}