[openssh/private-master-vanilla: 13/13] add support for ED25519 keys to sshd-keygen and sshd.sysconfig

plautrba plautrba at fedoraproject.org
Wed Apr 9 13:47:10 UTC 2014 

commit 17e5a39640b57576ee3771fb91b691f45a9486dd
Author: Petr Lautrbach <plautrba at redhat.com>
Date:   Wed Apr 9 13:37:47 2014 +0200

    add support for ED25519 keys to sshd-keygen and sshd.sysconfig

 sshd-keygen    |   63 +++++++++++++++++++++++++++++++++++++++++--------------
 sshd.sysconfig |   14 +++++-------
 2 files changed, 53 insertions(+), 24 deletions(-)
---
diff --git a/sshd-keygen b/sshd-keygen
index d54e4b9..6eedf90 100644
--- a/sshd-keygen
+++ b/sshd-keygen
@@ -4,7 +4,7 @@
 #
 # The creation is controlled by the $AUTOCREATE_SERVER_KEYS environment
 # variable.
-AUTOCREATE_SERVER_KEYS=NODSA
+AUTOCREATE_SERVER_KEYS="RSA ECDSA ED25519"
 
 # source function library
 . /etc/rc.d/init.d/functions
@@ -15,6 +15,7 @@ RSA1_KEY=/etc/ssh/ssh_host_key
 RSA_KEY=/etc/ssh/ssh_host_rsa_key
 DSA_KEY=/etc/ssh/ssh_host_dsa_key
 ECDSA_KEY=/etc/ssh/ssh_host_ecdsa_key
+ED25519_KEY=/etc/ssh/ssh_host_ed25519_key
 
 # pull in sysconfig settings
 [ -f /etc/sysconfig/sshd ] && . /etc/sysconfig/sshd
@@ -33,10 +34,10 @@ do_rsa1_keygen() {
 		rm -f $RSA1_KEY
 		if test ! -f $RSA1_KEY && $KEYGEN -q -t rsa1 -f $RSA1_KEY -C '' -N '' >&/dev/null; then
 			chgrp ssh_keys $RSA1_KEY
-			chmod 640 $RSA1_KEY
+			chmod 600 $RSA1_KEY
 			chmod 644 $RSA1_KEY.pub
 			if [ -x /sbin/restorecon ]; then
-			    /sbin/restorecon $RSA1_KEY.pub
+			    /sbin/restorecon $RSA1_KEY{,.pub}
 			fi
 			success $"RSA1 key generation"
 			echo
@@ -54,10 +55,10 @@ do_rsa_keygen() {
 		rm -f $RSA_KEY
 		if test ! -f $RSA_KEY && $KEYGEN -q -t rsa -f $RSA_KEY -C '' -N '' >&/dev/null; then
 			chgrp ssh_keys $RSA_KEY
-			chmod 640 $RSA_KEY
+			chmod 600 $RSA_KEY
 			chmod 644 $RSA_KEY.pub
 			if [ -x /sbin/restorecon ]; then
-			    /sbin/restorecon $RSA_KEY.pub
+			    /sbin/restorecon $RSA_KEY{,.pub}
 			fi
 			success $"RSA key generation"
 			echo
@@ -75,10 +76,10 @@ do_dsa_keygen() {
 		rm -f $DSA_KEY
 		if test ! -f $DSA_KEY && $KEYGEN -q -t dsa -f $DSA_KEY -C '' -N '' >&/dev/null; then
 			chgrp ssh_keys $DSA_KEY
-			chmod 640 $DSA_KEY
+			chmod 600 $DSA_KEY
 			chmod 644 $DSA_KEY.pub
 			if [ -x /sbin/restorecon ]; then
-			    /sbin/restorecon $DSA_KEY.pub
+			    /sbin/restorecon $DSA_KEY{,.pub}
 			fi
 			success $"DSA key generation"
 			echo
@@ -96,10 +97,10 @@ do_ecdsa_keygen() {
 		rm -f $ECDSA_KEY
 		if test ! -f $ECDSA_KEY && $KEYGEN -q -t ecdsa -f $ECDSA_KEY -C '' -N '' >&/dev/null; then
 			chgrp ssh_keys $ECDSA_KEY
-			chmod 640 $ECDSA_KEY
+			chmod 600 $ECDSA_KEY
 			chmod 644 $ECDSA_KEY.pub
 			if [ -x /sbin/restorecon ]; then
-			    /sbin/restorecon $ECDSA_KEY.pub
+			    /sbin/restorecon $ECDSA_KEY{,.pub}
 			fi
 			success $"ECDSA key generation"
 			echo
@@ -111,13 +112,43 @@ do_ecdsa_keygen() {
 	fi
 }
 
-# Create keys if necessary
-if [ "x${AUTOCREATE_SERVER_KEYS}" != xNO ]; then
-	do_rsa_keygen
-	if [ "x${AUTOCREATE_SERVER_KEYS}" != xRSAONLY ]; then
-		do_ecdsa_keygen
-		if [ "x${AUTOCREATE_SERVER_KEYS}" != xNODSA ]; then
-			do_dsa_keygen
+do_ed25519_keygen() {
+	if [ ! -s $ED25519_KEY ]; then
+		echo -n $"Generating SSH2 ED25519 host key: "
+		rm -f $ED25519_KEY
+		if test ! -f $ED25519_KEY && $KEYGEN -q -t ed25519 -f $ED25519_KEY -C '' -N '' >&/dev/null; then
+			chgrp ssh_keys $ED25519_KEY
+			chmod 600 $ED25519_KEY
+			chmod 644 $ED25519_KEY.pub
+			if [ -x /sbin/restorecon ]; then
+			    /sbin/restorecon $ED25519_KEY{,.pub}
+			fi
+			success $"ED25519 key generation"
+			echo
+		else
+			failure $"ED25519 key generation"
+			echo
+			exit 1
 		fi
 	fi
+}
+
+if [ "x${AUTOCREATE_SERVER_KEYS}" == "xNO" ]; then
+	exit 0
 fi
+
+# legacy options
+case $AUTOCREATE_SERVER_KEYS in
+	NODSA) AUTOCREATE_SERVER_KEYS="RSA ECDSA ED25519";;
+	RSAONLY) AUTOCREATE_SERVER_KEYS="RSA";;
+	YES) AUTOCREATE_SERVER_KEYS="DSA RSA ECDSA ED25519";;
+esac
+
+for KEY in $AUTOCREATE_SERVER_KEYS; do
+	case $KEY in
+		DSA) do_dsa_keygen;;
+		RSA) do_rsa_keygen;;
+		ECDSA) do_ecdsa_keygen;;
+		ED25519) do_ed25519_keygen;;
+	esac
+done
diff --git a/sshd.sysconfig b/sshd.sysconfig
index ddd7744..e666ab9 100644
--- a/sshd.sysconfig
+++ b/sshd.sysconfig
@@ -1,14 +1,12 @@
 # Configuration file for the sshd service.
 
-# The server keys are automatically generated if they omitted
-# to change the automatic creation uncomment the appropriate
-# line. The default is NODSA which means rsa and ecdsa keys are
-# generated.
+# The server keys are automatically generated if they are missing.
+# To change the automatic creation uncomment and change the appropriate
+# line. Accepted key types are: DSA RSA ECDSA ED25519.
+# The default is "RSA ECDSA ED25519"
 
-# AUTOCREATE_SERVER_KEYS=NODSA
-# AUTOCREATE_SERVER_KEYS=RSAONLY
-# AUTOCREATE_SERVER_KEYS=NO
-# AUTOCREATE_SERVER_KEYS=YES
+# AUTOCREATE_SERVER_KEYS=""
+# AUTOCREATE_SERVER_KEYS="RSA ECDSA ED25519"
 
 # Do not change this option unless you have hardware random
 # generator and you REALLY know what you are doing

More information about the scm-commits mailing list