[openssh/private-master-vanilla: 13/13] add support for ED25519 keys to sshd-keygen and sshd.sysconfig
plautrba
plautrba at fedoraproject.org
Wed Apr 9 13:47:10 UTC 2014
commit 17e5a39640b57576ee3771fb91b691f45a9486dd
Author: Petr Lautrbach <plautrba at redhat.com>
Date: Wed Apr 9 13:37:47 2014 +0200
add support for ED25519 keys to sshd-keygen and sshd.sysconfig
sshd-keygen | 63 +++++++++++++++++++++++++++++++++++++++++--------------
sshd.sysconfig | 14 +++++-------
2 files changed, 53 insertions(+), 24 deletions(-)
---
diff --git a/sshd-keygen b/sshd-keygen
index d54e4b9..6eedf90 100644
--- a/sshd-keygen
+++ b/sshd-keygen
@@ -4,7 +4,7 @@
#
# The creation is controlled by the $AUTOCREATE_SERVER_KEYS environment
# variable.
-AUTOCREATE_SERVER_KEYS=NODSA
+AUTOCREATE_SERVER_KEYS="RSA ECDSA ED25519"
# source function library
. /etc/rc.d/init.d/functions
@@ -15,6 +15,7 @@ RSA1_KEY=/etc/ssh/ssh_host_key
RSA_KEY=/etc/ssh/ssh_host_rsa_key
DSA_KEY=/etc/ssh/ssh_host_dsa_key
ECDSA_KEY=/etc/ssh/ssh_host_ecdsa_key
+ED25519_KEY=/etc/ssh/ssh_host_ed25519_key
# pull in sysconfig settings
[ -f /etc/sysconfig/sshd ] && . /etc/sysconfig/sshd
@@ -33,10 +34,10 @@ do_rsa1_keygen() {
rm -f $RSA1_KEY
if test ! -f $RSA1_KEY && $KEYGEN -q -t rsa1 -f $RSA1_KEY -C '' -N '' >&/dev/null; then
chgrp ssh_keys $RSA1_KEY
- chmod 640 $RSA1_KEY
+ chmod 600 $RSA1_KEY
chmod 644 $RSA1_KEY.pub
if [ -x /sbin/restorecon ]; then
- /sbin/restorecon $RSA1_KEY.pub
+ /sbin/restorecon $RSA1_KEY{,.pub}
fi
success $"RSA1 key generation"
echo
@@ -54,10 +55,10 @@ do_rsa_keygen() {
rm -f $RSA_KEY
if test ! -f $RSA_KEY && $KEYGEN -q -t rsa -f $RSA_KEY -C '' -N '' >&/dev/null; then
chgrp ssh_keys $RSA_KEY
- chmod 640 $RSA_KEY
+ chmod 600 $RSA_KEY
chmod 644 $RSA_KEY.pub
if [ -x /sbin/restorecon ]; then
- /sbin/restorecon $RSA_KEY.pub
+ /sbin/restorecon $RSA_KEY{,.pub}
fi
success $"RSA key generation"
echo
@@ -75,10 +76,10 @@ do_dsa_keygen() {
rm -f $DSA_KEY
if test ! -f $DSA_KEY && $KEYGEN -q -t dsa -f $DSA_KEY -C '' -N '' >&/dev/null; then
chgrp ssh_keys $DSA_KEY
- chmod 640 $DSA_KEY
+ chmod 600 $DSA_KEY
chmod 644 $DSA_KEY.pub
if [ -x /sbin/restorecon ]; then
- /sbin/restorecon $DSA_KEY.pub
+ /sbin/restorecon $DSA_KEY{,.pub}
fi
success $"DSA key generation"
echo
@@ -96,10 +97,10 @@ do_ecdsa_keygen() {
rm -f $ECDSA_KEY
if test ! -f $ECDSA_KEY && $KEYGEN -q -t ecdsa -f $ECDSA_KEY -C '' -N '' >&/dev/null; then
chgrp ssh_keys $ECDSA_KEY
- chmod 640 $ECDSA_KEY
+ chmod 600 $ECDSA_KEY
chmod 644 $ECDSA_KEY.pub
if [ -x /sbin/restorecon ]; then
- /sbin/restorecon $ECDSA_KEY.pub
+ /sbin/restorecon $ECDSA_KEY{,.pub}
fi
success $"ECDSA key generation"
echo
@@ -111,13 +112,43 @@ do_ecdsa_keygen() {
fi
}
-# Create keys if necessary
-if [ "x${AUTOCREATE_SERVER_KEYS}" != xNO ]; then
- do_rsa_keygen
- if [ "x${AUTOCREATE_SERVER_KEYS}" != xRSAONLY ]; then
- do_ecdsa_keygen
- if [ "x${AUTOCREATE_SERVER_KEYS}" != xNODSA ]; then
- do_dsa_keygen
+do_ed25519_keygen() {
+ if [ ! -s $ED25519_KEY ]; then
+ echo -n $"Generating SSH2 ED25519 host key: "
+ rm -f $ED25519_KEY
+ if test ! -f $ED25519_KEY && $KEYGEN -q -t ed25519 -f $ED25519_KEY -C '' -N '' >&/dev/null; then
+ chgrp ssh_keys $ED25519_KEY
+ chmod 600 $ED25519_KEY
+ chmod 644 $ED25519_KEY.pub
+ if [ -x /sbin/restorecon ]; then
+ /sbin/restorecon $ED25519_KEY{,.pub}
+ fi
+ success $"ED25519 key generation"
+ echo
+ else
+ failure $"ED25519 key generation"
+ echo
+ exit 1
fi
fi
+}
+
+if [ "x${AUTOCREATE_SERVER_KEYS}" == "xNO" ]; then
+ exit 0
fi
+
+# legacy options
+case $AUTOCREATE_SERVER_KEYS in
+ NODSA) AUTOCREATE_SERVER_KEYS="RSA ECDSA ED25519";;
+ RSAONLY) AUTOCREATE_SERVER_KEYS="RSA";;
+ YES) AUTOCREATE_SERVER_KEYS="DSA RSA ECDSA ED25519";;
+esac
+
+for KEY in $AUTOCREATE_SERVER_KEYS; do
+ case $KEY in
+ DSA) do_dsa_keygen;;
+ RSA) do_rsa_keygen;;
+ ECDSA) do_ecdsa_keygen;;
+ ED25519) do_ed25519_keygen;;
+ esac
+done
diff --git a/sshd.sysconfig b/sshd.sysconfig
index ddd7744..e666ab9 100644
--- a/sshd.sysconfig
+++ b/sshd.sysconfig
@@ -1,14 +1,12 @@
# Configuration file for the sshd service.
-# The server keys are automatically generated if they omitted
-# to change the automatic creation uncomment the appropriate
-# line. The default is NODSA which means rsa and ecdsa keys are
-# generated.
+# The server keys are automatically generated if they are missing.
+# To change the automatic creation uncomment and change the appropriate
+# line. Accepted key types are: DSA RSA ECDSA ED25519.
+# The default is "RSA ECDSA ED25519"
-# AUTOCREATE_SERVER_KEYS=NODSA
-# AUTOCREATE_SERVER_KEYS=RSAONLY
-# AUTOCREATE_SERVER_KEYS=NO
-# AUTOCREATE_SERVER_KEYS=YES
+# AUTOCREATE_SERVER_KEYS=""
+# AUTOCREATE_SERVER_KEYS="RSA ECDSA ED25519"
# Do not change this option unless you have hardware random
# generator and you REALLY know what you are doing
More information about the scm-commits
mailing list