Module Name: src Committed By: martin Date: Sun Sep 26 10:53:20 UTC 2021
Modified Files: src/etc/rc.d: sshd Log Message: If key generation happens with not enough entropy in the system, add a warning to motd pointing at entropy(7) and give instructions how to re-generate the (weak) keys after fixing up entropy. Add a "keyregen" command, which forces regeneration of all host keys to simplify the replacement of weak keys. To generate a diff of this commit: cvs rdiff -u -r1.30 -r1.31 src/etc/rc.d/sshd Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
Modified files: Index: src/etc/rc.d/sshd diff -u src/etc/rc.d/sshd:1.30 src/etc/rc.d/sshd:1.31 --- src/etc/rc.d/sshd:1.30 Wed Oct 23 14:45:38 2019 +++ src/etc/rc.d/sshd Sun Sep 26 10:53:20 2021 @@ -1,6 +1,6 @@ #!/bin/sh # -# $NetBSD: sshd,v 1.30 2019/10/23 14:45:38 christos Exp $ +# $NetBSD: sshd,v 1.31 2021/09/26 10:53:20 martin Exp $ # # PROVIDE: sshd @@ -13,7 +13,32 @@ rcvar=$name command="/usr/sbin/${name}" pidfile="/var/run/${name}.pid" required_files="/etc/ssh/sshd_config" -extra_commands="keygen reload" +extra_commands="keygen keyregen reload" + +sshd_motd_unsafe_keys_warning() +{ +( + umask 022 + T=/etc/_motd + sed -E '/^-- UNSAFE KEYS WARNING:/,$d' < /etc/motd > $T + if [ $( sysctl -n kern.entropy.needed ) -ne 0 ]; then + cat >> $T << _EOF +-- UNSAFE KEYS WARNING: + + The ssh host keys on this machine have been generated with + not enough entropy configured, so may be predictable. + + To fix, follow the "Adding entropy" section in the entropy(7) + man page and after this machine has enough entropy, re-generate + the ssh host keys by running: + + sh /etc/rc.d/sshd keyregen +_EOF + fi + cmp -s $T /etc/motd || cp $T /etc/motd + rm -f $T +) +} sshd_keygen() { @@ -22,9 +47,10 @@ sshd_keygen() umask 022 while read type bits filename; do f="/etc/ssh/$filename" - if [ -f "$f" ]; then + if [ "$1" != "force" ] && [ -f "$f" ]; then continue fi + rm -f "$f" case "${bits}" in -1) bitarg=;; 0) bitarg="${ssh_keygen_flags}";; @@ -39,6 +65,7 @@ ed25519 -1 ssh_host_ed25519_key rsa 0 ssh_host_rsa_key _EOF ) + sshd_motd_unsafe_keys_warning } sshd_precmd() @@ -47,6 +74,7 @@ sshd_precmd() } keygen_cmd=sshd_keygen +keyregen_cmd="sshd_keygen force" start_precmd=sshd_precmd load_rc_config $name