Author: des
Date: Sat Sep 21 21:34:22 2013
New Revision: 255766
URL: http://svnweb.freebsd.org/changeset/base/255766

Log:
  Ditch the random seeding code, which never really worked as intended.
  Add config variables to enable / disable individual host key algorithms.
  Clean up the host key generation code.
  
  Approved by:  re (gjb)
  MFC after:    3 weeks

Modified:
  head/etc/rc.d/sshd

Modified: head/etc/rc.d/sshd
==============================================================================
--- head/etc/rc.d/sshd  Sat Sep 21 21:03:52 2013        (r255765)
+++ head/etc/rc.d/sshd  Sat Sep 21 21:34:22 2013        (r255766)
@@ -14,80 +14,59 @@ rcvar="sshd_enable"
 command="/usr/sbin/${name}"
 keygen_cmd="sshd_keygen"
 start_precmd="sshd_precmd"
-reload_precmd="sshd_precmd"
-restart_precmd="sshd_precmd"
+reload_precmd="sshd_configtest"
+restart_precmd="sshd_configtest"
 configtest_cmd="sshd_configtest"
 pidfile="/var/run/${name}.pid"
 extra_commands="configtest keygen reload"
 
-timeout=300
+: ${sshd_rsa1_enable:="yes"}
+: ${sshd_rsa_enable:="yes"}
+: ${sshd_dsa_enable:="yes"}
+: ${sshd_ecdsa_enable:="yes"}
 
-user_reseed()
+sshd_keygen_alg()
 {
-       (
-       seeded=`sysctl -n kern.random.sys.seeded 2>/dev/null`
-       if [ "x${seeded}" != "x" ] && [ ${seeded} -eq 0 ] ; then
-               warn "Setting entropy source to blocking mode."
-               echo "===================================================="
-               echo "Type a full screenful of random junk to unblock"
-               echo "it and remember to finish with <enter>. This will"
-               echo "timeout in ${timeout} seconds, but waiting for"
-               echo "the timeout without typing junk may make the"
-               echo "entropy source deliver predictable output."
-               echo ""
-               echo "Just hit <enter> for fast+insecure startup."
-               echo "===================================================="
-               sysctl kern.random.sys.seeded=0 2>/dev/null
-               read -t ${timeout} junk
-               echo "${junk}" `sysctl -a` `date` > /dev/random
-       fi
-       )
-}
-
-sshd_keygen()
-{
-       (
-       umask 022
+       local alg=$1
+       local ALG="$(echo $alg | tr a-z A-Z)"
+       local keyfile
+
+       if ! checkyesno "sshd_${alg}_enable" ; then
+               return 0
+       fi
+
+       case $alg in
+       rsa1)
+               keyfile="/etc/ssh/ssh_host_key"
+               ;;
+       rsa|dsa|ecdsa)
+               keyfile="/etc/ssh/ssh_host_${alg}_key"
+               ;;
+       *)
+               return 1
+               ;;
+       esac
 
-       # Can't do anything if ssh is not installed
-       [ -x /usr/bin/ssh-keygen ] || {
+       if [ ! -x /usr/bin/ssh-keygen ] ; then
                warn "/usr/bin/ssh-keygen does not exist."
                return 1
-       }
-
-       if [ -f /etc/ssh/ssh_host_key ]; then
-               echo "You already have an RSA host key" \
-                   "in /etc/ssh/ssh_host_key"
-               echo "Skipping protocol version 1 RSA Key Generation"
-       else
-               /usr/bin/ssh-keygen -t rsa1 -b 1024 \
-                   -f /etc/ssh/ssh_host_key -N ''
        fi
 
-       if [ -f /etc/ssh/ssh_host_dsa_key ]; then
-               echo "You already have a DSA host key" \
-                   "in /etc/ssh/ssh_host_dsa_key"
-               echo "Skipping protocol version 2 DSA Key Generation"
+       if [ -f "${keyfile}" ] ; then
+               echo "$ALG host key exists."
        else
-               /usr/bin/ssh-keygen -t dsa -f /etc/ssh/ssh_host_dsa_key -N ''
-       fi
-
-       if [ -f /etc/ssh/ssh_host_rsa_key ]; then
-               echo "You already have an RSA host key" \
-                   "in /etc/ssh/ssh_host_rsa_key"
-               echo "Skipping protocol version 2 RSA Key Generation"
-       else
-               /usr/bin/ssh-keygen -t rsa -f /etc/ssh/ssh_host_rsa_key -N ''
+               echo "Generating $ALG host key."
+               /usr/bin/ssh-keygen -q -t $alg -f "$keyfile" -N ""
+               /usr/bin/ssh-keygen -l -f "$keyfile.pub"
        fi
+}
 
-       if [ -f /etc/ssh/ssh_host_ecdsa_key ]; then
-               echo "You already have an ECDSA host key" \
-                   "in /etc/ssh/ssh_host_ecdsa_key"
-               echo "Skipping protocol version 2 ECDSA Key Generation"
-       else
-               /usr/bin/ssh-keygen -t ecdsa -f /etc/ssh/ssh_host_ecdsa_key -N 
''
-       fi
-       )
+sshd_keygen()
+{
+       sshd_keygen_alg rsa1
+       sshd_keygen_alg rsa
+       sshd_keygen_alg dsa
+       sshd_keygen_alg ecdsa
 }
 
 sshd_configtest()
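Review bot: The exit status of the key-generation call in sshd_keygen_alg is ignored, so if `ssh-keygen -q -t $alg` fails (and `-q` suppresses its diagnostics) the function goes on to `ssh-keygen -l -f "$keyfile.pub"` against a file that was never written, and sshd_keygen itself only returns the status of its last call. I would gate the fingerprint listing on success and report the failure, e.g. `/usr/bin/ssh-keygen -q -t "$alg" -f "$keyfile" -N "" || { warn "failed to generate $ALG host key."; return 1; }`. The removed `umask 022` is also not carried over into the new function; the private key mode is set by ssh-keygen itself, but the mode of the `.pub` file presumably follows the caller's umask, so a restrictive umask in the rc environment could leave the public key unreadable by non-root users — worth confirming or restoring the umask. The `$alg` in `tr a-z A-Z` and `-t $alg` are unquoted; harmless after the `case` whitelist, but quoting them keeps the style consistent with `"$keyfile"`.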
@@ -98,14 +77,8 @@ sshd_configtest()
 
 sshd_precmd()
 {
-       if [ ! -f /etc/ssh/ssh_host_key -o \
-           ! -f /etc/ssh/ssh_host_dsa_key -o \
-           ! -f /etc/ssh/ssh_host_ecdsa_key -o \
-           ! -f /etc/ssh/ssh_host_rsa_key ]; then
-               user_reseed
-               run_rc_command keygen
-       fi
-       sshd_configtest
+       run_rc_command keygen
+       run_rc_command configtest
 }
 
 load_rc_config $name
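Review bot: sshd_precmd discards the status of `run_rc_command keygen`, so when key generation fails (sshd_keygen_alg returns 1 when /usr/bin/ssh-keygen is missing, per the first hunk) the precmd still proceeds to configtest and the start, and the operator only sees sshd's own host-key error later. I would propagate it with `run_rc_command keygen || return 1`, noting that sshd_keygen currently reports only the status of its last per-algorithm call, so that would need tightening too. Separately, keygen now runs on every start rather than only when a key file is missing, so each start prints a "host key exists." line per enabled algorithm; if that noise is unwanted, the existence message could be dropped or moved behind a verbose check.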