

[src/trunk]: src/etc/rc.d If key generation happens with not enough entropy i...



details:   https://anonhg.NetBSD.org/src/rev/dc07efb8e630
branches:  trunk
changeset: 987420:dc07efb8e630
user:      martin <martin%NetBSD.org@localhost>
date:      Sun Sep 26 10:53:20 2021 +0000

description:
If key generation happens with not enough entropy in the system, add
a warning to motd pointing at entropy(7) and give instructions how to
re-generate the (weak) keys after fixing up entropy.

Add a "keyregen" command, which forces regeneration of all host keys
to simplify the replacement of weak keys.

diffstat:

 etc/rc.d/sshd |  34 +++++++++++++++++++++++++++++++---
 1 files changed, 31 insertions(+), 3 deletions(-)

diffs (73 lines):

diff -r bc0b62076b5b -r dc07efb8e630 etc/rc.d/sshd
--- a/etc/rc.d/sshd     Sun Sep 26 09:58:13 2021 +0000
+++ b/etc/rc.d/sshd     Sun Sep 26 10:53:20 2021 +0000
@@ -1,6 +1,6 @@
 #!/bin/sh
 #
-# $NetBSD: sshd,v 1.30 2019/10/23 14:45:38 christos Exp $
+# $NetBSD: sshd,v 1.31 2021/09/26 10:53:20 martin Exp $
 #
 
 # PROVIDE: sshd
@@ -13,7 +13,32 @@
 command="/usr/sbin/${name}"
 pidfile="/var/run/${name}.pid"
 required_files="/etc/ssh/sshd_config"
-extra_commands="keygen reload"
+extra_commands="keygen keyregen reload"
+
+sshd_motd_unsafe_keys_warning()
+{
+(
+       umask 022
+       T=/etc/_motd
+       sed -E '/^-- UNSAFE KEYS WARNING:/,$d' < /etc/motd > $T
+       if [ $( sysctl -n kern.entropy.needed ) -ne 0 ]; then
+               cat >> $T << _EOF
+-- UNSAFE KEYS WARNING:
+
+       The ssh host keys on this machine have been generated with
+       not enough entropy configured, so may be predictable.
+
+       To fix, follow the "Adding entropy" section in the entropy(7)
+       man page and after this machine has enough entropy, re-generate
+       the ssh host keys by running:
+
+               sh /etc/rc.d/sshd keyregen
+_EOF
+       fi
+       cmp -s $T /etc/motd || cp $T /etc/motd
+       rm -f $T
+)
+}
 
 sshd_keygen()
 {
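Review bot: The motd warning clears itself as soon as `kern.entropy.needed` reaches 0, even though the weak keys are still in place: `sed -E '/^-- UNSAFE KEYS WARNING:/,$d'` strips the block unconditionally and the `sysctl` test only re-adds it from the current entropy state, not from whether the keys were ever regenerated, and the `-39,6` hunk calls this function on every keygen run, including the ones that skip existing keys. An operator who adds entropy and reboots therefore loses the instruction to run `keyregen` before acting on it; tying the warning to a marker written when a key is generated under insufficient entropy and removed on the `force` path would keep it until the keys are actually replaced. Separately, the unquoted `$( sysctl -n kern.entropy.needed )` inside `[ ... -ne 0 ]` turns empty output (sysctl missing on an older kernel) into a test syntax error that silently skips the warning; `needed=$(sysctl -n kern.entropy.needed 2>/dev/null)` followed by `if [ "${needed:-0}" -ne 0 ]; then` keeps the current outcome without the error. The body of `sshd_keygen()` that opens at the end of this hunk continues outside it.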
@@ -22,9 +47,10 @@
        umask 022
        while read type bits filename;  do
                f="/etc/ssh/$filename"
-               if [ -f "$f" ]; then
+               if [ "$1" != "force" ] && [ -f "$f" ]; then
                        continue
                fi
+               rm -f "$f"
                case "${bits}" in
                -1)     bitarg=;;
                0)      bitarg="${ssh_keygen_flags}";;
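Review bot: The added `rm -f "$f"` deletes the existing private key before its replacement exists, so on the `force` path a failing `ssh-keygen` later in the loop (outside this hunk) leaves the host with no key of that type, and if every type fails the machine can end up with no host key at all. Generating into a temporary name and moving it over `$f` only after `ssh-keygen` succeeds would make `keyregen` atomic per key; the companion `$f.pub` is not removed here either, so whether it is rewritten depends on `ssh-keygen`'s behaviour with an existing public file, which is worth confirming. The surrounding `while read` loop and the `ssh-keygen` call are outside the hunk.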
@@ -39,6 +65,7 @@
 rsa    0       ssh_host_rsa_key
 _EOF
 )
+       sshd_motd_unsafe_keys_warning
 }
 
 sshd_precmd()
@@ -47,6 +74,7 @@
 }
 
 keygen_cmd=sshd_keygen
+keyregen_cmd="sshd_keygen force"
 start_precmd=sshd_precmd
 
 load_rc_config $name


