diff options
author | des <des@FreeBSD.org> | 2013-09-21 21:34:22 +0000 |
---|---|---|
committer | des <des@FreeBSD.org> | 2013-09-21 21:34:22 +0000 |
commit | 3e16db31d109ec87db0aa5d7fcd63e93398259d4 (patch) | |
tree | f28ba06621a6fb8930b31bb6409289a5e2382fca | |
parent | b4fc46964b2d3d8a8685e2629da09f13748dd548 (diff) | |
download | FreeBSD-src-3e16db31d109ec87db0aa5d7fcd63e93398259d4.zip FreeBSD-src-3e16db31d109ec87db0aa5d7fcd63e93398259d4.tar.gz |
Ditch the random seeding code, which never really worked as intended.
Add config variables to enable / disable individual host key algorithms.
Clean up the host key generation code.
Approved by: re (gjb)
MFC after: 3 weeks
-rwxr-xr-x | etc/rc.d/sshd | 105 |
1 files changed, 39 insertions, 66 deletions
diff --git a/etc/rc.d/sshd b/etc/rc.d/sshd index 490a1c7..0167789 100755 --- a/etc/rc.d/sshd +++ b/etc/rc.d/sshd @@ -14,80 +14,59 @@ rcvar="sshd_enable" command="/usr/sbin/${name}" keygen_cmd="sshd_keygen" start_precmd="sshd_precmd" -reload_precmd="sshd_precmd" -restart_precmd="sshd_precmd" +reload_precmd="sshd_configtest" +restart_precmd="sshd_configtest" configtest_cmd="sshd_configtest" pidfile="/var/run/${name}.pid" extra_commands="configtest keygen reload" -timeout=300 +: ${sshd_rsa1_enable:="yes"} +: ${sshd_rsa_enable:="yes"} +: ${sshd_dsa_enable:="yes"} +: ${sshd_ecdsa_enable:="yes"} -user_reseed() +sshd_keygen_alg() { - ( - seeded=`sysctl -n kern.random.sys.seeded 2>/dev/null` - if [ "x${seeded}" != "x" ] && [ ${seeded} -eq 0 ] ; then - warn "Setting entropy source to blocking mode." - echo "====================================================" - echo "Type a full screenful of random junk to unblock" - echo "it and remember to finish with <enter>. This will" - echo "timeout in ${timeout} seconds, but waiting for" - echo "the timeout without typing junk may make the" - echo "entropy source deliver predictable output." - echo "" - echo "Just hit <enter> for fast+insecure startup." - echo "====================================================" - sysctl kern.random.sys.seeded=0 2>/dev/null - read -t ${timeout} junk - echo "${junk}" `sysctl -a` `date` > /dev/random + local alg=$1 + local ALG="$(echo $alg | tr a-z A-Z)" + local keyfile + + if ! checkyesno "sshd_${alg}_enable" ; then + return 0 fi - ) -} -sshd_keygen() -{ - ( - umask 022 + case $alg in + rsa1) + keyfile="/etc/ssh/ssh_host_key" + ;; + rsa|dsa|ecdsa) + keyfile="/etc/ssh/ssh_host_${alg}_key" + ;; + *) + return 1 + ;; + esac - # Can't do anything if ssh is not installed - [ -x /usr/bin/ssh-keygen ] || { + if [ ! -x /usr/bin/ssh-keygen ] ; then warn "/usr/bin/ssh-keygen does not exist." return 1 - } - - if [ -f /etc/ssh/ssh_host_key ]; then - echo "You already have an RSA host key" \ - "in /etc/ssh/ssh_host_key" - echo "Skipping protocol version 1 RSA Key Generation" - else - /usr/bin/ssh-keygen -t rsa1 -b 1024 \ - -f /etc/ssh/ssh_host_key -N '' - fi - - if [ -f /etc/ssh/ssh_host_dsa_key ]; then - echo "You already have a DSA host key" \ - "in /etc/ssh/ssh_host_dsa_key" - echo "Skipping protocol version 2 DSA Key Generation" - else - /usr/bin/ssh-keygen -t dsa -f /etc/ssh/ssh_host_dsa_key -N '' fi - if [ -f /etc/ssh/ssh_host_rsa_key ]; then - echo "You already have an RSA host key" \ - "in /etc/ssh/ssh_host_rsa_key" - echo "Skipping protocol version 2 RSA Key Generation" + if [ -f "${keyfile}" ] ; then + echo "$ALG host key exists." else - /usr/bin/ssh-keygen -t rsa -f /etc/ssh/ssh_host_rsa_key -N '' + echo "Generating $ALG host key." + /usr/bin/ssh-keygen -q -t $alg -f "$keyfile" -N "" + /usr/bin/ssh-keygen -l -f "$keyfile.pub" fi +} - if [ -f /etc/ssh/ssh_host_ecdsa_key ]; then - echo "You already have an ECDSA host key" \ - "in /etc/ssh/ssh_host_ecdsa_key" - echo "Skipping protocol version 2 ECDSA Key Generation" - else - /usr/bin/ssh-keygen -t ecdsa -f /etc/ssh/ssh_host_ecdsa_key -N '' - fi - ) +sshd_keygen() +{ + sshd_keygen_alg rsa1 + sshd_keygen_alg rsa + sshd_keygen_alg dsa + sshd_keygen_alg ecdsa } sshd_configtest() @@ -98,14 +77,8 @@ sshd_configtest() sshd_precmd() { - if [ ! -f /etc/ssh/ssh_host_key -o \ - ! -f /etc/ssh/ssh_host_dsa_key -o \ - ! -f /etc/ssh/ssh_host_ecdsa_key -o \ - ! -f /etc/ssh/ssh_host_rsa_key ]; then - user_reseed - run_rc_command keygen - fi - sshd_configtest + run_rc_command keygen + run_rc_command configtest } load_rc_config $name |