From 00c7b7543973f237b79ee87ca697c08b71954d35 Mon Sep 17 00:00:00 2001 From: Jakub Jelen Date: Wed, 16 Mar 2016 09:57:22 +0100 Subject: [PATCH] Make sshd-keygen comply with packaging guidelines (#1325535) --- openssh.spec | 10 +-- sshd-keygen | 198 ++++++++----------------------------------- sshd-keygen.service | 11 --- sshd-keygen@.service | 9 ++ sshd.service | 4 +- sshd.sysconfig | 8 +- 6 files changed, 54 insertions(+), 186 deletions(-) delete mode 100644 sshd-keygen.service create mode 100644 sshd-keygen@.service diff --git a/openssh.spec b/openssh.spec index ecbea54..e8e202c 100644 --- a/openssh.spec +++ b/openssh.spec @@ -87,7 +87,7 @@ Source7: sshd.sysconfig Source9: sshd@.service Source10: sshd.socket Source11: sshd.service -Source12: sshd-keygen.service +Source12: sshd-keygen@.service Source13: sshd-keygen Source14: sshd.tmpfiles @@ -645,12 +645,12 @@ install -d $RPM_BUILD_ROOT%{_libdir}/fipscheck install -m644 %{SOURCE2} $RPM_BUILD_ROOT/etc/pam.d/sshd install -m644 %{SOURCE6} $RPM_BUILD_ROOT/etc/pam.d/ssh-keycat install -m644 %{SOURCE7} $RPM_BUILD_ROOT/etc/sysconfig/sshd -install -m755 %{SOURCE13} $RPM_BUILD_ROOT/%{_sbindir}/sshd-keygen install -d -m755 $RPM_BUILD_ROOT/%{_unitdir} install -m644 %{SOURCE9} $RPM_BUILD_ROOT/%{_unitdir}/sshd@.service install -m644 %{SOURCE10} $RPM_BUILD_ROOT/%{_unitdir}/sshd.socket install -m644 %{SOURCE11} $RPM_BUILD_ROOT/%{_unitdir}/sshd.service -install -m644 %{SOURCE12} $RPM_BUILD_ROOT/%{_unitdir}/sshd-keygen.service +install -m644 %{SOURCE12} $RPM_BUILD_ROOT/%{_unitdir}/sshd-keygen@.service +install -m744 %{SOURCE13} $RPM_BUILD_ROOT/%{_libexecdir}/openssh/sshd-keygen install -m755 contrib/ssh-copy-id $RPM_BUILD_ROOT%{_bindir}/ install contrib/ssh-copy-id.1 $RPM_BUILD_ROOT%{_mandir}/man1/ install -m644 -D %{SOURCE14} $RPM_BUILD_ROOT%{_tmpfilesdir}/%{name}.conf @@ -757,9 +757,9 @@ getent passwd sshd >/dev/null || \ %files server %dir %attr(0711,root,root) %{_var}/empty/sshd %attr(0755,root,root) %{_sbindir}/sshd -%attr(0755,root,root) %{_sbindir}/sshd-keygen %attr(0644,root,root) %{_libdir}/fipscheck/sshd.hmac %attr(0755,root,root) %{_libexecdir}/openssh/sftp-server +%attr(0755,root,root) %{_libexecdir}/openssh/sshd-keygen %attr(0644,root,root) %{_mandir}/man5/sshd_config.5* %attr(0644,root,root) %{_mandir}/man5/moduli.5* %attr(0644,root,root) %{_mandir}/man8/sshd.8* @@ -770,7 +770,7 @@ getent passwd sshd >/dev/null || \ %attr(0644,root,root) %{_unitdir}/sshd.service %attr(0644,root,root) %{_unitdir}/sshd@.service %attr(0644,root,root) %{_unitdir}/sshd.socket -%attr(0644,root,root) %{_unitdir}/sshd-keygen.service +%attr(0644,root,root) %{_unitdir}/sshd-keygen@.service %attr(0644,root,root) %{_tmpfilesdir}/openssh.conf %endif diff --git a/sshd-keygen b/sshd-keygen index 78da730..141814c 100644 --- a/sshd-keygen +++ b/sshd-keygen @@ -1,168 +1,40 @@ #!/bin/bash # Create the host keys for the OpenSSH server. -# -# The creation is controlled by the $AUTOCREATE_SERVER_KEYS environment -# variable. -AUTOCREATE_SERVER_KEYS="RSA ECDSA ED25519" - -if [ -f /etc/rc.d/init.d/functions ]; then - # source function library - . /etc/rc.d/init.d/functions -else - # minimal implimantation of success and failure function - success() - { - echo -en $"[ OK ]\r" - return 0 - } - failure() - { - echo -en $"[FAILED]\r" - return 1 - } -fi - -# Some functions to make the below more readable -KEYGEN=/usr/bin/ssh-keygen -RSA1_KEY=/etc/ssh/ssh_host_key -RSA_KEY=/etc/ssh/ssh_host_rsa_key -DSA_KEY=/etc/ssh/ssh_host_dsa_key -ECDSA_KEY=/etc/ssh/ssh_host_ecdsa_key -ED25519_KEY=/etc/ssh/ssh_host_ed25519_key - -# pull in sysconfig settings -[ -f /etc/sysconfig/sshd ] && . /etc/sysconfig/sshd - -fips_enabled() { - if [ -r /proc/sys/crypto/fips_enabled ]; then - cat /proc/sys/crypto/fips_enabled - else - echo 0 - fi -} - -do_rsa1_keygen() { - if [ ! -s $RSA1_KEY -a `fips_enabled` -eq 0 ]; then - echo -n $"Generating SSH1 RSA host key: " - rm -f $RSA1_KEY - if test ! -f $RSA1_KEY && $KEYGEN -q -t rsa1 -f $RSA1_KEY -C '' -N '' >&/dev/null; then - chgrp ssh_keys $RSA1_KEY - chmod 640 $RSA1_KEY - chmod 644 $RSA1_KEY.pub - if [ -x /sbin/restorecon ]; then - /sbin/restorecon $RSA1_KEY{,.pub} - fi - success $"RSA1 key generation" - echo - else - failure $"RSA1 key generation" - echo - exit 1 - fi - fi -} - -do_rsa_keygen() { - if [ ! -s $RSA_KEY ]; then - echo -n $"Generating SSH2 RSA host key: " - rm -f $RSA_KEY - if test ! -f $RSA_KEY && $KEYGEN -q -t rsa -f $RSA_KEY -C '' -N '' >&/dev/null; then - chgrp ssh_keys $RSA_KEY - chmod 640 $RSA_KEY - chmod 644 $RSA_KEY.pub - if [ -x /sbin/restorecon ]; then - /sbin/restorecon $RSA_KEY{,.pub} - fi - success $"RSA key generation" - echo - else - failure $"RSA key generation" - echo - exit 1 - fi - fi -} - -do_dsa_keygen() { - if [ ! -s $DSA_KEY -a `fips_enabled` -eq 0 ]; then - echo -n $"Generating SSH2 DSA host key: " - rm -f $DSA_KEY - if test ! -f $DSA_KEY && $KEYGEN -q -t dsa -f $DSA_KEY -C '' -N '' >&/dev/null; then - chgrp ssh_keys $DSA_KEY - chmod 640 $DSA_KEY - chmod 644 $DSA_KEY.pub - if [ -x /sbin/restorecon ]; then - /sbin/restorecon $DSA_KEY{,.pub} - fi - success $"DSA key generation" - echo - else - failure $"DSA key generation" - echo - exit 1 - fi - fi -} - -do_ecdsa_keygen() { - if [ ! -s $ECDSA_KEY ]; then - echo -n $"Generating SSH2 ECDSA host key: " - rm -f $ECDSA_KEY - if test ! -f $ECDSA_KEY && $KEYGEN -q -t ecdsa -f $ECDSA_KEY -C '' -N '' >&/dev/null; then - chgrp ssh_keys $ECDSA_KEY - chmod 640 $ECDSA_KEY - chmod 644 $ECDSA_KEY.pub - if [ -x /sbin/restorecon ]; then - /sbin/restorecon $ECDSA_KEY{,.pub} - fi - success $"ECDSA key generation" - echo - else - failure $"ECDSA key generation" - echo - exit 1 - fi - fi -} - -do_ed25519_keygen() { - if [ ! -s $ED25519_KEY -a `fips_enabled` -eq 0 ]; then - echo -n $"Generating SSH2 ED25519 host key: " - rm -f $ED25519_KEY - if test ! -f $ED25519_KEY && $KEYGEN -q -t ed25519 -f $ED25519_KEY -C '' -N '' >&/dev/null; then - chgrp ssh_keys $ED25519_KEY - chmod 640 $ED25519_KEY - chmod 644 $ED25519_KEY.pub - if [ -x /sbin/restorecon ]; then - /sbin/restorecon $ED25519_KEY{,.pub} - fi - success $"ED25519 key generation" - echo - else - failure $"ED25519 key generation" - echo - exit 1 - fi - fi -} - -if [ "x${AUTOCREATE_SERVER_KEYS}" == "xNO" ]; then - exit 0 -fi - -# legacy options -case $AUTOCREATE_SERVER_KEYS in - NODSA) AUTOCREATE_SERVER_KEYS="RSA ECDSA ED25519";; - RSAONLY) AUTOCREATE_SERVER_KEYS="RSA";; - YES) AUTOCREATE_SERVER_KEYS="DSA RSA ECDSA ED25519";; +KEYTYPE=$1 +case $KEYTYPE in + "dsa") ;& # disabled in FIPS + "ed25519") + FIPS=/proc/sys/crypto/fips_enabled + if [[ -r "$FIPS" && $(cat $FIPS) == "1" ]]; then + exit 0 + fi ;; + "rsa") ;; # always ok + "ecdsa") ;; + *) # wrong argument + exit 12 ;; esac +KEY=/etc/ssh/ssh_host_${KEYTYPE}_key -for KEY in $AUTOCREATE_SERVER_KEYS; do - case $KEY in - DSA) do_dsa_keygen;; - RSA) do_rsa_keygen;; - ECDSA) do_ecdsa_keygen;; - ED25519) do_ed25519_keygen;; - esac -done +KEYGEN=/usr/bin/ssh-keygen +if [[ ! -x $KEYGEN ]]; then + exit 13 +fi + +# remove old keys +rm -f $KEY{,.pub} + +# create new keys +if ! $KEYGEN -q -t $KEYTYPE -f $KEY -C '' -N '' >&/dev/null; then + exit 1 +fi + +# sanitize permissions +/usr/bin/chgrp ssh_keys $KEY +/usr/bin/chmod 640 $KEY +/usr/bin/chmod 644 $KEY.pub +if [[ -x /usr/sbin/restorecon ]]; then + /usr/sbin/restorecon $KEY{,.pub} +fi + +exit 0 diff --git a/sshd-keygen.service b/sshd-keygen.service deleted file mode 100644 index 77cffeb..0000000 --- a/sshd-keygen.service +++ /dev/null @@ -1,11 +0,0 @@ -[Unit] -Description=OpenSSH Server Key Generation -ConditionFileNotEmpty=|!/etc/ssh/ssh_host_rsa_key -ConditionFileNotEmpty=|!/etc/ssh/ssh_host_ecdsa_key -ConditionFileNotEmpty=|!/etc/ssh/ssh_host_ed25519_key -PartOf=sshd.service sshd.socket - -[Service] -ExecStart=/usr/sbin/sshd-keygen -Type=oneshot -RemainAfterExit=yes diff --git a/sshd-keygen@.service b/sshd-keygen@.service new file mode 100644 index 0000000..7a7a8f8 --- /dev/null +++ b/sshd-keygen@.service @@ -0,0 +1,9 @@ +[Unit] +Description=OpenSSH %i Server Key Generation +ConditionFileNotEmpty=|!/etc/ssh/ssh_host_%i_key +Before=sshd.service + +[Service] +Type=oneshot +EnvironmentFile=-/etc/sysconfig/sshd +ExecStart=/usr/libexec/openssh/sshd-keygen %i diff --git a/sshd.service b/sshd.service index 825a931..c882eef 100644 --- a/sshd.service +++ b/sshd.service @@ -2,7 +2,9 @@ Description=OpenSSH server daemon Documentation=man:sshd(8) man:sshd_config(5) After=network.target sshd-keygen.service -Wants=sshd-keygen.service +Wants=sshd-keygen@rsa.service +Wants=sshd-keygen@ecdsa.service +Wants=sshd-keygen@ed25519.service [Service] Type=forking diff --git a/sshd.sysconfig b/sshd.sysconfig index e666ab9..7a0f4d2 100644 --- a/sshd.sysconfig +++ b/sshd.sysconfig @@ -1,12 +1,8 @@ # Configuration file for the sshd service. # The server keys are automatically generated if they are missing. -# To change the automatic creation uncomment and change the appropriate -# line. Accepted key types are: DSA RSA ECDSA ED25519. -# The default is "RSA ECDSA ED25519" - -# AUTOCREATE_SERVER_KEYS="" -# AUTOCREATE_SERVER_KEYS="RSA ECDSA ED25519" +# To change the automatic creation, adjust sshd.service options for +# example using systemctl enable sshd-config@dsa.service for DSA keys # Do not change this option unless you have hardware random # generator and you REALLY know what you are doing