#! /bin/bash
# Copyright (C) 2011 GRNET S.A. 
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful, but
# WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
# General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
# 02110-1301, USA.

### BEGIN TASK INFO
# Provides:		DeleteSSHKeys
# RunBefore:            UmountImage
# RunAfter:             MountImage
# Short-Description:	Remove ssh keys and in some cases recreate them
### END TASK INFO

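set -e

. "@commondir@/common.sh"

# Remove the ssh host keys shipped in the image. On debian the keys are
# recreated in place right away (see the note in the HostKey loop below).

if [ ! -d "$SNF_IMAGE_TARGET" ]; then
    # NOTE(review): log_error is expected to abort the task; confirm in
    # common.sh, otherwise the script goes on with a missing target.
    log_error "Target dir: \`$SNF_IMAGE_TARGET' is missing."
fi

if [ "$SNF_IMAGE_PROPERTY_OSFAMILY" != "linux" ]; then
    exit 0
fi

distro=$(get_base_distro "$SNF_IMAGE_TARGET")

# Key paths as seen from inside the image (always absolute).
HOST_KEY="/etc/ssh/ssh_host_key"
RSA_KEY="/etc/ssh/ssh_host_rsa_key"
DSA_KEY="/etc/ssh/ssh_host_dsa_key"
ECDSA_KEY="/etc/ssh/ssh_host_ecdsa_key"

target="$SNF_IMAGE_TARGET"

# Regenerate a host key inside the image. The explicit PATH is given
# because the chroot does not necessarily see a usable one.
# Globals:   target (read)
# Arguments: $1 - key type as accepted by ssh-keygen -t
#            $2 - absolute key path inside the image
# Returns:   ssh-keygen's exit status
recreate_key() {
    local key_type="$1"
    local key="$2"

    chroot "$target" \
        env PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin \
        ssh-keygen -t "$key_type" -q -N '' -f "$key"
}

# Accept a HostKey path read from the image's sshd_config only when it is
# absolute and has no ".." component, so that "$target/$key" can never
# name a file outside the mounted image. The config is image content and
# therefore not trusted to drive rm on the host side.
# Arguments: $1 - key path as written in sshd_config
# Returns:   0 when the path is safe to use, 1 otherwise
safe_key_path() {
    case "$1" in
        /*) ;;
        *) return 1 ;;
    esac
    case "/$1/" in
        */../*) return 1 ;;
    esac
    return 0
}

# Work out the type of a non-default host key, first from the header of
# the existing key file and, failing that, from the key's file name.
# Globals:   target (read)
# Arguments: $1 - absolute key path inside the image
# Outputs:   rsa, dsa, ecdsa or rsa1 on stdout; nothing when unknown
# Returns:   0
guess_key_type() {
    local key="$1"
    local i

    # -q keeps the matched header line off stdout; -F/-- because the
    # patterns start with '-'.
    if [ -f "$target/$key" ]; then
        if grep -qF -- "-----BEGIN DSA PRIVATE KEY-----" "$target/$key"; then
            echo dsa; return 0
        elif grep -qF -- "-----BEGIN EC PRIVATE KEY-----" "$target/$key"; then
            echo ecdsa; return 0
        elif grep -qF -- "-----BEGIN RSA PRIVATE KEY-----" "$target/$key"; then
            echo rsa; return 0
        elif grep -qF -- "SSH PRIVATE KEY FILE FORMAT" "$target/$key"; then
            echo rsa1; return 0
        fi
    fi

    # No file, or no recognisable header: do some guessing from the name.
    for i in rsa dsa ecdsa; do
        case "$key" in
            *_${i}_*) echo "$i"; return 0 ;;
        esac
    done
    return 0
}

# Remove the default keys
for pair in "$HOST_KEY@rsa1" "$RSA_KEY@rsa" "$DSA_KEY@dsa" "$ECDSA_KEY@ecdsa"; do
    key="${pair%@*}"
    key_type="${pair#*@}"
    if [ -e "$target/$key" ]; then
        rm -f "$target/$key"{,.pub}
        if [ "x$distro" = "xdebian" ]; then
            recreate_key "$key_type" "$key"
        fi
    fi
done

config="$target/etc/ssh/sshd_config"
if [ ! -e "$config" ]; then
    warn "Config file: \`$config' is missing."
    warn "Can't check for non-default keys."
    exit 0
fi

# Remove non-default keys...
# The anchored pattern takes only "HostKey <path>" directives, with or
# without leading whitespace, and skips HostKeyAlgorithms/HostKeyAgent,
# which a bare ^HostKey would also match. The loop body runs in a
# subshell, so nothing assigned in it is visible afterwards.
grep -E '^[[:space:]]*HostKey[[:space:]]' "$config" | while read -r _ key _; do
    if [ -z "$key" ]; then
        warn "Ignoring HostKey directive without a path in \`$config'."
        continue
    fi
    if ! safe_key_path "$key"; then
        warn "Ignoring HostKey path \`$key' in \`$config': not an absolute path inside the image."
        continue
    fi

    case "$key" in
        "$HOST_KEY"|"$RSA_KEY"|"$DSA_KEY"|"$ECDSA_KEY")
            # already handled by the default-keys loop above
            continue ;;
    esac

    if [ "x$distro" = "xdebian" ]; then
        # Most distros recreate missing keys...debian complains
        key_type=$(guess_key_type "$key")
        if [ -z "$key_type" ]; then
            warn "Unknown key type for \`$key'. I'll use \`rsa1'"
            key_type=rsa1
        fi

        rm -f "$target/$key"{,.pub}
        recreate_key "$key_type" "$key"
    else
        rm -f "$target/$key"{,.pub}
    fi
done

exit 0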

# vim: set sta sts=4 shiftwidth=4 sw=4 et ai :