#! /bin/bash

### BEGIN TASK INFO
# Provides:		DeleteSSHKeys
# RunBefore:            UmountImage
# RunAfter:             MountImage
# Short-Description:	Remove ssh keys and in some cases recreate them
### END TASK INFO

# Abort on the first failing command: a partially cleaned image must not
# be handed over looking as if the task completed.
set -e
# @commondir@ is substituted at build time (this file is a .in template).
# log_error and get_base_distro are used below but not defined here --
# presumably provided by common.sh; confirm against that file.
. "@commondir@/common.sh"

# NOTE(review): log_error is assumed to terminate the task; if it merely
# logs, execution would continue with a missing target -- TODO confirm.
if [ ! -d "$SNF_IMAGE_TARGET" ]; then
    log_error "Target dir: \`$SNF_IMAGE_TARGET' is missing."
fi

# The key paths handled below are the OpenSSH layout of a Linux image;
# any other OS family is left untouched.
if [ "$SNF_IMAGE_PROPERTY_OSFAMILY" != "linux" ]; then
    exit 0
fi

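distro=$(get_base_distro "$SNF_IMAGE_TARGET")

# Well-known host key locations. Every instance cloned from this image
# would otherwise present the same host identity, which defeats host key
# verification on the client side, so all of them are removed here (and,
# where the distribution will not recreate them on boot, regenerated).
# ed25519 is included: modern sshd generates it by default and leaving it
# behind would silently keep one shared key in the image.
HOST_KEY="/etc/ssh/ssh_host_key"
RSA_KEY="/etc/ssh/ssh_host_rsa_key"
DSA_KEY="/etc/ssh/ssh_host_dsa_key"
ECDSA_KEY="/etc/ssh/ssh_host_ecdsa_key"
ED25519_KEY="/etc/ssh/ssh_host_ed25519_key"

target="$SNF_IMAGE_TARGET"

# Generate a fresh, passphrase-less host key of type $1 at image path $2.
# ssh-keygen runs inside the image (chroot) with an explicit PATH so the
# image's own OpenSSH produces the key and the file lands under $target.
regen_key() {
    chroot "$target" \
        env PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin \
        ssh-keygen -t "$1" -q -N '' -f "$2"
}

# A HostKey value read from the image's sshd_config is untrusted input:
# it is joined to $target below, so a relative path or a ".." component
# could escape the image root and touch the host's own files.
# Returns 0 for an absolute path without ".." components, 1 otherwise.
safe_key_path() {
    case "$1" in
        /*) ;;
        *) return 1 ;;
    esac
    case "/$1/" in
        */../*) return 1 ;;
    esac
    return 0
}

# Remove the default keys
for pair in "$HOST_KEY@rsa1" "$RSA_KEY@rsa" "$DSA_KEY@dsa" \
        "$ECDSA_KEY@ecdsa" "$ED25519_KEY@ed25519"; do
    key="${pair%@*}"
    key_type="${pair#*@}"
    if [ -e "$target/$key" ]; then
        rm -f "$target/$key"{,.pub}
        # Most distros recreate missing host keys on first boot; Debian's
        # sshd just refuses to start, so put fresh ones back right away.
        if [ "x$distro" = "xdebian" ]; then
            regen_key "$key_type" "$key"
        fi
    fi
done

config="$target/etc/ssh/sshd_config"
if [ ! -e "$config" ]; then
    echo "Warning: Config file: \`$config' is missing."
    echo "Warning: Can't check for non-default keys."
    exit 0
fi

# Remove non-default keys...
# Only real "HostKey <path>" directives are matched (keyword is
# case-insensitive in sshd_config and may be indented); a bare ^HostKey
# prefix would also pick up HostKeyAlgorithms/HostKeyAgent lines.
# Caveats: the "HostKey=path" spelling and keys pulled in via Include are
# not seen.
grep -iE '^[[:space:]]*HostKey[[:space:]]' "$config" | while read -r _ key _; do
    if ! safe_key_path "$key"; then
        echo "Warning: Ignoring suspicious HostKey path \`$key'."
        continue
    fi
    # The default locations were already handled above.
    case "$key" in
        "$HOST_KEY"|"$RSA_KEY"|"$DSA_KEY"|"$ECDSA_KEY"|"$ED25519_KEY")
            continue ;;
    esac

    if [ "x$distro" = "xdebian" ]; then
        # Most distros recreate missing keys...debian complains
        key_type=""
        # A symlink inside the image would be resolved on the host, not
        # under $target, so only inspect regular files in place.
        if [ -e "$target/$key" ] && [ ! -L "$target/$key" ]; then
            # Identify the key type from the PEM/legacy header. The native
            # OpenSSH format ("BEGIN OPENSSH PRIVATE KEY") carries no type
            # in its header and is resolved from the file name below.
            if grep -q -e "-----BEGIN DSA PRIVATE KEY-----" "$target/$key"; then
                key_type=dsa
            elif grep -q -e "-----BEGIN EC PRIVATE KEY-----" "$target/$key"; then
                key_type=ecdsa
            elif grep -q -e "-----BEGIN RSA PRIVATE KEY-----" "$target/$key"; then
                key_type=rsa
            elif grep -q -e "SSH PRIVATE KEY FILE FORMAT" "$target/$key"; then
                key_type=rsa1
            fi
        fi
        if [ -z "$key_type" ]; then
            # do some guessing from the conventional ssh_host_<type>_key name
            for i in rsa dsa ecdsa ed25519; do
                case "$key" in
                    *_${i}_*) key_type="$i"; break ;;
                esac
            done
        fi
        if [ -z "$key_type" ]; then
            # Legacy fallback; rsa1 (protocol 1) is rejected by OpenSSH
            # 7.6+ and will then abort the task via set -e.
            echo "Warning: Unknown key type. I'll use \`rsa1'";
            key_type=rsa1
        fi

        rm -f "$target/$key"{,.pub}
        regen_key "$key_type" "$key"
    else
        rm -f "$target/$key"{,.pub}
    fi
done

exit 0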

# vim: set sta sts=4 shiftwidth=4 sw=4 et ai :