#! /bin/bash

### BEGIN TASK INFO
# Provides:		DeleteSSHKeys
# Requires:             MountImage
# Short-Description:	Remove ssh host keys if present.
### END TASK INFO

# Abort on the first failing command (e.g. a failed key regeneration below)
# instead of continuing with the image in a half-processed state.
set -e
. "@commondir@/common.sh"
# The target filesystem must already be mounted; log_error (from common.sh)
# reports a missing mount point.
[ -d "$SNF_IMAGE_TARGET" ] || \
    log_error "Target dir: \`$SNF_IMAGE_TARGET' is missing."
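target="$SNF_IMAGE_TARGET"

# Only "extdump" images are processed; any other image type ends the task
# successfully without touching the target.
if [ "$SNF_IMAGE_TYPE" != "extdump" ]; then
    cleanup
    trap - EXIT
    exit 0
fi

distro=$(get_base_distro "$SNF_IMAGE_TARGET")

# Default host key locations of sshd (used when sshd_config names none).
# Every one of them has to go: a host key left over from the image would be
# shared by every instance deployed from it.
HOST_KEY="/etc/ssh/ssh_host_key"
RSA_KEY="/etc/ssh/ssh_host_rsa_key"
DSA_KEY="/etc/ssh/ssh_host_dsa_key"
ECDSA_KEY="/etc/ssh/ssh_host_ecdsa_key"
ED25519_KEY="/etc/ssh/ssh_host_ed25519_key"

# Delete the key pair $1 (a path inside the image) and, on Debian, create a
# fresh key of ssh-keygen type $2 in its place. Most distros recreate
# missing host keys on boot; Debian just complains about them.
# NOTE(review): the regeneration runs the image's own ssh-keygen (and env)
# as root inside the chroot, i.e. code taken from the image being deployed;
# keep this task confined to the disposable helper environment.
purge_host_key() {
    local key="$1" key_type="$2"

    rm -f "$target/$key"{,.pub}
    if [ "x$distro" = "xdebian" ]; then
        chroot "$target" \
            env PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin \
            ssh-keygen -t "$key_type" -q -N '' -f "$key"
    fi
}

# Print the ssh-keygen type of the host key $1, or nothing if it cannot be
# told. The PEM header is checked first; when the file is missing or uses
# the OpenSSH-native private key format (which does not name the algorithm
# and is what ed25519 keys, and ssh-keygen since 7.8 by default, produce),
# the type is guessed from the conventional ssh_host_<type>_key file name.
host_key_type() {
    local key="$1" path="$target/$1" t

    if [ -e "$path" ]; then
        if grep -q -e "-----BEGIN DSA PRIVATE KEY-----" "$path"; then
            echo dsa; return
        elif grep -q -e "-----BEGIN EC PRIVATE KEY-----" "$path"; then
            echo ecdsa; return
        elif grep -q -e "-----BEGIN RSA PRIVATE KEY-----" "$path"; then
            echo rsa; return
        elif grep -q -e "SSH PRIVATE KEY FILE FORMAT" "$path"; then
            echo rsa1; return
        fi
    fi
    for t in rsa dsa ecdsa ed25519; do
        case "$key" in
            *_${t}_*) echo "$t"; return ;;
        esac
    done
}

# Pass 1: the default key locations.
for pair in "$HOST_KEY@rsa1" "$RSA_KEY@rsa" "$DSA_KEY@dsa" \
        "$ECDSA_KEY@ecdsa" "$ED25519_KEY@ed25519"; do
    key=${pair%@*}
    key_type=${pair#*@}
    if [ -e "$target/$key" ]; then
        purge_host_key "$key" "$key_type"
    fi
done

config="$target/etc/ssh/sshd_config"
if [ ! -e "$config" ]; then
    log_error "Config file: \`$config' is missing."
fi

# Pass 2: keys named by HostKey directives in sshd_config. The keyword is
# matched exactly and case-insensitively, as sshd parses it, so that
# HostKeyAlgorithms/HostKeyAgent lines are not taken for key paths, and
# both "HostKey <path>" and "HostKey=<path>" are accepted.
awk -F '[ \t=]+' \
    '{ sub(/^[ \t]+/, "") }
     tolower($1) == "hostkey" && NF >= 2 { print $2 }' "$config" |
while IFS= read -r key; do
    [ -n "$key" ] || continue
    case "$key" in
        "$HOST_KEY"|"$RSA_KEY"|"$DSA_KEY"|"$ECDSA_KEY"|"$ED25519_KEY")
            continue ;;  # already handled in pass 1
    esac

    type=""
    if [ "x$distro" = "xdebian" ]; then
        type=$(host_key_type "$key")
        if [ -z "$type" ]; then
            # rsa1 is a protocol-1 key type; ssh-keygen since OpenSSH 7.6
            # rejects it, which aborts this task under "set -e".
            echo "Warning: Unknown key type. I'll use \`rsa1'";
            type=rsa1
        fi
    fi
    purge_host_key "$key" "$type"
done

cleanup
trap - EXIT

exit 0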

# vim: set sta sts=4 shiftwidth=4 sw=4 et ai :