#! /bin/bash
# Copyright (C) 2011 GRNET S.A. 
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful, but
# WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
# General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
# 02110-1301, USA.

### BEGIN TASK INFO
# Provides:		DeleteSSHKeys
# RunBefore:            UmountImage
# RunAfter:             MountImage
# Short-Description:	Remove ssh keys and in some cases recreate them
25
### END TASK INFO

# Abort on the first failing command; nothing below is safe to continue past.
set -o errexit

# Shared task helpers; presumably provides log_error, warn, get_base_distro
# and check_if_excluded, which are used below but not defined in this file.
. "@commondir@/common.sh"

# Bail out early when the caller has excluded this task.
check_if_excluded

# The image is expected to be mounted under $SNF_IMAGE_TARGET already
# (this task declares RunAfter: MountImage).
if ! [ -d "$SNF_IMAGE_TARGET" ]; then
    log_error "Target dir: \`$SNF_IMAGE_TARGET' is missing."
fi

# The key paths and ssh-keygen handling below are for Linux guests only;
# every other OS family is left untouched.
case "$SNF_IMAGE_PROPERTY_OSFAMILY" in
    linux) ;;
    *) exit 0 ;;
esac

# Root of the mounted guest filesystem; every key path below is joined to it.
target="$SNF_IMAGE_TARGET"

# Base distro of the guest, used to decide whether keys must be regenerated.
distro=$(get_base_distro "$SNF_IMAGE_TARGET")

# Default OpenSSH host key locations (paths as seen inside the guest).
HOST_KEY=/etc/ssh/ssh_host_key
RSA_KEY=/etc/ssh/ssh_host_rsa_key
DSA_KEY=/etc/ssh/ssh_host_dsa_key
ECDSA_KEY=/etc/ssh/ssh_host_ecdsa_key

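# Remove the default host keys. Most distros recreate missing host keys on
# boot; Debian complains instead, so on Debian a fresh key of the same type
# is generated right away inside the image.
for pair in "$HOST_KEY@rsa1" "$RSA_KEY@rsa" "$DSA_KEY@dsa" "$ECDSA_KEY@ecdsa"; do
    key=${pair%@*}        # path inside the guest
    key_type=${pair#*@}   # argument for ssh-keygen -t
    # Only keys that actually exist are touched (and, on Debian, replaced).
    if [ -e "$target/$key" ]; then
        # ${target:?} refuses to run if the target is somehow empty, which
        # would otherwise turn this into an rm of the host's own keys.
        rm -f -- "${target:?}/$key" "${target:?}/$key.pub"
        if [ "x$distro" = "xdebian" ]; then
            chroot "$target" \
                env PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin \
                ssh-keygen -t "$key_type" -q -N '' -f "$key"
        fi
    fi
done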

config="$target/etc/ssh/sshd_config"
# Without sshd_config there is no way to learn about non-default HostKey
# entries, so stop here; the default keys were already handled above.
if ! [ -e "$config" ]; then
    warn "Config file: \`$config' is missing."
    warn "Can't check for non-default keys."
    exit 0
fi

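# Remove non-default keys: every HostKey entry of the guest's sshd_config that
# is not one of the default paths handled above. The loop is fed straight from
# grep: the former `grep ... || true | while' parsed as `grep || (true | while)'
# and never entered the loop when a HostKey line actually existed. Without
# pipefail, a grep that matches nothing does not trip `set -e' here.

# Determine the ssh-keygen -t type of an existing private key from its header.
# Arguments: $1 - host-side path of the key file
# Outputs:   the type on stdout, nothing if the header is not recognised
key_type_from_file() {
    local file=$1
    # -q keeps key file contents out of the task output.
    if grep -q -e "-----BEGIN DSA PRIVATE KEY-----" -- "$file"; then
        printf '%s\n' dsa
    elif grep -q -e "-----BEGIN EC PRIVATE KEY-----" -- "$file"; then
        printf '%s\n' ecdsa
    elif grep -q -e "-----BEGIN RSA PRIVATE KEY-----" -- "$file"; then
        printf '%s\n' rsa
    elif grep -q -e "SSH PRIVATE KEY FILE FORMAT" -- "$file"; then
        printf '%s\n' rsa1
    fi
}

# Guess the key type from the conventional `_<type>_' infix of the file name.
# Arguments: $1 - key path
# Outputs:   the type on stdout, nothing if no infix matches
key_type_from_name() {
    case "$1" in
        *_rsa_*)   printf '%s\n' rsa ;;
        *_dsa_*)   printf '%s\n' dsa ;;
        *_ecdsa_*) printf '%s\n' ecdsa ;;
    esac
}

# sshd keywords are case-insensitive and may be indented; requiring trailing
# whitespace keeps `HostKeyAlgorithms' lines out of the match.
grep -iE '^[[:space:]]*HostKey[[:space:]]+' -- "$config" | while IFS= read -r key_line; do
    # Second whitespace-separated field is the key path inside the guest.
    read -r _ key _ <<<"$key_line"

    # Default keys were already handled by the loop above.
    case "$key" in
        "$HOST_KEY"|"$RSA_KEY"|"$DSA_KEY"|"$ECDSA_KEY") continue ;;
    esac

    # The path is taken from the image's own sshd_config, so treat it as
    # untrusted: accept only absolute paths without `..' components before
    # joining it with $target, otherwise rm could reach outside the image.
    case "$key" in
        /*) ;;
        *) warn "Skipping HostKey \`$key': not an absolute path."; continue ;;
    esac
    case "/$key/" in
        */../*) warn "Skipping HostKey \`$key': contains \`..'."; continue ;;
    esac
    # NOTE(review): a symlinked directory inside the image (e.g. an /etc/ssh
    # that points elsewhere) is still resolved by the host-side rm below;
    # doing the removal inside the chroot would confine that — confirm first.

    if [ "x$distro" = "xdebian" ]; then
        # Most distros recreate missing host keys on boot; Debian complains
        # instead, so regenerate a key of the same type inside the image.
        key_type=""
        if [ -e "$target/$key" ]; then
            key_type=$(key_type_from_file "$target/$key")
        fi
        # No file, or an unrecognised header: fall back to the name convention.
        [ -n "$key_type" ] || key_type=$(key_type_from_name "$key")
        if [ -z "$key_type" ]; then
            warn "Unknown key type for \`$key'. I'll use \`rsa1'"
            key_type=rsa1
        fi

        # ${target:?} refuses to run if the target is somehow empty, which
        # would otherwise turn this into an rm on the host.
        rm -f -- "${target:?}/$key" "${target:?}/$key.pub"
        chroot "$target" \
            env PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin \
            ssh-keygen -t "$key_type" -q -N '' -f "$key"
    else
        rm -f -- "${target:?}/$key" "${target:?}/$key.pub"
    fi
done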

exit 0

# vim: set sta sts=4 shiftwidth=4 sw=4 et ai :