#! /bin/bash
# Copyright (C) 2011 GRNET S.A. 
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful, but
# WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
# General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
# 02110-1301, USA.

### BEGIN TASK INFO
# Provides:		DeleteSSHKeys
# RunBefore:            UmountImage
# RunAfter:             MountImage
# Short-Description:	Remove ssh keys and in some cases recreate them
### END TASK INFO

set -o errexit

. "@commondir@/common.sh"

# Bail out early when this task has been excluded from the run.
check_if_excluded

# Nothing below makes sense without a mounted target tree to operate on.
if [[ ! -d "$SNF_IMAGE_TARGET" ]]; then
    log_error "Target dir: \`$SNF_IMAGE_TARGET' is missing."
fi
# This task only knows how to handle Linux images; any other OS family is
# left untouched and the task ends successfully.
[[ "$SNF_IMAGE_PROPERTY_OSFAMILY" == "linux" ]] || exit 0

# Root of the mounted image; every key path below is joined with it.
target="$SNF_IMAGE_TARGET"
distro=$(get_base_distro "$target")

# Default OpenSSH host key locations, relative to the image root.
# ssh_host_key is the legacy protocol-1 (rsa1) key.
HOST_KEY="/etc/ssh/ssh_host_key"
RSA_KEY="/etc/ssh/ssh_host_rsa_key"
DSA_KEY="/etc/ssh/ssh_host_dsa_key"
ECDSA_KEY="/etc/ssh/ssh_host_ecdsa_key"

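# Remove the default keys.  Each entry is "<path inside image>@<ssh-keygen
# type>".  Debian does not recreate missing host keys by itself, so on
# Debian-based images a fresh key of the same type is generated in place;
# other distros regenerate them on boot and are simply left without.
for pair in "$HOST_KEY@rsa1" "$RSA_KEY@rsa" "$DSA_KEY@dsa" "$ECDSA_KEY@ecdsa"; do
    key="${pair%@*}"        # path inside the image
    key_type="${pair#*@}"   # argument for ssh-keygen -t
    # A leftover .pub without its private half is cleaned up as well.
    if [ -e "$target/$key" ] || [ -e "$target/$key.pub" ]; then
        # ${target:?} aborts instead of deleting the host's own /etc/ssh
        # keys should $target ever be empty.
        rm -f -- "${target:?}/$key"{,.pub}
        if [ "x$distro" = "xdebian" ]; then
            chroot "$target" \
                env PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin \
                ssh-keygen -t "$key_type" -q -N '' -f "$key"
        fi
    fi
done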

config="$target/etc/ssh/sshd_config"
# Without sshd_config there is no way to learn about non-default key
# locations; the default ones were handled above, so stop here.
if ! [ -e "$config" ]; then
    warn "Config file: \`$config' is missing."
    warn "Can't check for non-default keys."
    exit 0
fi

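# Remove non-default keys: every HostKey directive in sshd_config that does
# not point at one of the default locations handled above.
#
# Match only the HostKey keyword itself (case-insensitively, which is how
# sshd reads keywords); a bare "^HostKey" would also pick up directives such
# as HostKeyAlgorithms and then try to delete/regenerate a bogus path.
# Splitting with read (instead of cut -d" ") also copes with tabs between
# keyword and path.  The loop runs in a subshell because of the pipe;
# nothing it sets is needed afterwards.
grep -iE '^[[:space:]]*HostKey[[:space:]]+' "$config" | \
    while read -r _keyword key _rest; do
    case "$key" in
        "$HOST_KEY"|"$RSA_KEY"|"$DSA_KEY"|"$ECDSA_KEY")
            continue   # default location, already handled
            ;;
    esac

    if [ "x$distro" = "xdebian" ]; then
        # Most distros recreate missing keys...debian complains, so a key of
        # the same type is generated in place.  Take the type from the PEM
        # header when the file exists, otherwise guess it from the filename.
        type=""
        if [ -e "$target/$key" ]; then
            if grep -q -e "-----BEGIN DSA PRIVATE KEY-----" "$target/$key"; then
                type=dsa
            elif grep -q -e "-----BEGIN EC PRIVATE KEY-----" "$target/$key"; then
                type=ecdsa
            elif grep -q -e "-----BEGIN RSA PRIVATE KEY-----" "$target/$key"; then
                type=rsa
            elif grep -q -e "SSH PRIVATE KEY FILE FORMAT" "$target/$key"; then
                type=rsa1
            fi
        else # do some guessing...
            case "$key" in
                *_rsa_*)   type=rsa ;;
                *_dsa_*)   type=dsa ;;
                *_ecdsa_*) type=ecdsa ;;
            esac
        fi
        if [ -z "$type" ]; then
            warn "Unknown key type for \`$key'. I'll use \`rsa1'"
            type=rsa1
        fi

        # ${target:?} aborts instead of touching the host's own files should
        # $target ever be empty.
        rm -f -- "${target:?}/$key"{,.pub}
        chroot "$target" \
            env PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin \
            ssh-keygen -t "$type" -q -N '' -f "$key"
    else
        rm -f -- "${target:?}/$key"{,.pub}
    fi
done

exit 0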

# vim: set sta sts=4 shiftwidth=4 sw=4 et ai :