dropbear: adjust failsafe script
- try to detect supported (hostkey) algorithms; otherwise fall back to a predefined list; - remove size constraint for ECDSA: a custom build may include only the 384- or 521-bit curves; - remove size constraint for RSA: the default RSA key size is 2048 bits, which is sufficient for SSH security recommendations, and the previous value of 1024 bits is considered insecure. Signed-off-by: Konstantin Demin <rockdrilla@gmail.com> Link: https://github.com/openwrt/openwrt/pull/23217 Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
This commit is contained in:
parent
6126cfbba9
commit
04ea7ca42f
@ -1,53 +1,55 @@
|
|||||||
#!/bin/sh
|
#!/bin/sh
|
||||||
|
|
||||||
_dropbear()
|
db_key_quiet() { dropbearkey "$@" </dev/null >/dev/null 2>&1 ; }
|
||||||
{
|
db_key_types_int() {
|
||||||
/usr/sbin/dropbear "$@" </dev/null >/dev/null 2>&1
|
dropbearkey -h </dev/null 2>&1 \
|
||||||
|
| sed -En '/^\s*-t/,/^\s*-/p' \
|
||||||
|
| sed -En '/^\s*-/n;p'
|
||||||
|
}
|
||||||
|
db_key_types() {
|
||||||
|
normalize_list "$(db_key_types_int)"
|
||||||
}
|
}
|
||||||
|
|
||||||
_dropbearkey()
|
db_key_ensure()
|
||||||
{
|
{
|
||||||
/usr/bin/dropbearkey "$@" </dev/null >/dev/null 2>&1
|
db_key_quiet -y -f "$1" && return
|
||||||
}
|
|
||||||
|
|
||||||
_ensurekey()
|
|
||||||
{
|
|
||||||
_dropbearkey -y -f "$1" && return
|
|
||||||
rm -f "$1"
|
rm -f "$1"
|
||||||
_dropbearkey -f "$@" || {
|
db_key_quiet -f "$@" || {
|
||||||
rm -f "$1"
|
rm -f "$1"
|
||||||
return 1
|
return 1
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
ktype_all='ed25519 ecdsa rsa'
|
# $1 - list with whitespace-separated elements
|
||||||
|
normalize_list()
|
||||||
|
{
|
||||||
|
printf '%s' "$1" | tr -s ' \r\n\t' ' ' | sed -E 's/^ //;s/ $//'
|
||||||
|
}
|
||||||
|
|
||||||
failsafe_dropbear () {
|
failsafe_dropbear() {
|
||||||
local kargs kcount ktype tkey
|
local ktype_all kargs kcount ktype tkey
|
||||||
|
|
||||||
|
# don't hardcode supported algorithm list until things go wrong
|
||||||
|
ktype_all=$(db_key_types)
|
||||||
|
[ -n "${ktype_all}" ] || {
|
||||||
|
echo "dropbear: unable to correctly retrieve supported hostkey algorithms!" >&2
|
||||||
|
|
||||||
|
ktype_all='rsa ecdsa ed25519'
|
||||||
|
}
|
||||||
|
|
||||||
kargs=
|
kargs=
|
||||||
kcount=0
|
kcount=0
|
||||||
for ktype in ${ktype_all} ; do
|
for ktype in ${ktype_all} ; do
|
||||||
tkey="/tmp/dropbear_failsafe_${ktype}_host_key"
|
tkey="/tmp/dropbear_failsafe_${ktype}_host_key"
|
||||||
|
|
||||||
case "${ktype}" in
|
db_key_ensure "${tkey}" -t "${ktype}" || :
|
||||||
ed25519) _ensurekey "${tkey}" -t ed25519 ;;
|
if [ -s "${tkey}" ] ; then
|
||||||
ecdsa) _ensurekey "${tkey}" -t ecdsa -s 256 ;;
|
chmod 0400 "${tkey}"
|
||||||
rsa) _ensurekey "${tkey}" -t rsa -s 1024 ;;
|
kargs="${kargs} -r ${tkey}"
|
||||||
*)
|
kcount=$((kcount+1))
|
||||||
echo "unknown key type: ${ktype}" >&2
|
else
|
||||||
continue
|
rm -f "${tkey}" "${tkey}.pub"
|
||||||
;;
|
fi
|
||||||
esac
|
|
||||||
|
|
||||||
[ -s "${tkey}" ] || {
|
|
||||||
rm -f "${tkey}"
|
|
||||||
continue
|
|
||||||
}
|
|
||||||
|
|
||||||
chmod 0400 "${tkey}"
|
|
||||||
kargs="${kargs}${kargs:+ }-r ${tkey}"
|
|
||||||
kcount=$((kcount+1))
|
|
||||||
done
|
done
|
||||||
|
|
||||||
[ "${kcount}" != 0 ] || {
|
[ "${kcount}" != 0 ] || {
|
||||||
@ -55,7 +57,7 @@ failsafe_dropbear () {
|
|||||||
return 1
|
return 1
|
||||||
}
|
}
|
||||||
|
|
||||||
_dropbear ${kargs}
|
dropbear ${kargs} </dev/null >/dev/null 2>&1
|
||||||
}
|
}
|
||||||
|
|
||||||
boot_hook_add failsafe failsafe_dropbear
|
boot_hook_add failsafe failsafe_dropbear
|
||||||
|
|||||||
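Review bot: Dropping the old `*)` case arm that rejected unknown key types means every token the `dropbearkey -h` parser in `db_key_types_int` yields is now passed straight to `-t` and embedded in the `/tmp/dropbear_failsafe_${ktype}_host_key` path, so the failsafe generates whichever host key types the binary advertises rather than the vetted set; a build with DSS enabled would, if its help text lists `dss`, get a DSS host key alongside the others, which the old hardcoded list deliberately excluded. The token source is the local dropbearkey binary, so this is a policy gap rather than an injection risk, but an allowlist in the loop keeps it closed: `case "${ktype}" in ed25519|ecdsa|rsa) ;; *) continue ;; esac` as the first statement after `for ktype in ${ktype_all} ; do`. That also keeps the set of `-r` host keys stable across dropbear versions and lets the fallback at `ktype_all='rsa ecdsa ed25519'` double as the documented policy. `failsafe_dropbear` continues into the second hunk.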