catspeed-cc/openwrt
1
1
Fork 0
Code

dropbear: rework failsafe script

Browse Source 
- generate or use RSA only if none of the modern algorithms (Ed25519, ECDSA) are supported;
- remove size constraints for key size.

Signed-off-by: Konstantin Demin <rockdrilla@gmail.com>
Link: https://github.com/openwrt/openwrt/pull/23217
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
This commit is contained in:
Konstantin Demin 2026-05-19 16:38:13 +03:00 committed by Hauke Mehrtens
parent 04ea7ca42f
commit 30394cc5b9
1 changed files with 21 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

22
package/network/services/dropbear/files/dropbear.failsafe
View File

@ -40,6 +40,26 @@ failsafe_dropbear() {
kargs= kargs=
kcount=0 kcount=0
for ktype in ${ktype_all} ; do for ktype in ${ktype_all} ; do
case "${ktype}" in
rsa ) ;; # skip (see below)
* )
tkey="/tmp/dropbear_failsafe_${ktype}_host_key"
db_key_ensure "${tkey}" -t "${ktype}" || :
if [ -s "${tkey}" ] ; then
chmod 0400 "${tkey}"
kargs="${kargs} -r ${tkey}"
kcount=$((kcount+1))
else
rm -f "${tkey}" "${tkey}.pub"
fi
;;
esac
done
# use RSA only if none of the modern algorithms is supported
if [ "${kcount}" = 0 ] ; then
ktype=rsa
tkey="/tmp/dropbear_failsafe_${ktype}_host_key" tkey="/tmp/dropbear_failsafe_${ktype}_host_key"
db_key_ensure "${tkey}" -t "${ktype}" || : db_key_ensure "${tkey}" -t "${ktype}" || :
@ -50,7 +70,7 @@ failsafe_dropbear() {
else else
rm -f "${tkey}" "${tkey}.pub" rm -f "${tkey}" "${tkey}.pub"
fi fi
done fi
[ "${kcount}" != 0 ] || { [ "${kcount}" != 0 ] || {
echo 'DROPBEAR IS BROKEN' >&2 echo 'DROPBEAR IS BROKEN' >&2