dropbear: rework failsafe script

- generate or use RSA only if none of the modern algorithms (Ed25519, ECDSA) are supported; - remove size constraints for key size. Signed-off-by: Konstantin Demin <rockdrilla@gmail.com> Link: https://github.com/openwrt/openwrt/pull/23217 Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2026-05-19 16:38:13 +03:00 · 2026-05-19 16:38:13 +03:00 · 30394cc5b9
commit 30394cc5b9
parent 04ea7ca42f
1 changed files with 21 additions and 1 deletions
--- a/package/network/services/dropbear/files/dropbear.failsafe
+++ b/package/network/services/dropbear/files/dropbear.failsafe
@ -40,6 +40,9 @@ failsafe_dropbear() {
 	kargs=
 	kcount=0
 	for ktype in ${ktype_all} ; do
+		case "${ktype}" in
+		rsa ) ;; # skip (see below)
+		* )
 			tkey="/tmp/dropbear_failsafe_${ktype}_host_key"

 			db_key_ensure "${tkey}" -t "${ktype}" || :
@ -50,8 +53,25 @@ failsafe_dropbear() {
 			else
 				rm -f "${tkey}" "${tkey}.pub"
 			fi
+		;;
+		esac
 	done

+	# use RSA only if none of the modern algorithms is supported
+	if [ "${kcount}" = 0 ] ; then
+		ktype=rsa
+		tkey="/tmp/dropbear_failsafe_${ktype}_host_key"
+
+		db_key_ensure "${tkey}" -t "${ktype}" || :
+		if [ -s "${tkey}" ] ; then
+			chmod 0400 "${tkey}"
+			kargs="${kargs} -r ${tkey}"
+			kcount=$((kcount+1))
+		else
+			rm -f "${tkey}" "${tkey}.pub"
+		fi
+	fi
+
 	[ "${kcount}" != 0 ] || {
 		echo 'DROPBEAR IS BROKEN' >&2
 		return 1