Fix various bugs in snf-image-helper
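#! /bin/bash

### BEGIN TASK INFO
# Provides:             DeleteSSHKeys
# RunBefore:            UmountImage
# RunAfter:             MountImage
# Short-Description:    Remove ssh keys and in some cases recreate them
### END TASK INFO

# Delete the SSH host keys shipped inside the mounted image so that every
# instance built from it ends up with keys of its own.  On Debian-based
# images the keys are recreated on the spot with the image's own ssh-keygen
# (executed inside a chroot of the mounted image); other distributions are
# left to regenerate missing host keys themselves on first boot.
#
# Environment read:
#   SNF_IMAGE_TARGET             mount point of the image filesystem
#   SNF_IMAGE_PROPERTY_OSFAMILY  anything other than "linux" is skipped
# Helpers taken from common.sh: log_error, cleanup, get_base_distro

set -e
. "@commondir@/common.sh"

if [ ! -d "$SNF_IMAGE_TARGET" ]; then
    # NOTE(review): log_error (common.sh) is expected to abort the task;
    # if it merely logs, the script would carry on with a missing target.
    log_error "Target dir: \`$SNF_IMAGE_TARGET' is missing."
fi

target="$SNF_IMAGE_TARGET"

if [ "$SNF_IMAGE_PROPERTY_OSFAMILY" != "linux" ]; then
    cleanup
    trap - EXIT
    exit 0
fi

distro=$(get_base_distro "$SNF_IMAGE_TARGET")

HOST_KEY="/etc/ssh/ssh_host_key"
RSA_KEY="/etc/ssh/ssh_host_rsa_key"
DSA_KEY="/etc/ssh/ssh_host_dsa_key"
ECDSA_KEY="/etc/ssh/ssh_host_ecdsa_key"

# PATH handed to commands executed inside the image's chroot
CHROOT_PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"

#######################################
# Delete a private key and its .pub companion from the image.
# Globals:   target (read)
# Arguments: $1 - key path as seen from inside the image
#######################################
remove_key() {
    rm -f -- "$target/$1" "$target/$1.pub"
}

#######################################
# Create a fresh host key inside the image.  Note that the ssh-keygen
# binary executed here is the one shipped in the image, not the helper's.
# Globals:   target, CHROOT_PATH (read)
# Arguments: $1 - key path as seen from inside the image
#            $2 - key type passed to ssh-keygen -t
#######################################
regenerate_key() {
    chroot "$target" \
        env PATH="$CHROOT_PATH" \
        ssh-keygen -t "$2" -q -N '' -f "$1"
}

#######################################
# Check a HostKey value before it is joined to $target.  The value comes
# from the image's sshd_config, so an empty value or a ".." component must
# not be allowed to reach outside the mounted image.
# Arguments: $1 - HostKey value
# Returns:   0 if the path is acceptable, 1 otherwise
#######################################
safe_key_path() {
    case "$1" in
        ""|..|../*|*/..|*/../*) return 1 ;;
    esac
    return 0
}

# Remove the default keys
for pair in "$HOST_KEY@rsa1" "$RSA_KEY@rsa" "$DSA_KEY@dsa" "$ECDSA_KEY@ecdsa"; do
    key="${pair%@*}"
    key_type="${pair#*@}"
    if [ -e "$target/$key" ]; then
        remove_key "$key"
        if [ "x$distro" = "xdebian" ]; then
            regenerate_key "$key" "$key_type"
        fi
    fi
done

config="$target/etc/ssh/sshd_config"
if [ ! -e "$config" ]; then
    echo "Warning: Config file: \`$config' is missing."
    echo "Warning: Can't check for non-default keys."
    cleanup
    trap - EXIT
    exit 0
fi

# Remove non-default keys...
# sshd_config keywords are case-insensitive and may be indented.  The
# trailing blank in the pattern is required: a bare "^HostKey" also matches
# HostKeyAlgorithms & co., whose arguments would then be treated as paths.
grep -i '^[[:space:]]*HostKey[[:space:]]' "$config" | while read -r _ key _; do
    case "$key" in
        "$HOST_KEY"|"$RSA_KEY"|"$DSA_KEY"|"$ECDSA_KEY") continue ;;
    esac

    if ! safe_key_path "$key"; then
        echo "Warning: Ignoring suspicious HostKey path: \`$key'"
        continue
    fi

    if [ "x$distro" = "xdebian" ]; then
        # Most distros recreate missing keys...debian complains
        key_type=""
        if [ -e "$target/$key" ]; then
            # Identify the type from the header of the existing key file;
            # -q keeps the matched line off stdout.
            if grep -q -e "-----BEGIN DSA PRIVATE KEY-----" "$target/$key"; then
                key_type=dsa
            elif grep -q -e "-----BEGIN EC PRIVATE KEY-----" "$target/$key"; then
                key_type=ecdsa
            elif grep -q -e "-----BEGIN RSA PRIVATE KEY-----" "$target/$key"; then
                key_type=rsa
            elif grep -q -e "SSH PRIVATE KEY FILE FORMAT" "$target/$key"; then
                key_type=rsa1
            fi
        else # do some guessing from the file name...
            for i in rsa dsa ecdsa; do
                case "$key" in
                    *_${i}_*) key_type="$i"; break ;;
                esac
            done
        fi
        if [ -z "$key_type" ]; then
            echo "Warning: Unknown key type. I'll use \`rsa1'";
            key_type=rsa1
        fi

        remove_key "$key"
        regenerate_key "$key" "$key_type"
    else
        remove_key "$key"
    fi
done

cleanup
trap - EXIT

exit 0

# vim: set sta sts=4 shiftwidth=4 sw=4 et ai :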