Update ChangeLog and version for 0.13
1 #! /bin/bash
2
3 # Copyright (C) 2011 GRNET S.A. 
4 #
5 # This program is free software; you can redistribute it and/or modify
6 # it under the terms of the GNU General Public License as published by
7 # the Free Software Foundation; either version 2 of the License, or
8 # (at your option) any later version.
9 #
10 # This program is distributed in the hope that it will be useful, but
11 # WITHOUT ANY WARRANTY; without even the implied warranty of
12 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
13 # General Public License for more details.
14 #
15 # You should have received a copy of the GNU General Public License
16 # along with this program; if not, write to the Free Software
17 # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
18 # 02110-1301, USA.
19
20 ### BEGIN TASK INFO
21 # Provides:             DeleteSSHKeys
22 # RunBefore:            EnforcePersonality
23 # RunAfter:             MountImage
24 # Short-Description:    Remove ssh keys and in some cases recreate them
25 ### END TASK INFO
26
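set -e
. "@commondir@/common.sh"

trap task_cleanup EXIT
report_task_start

# Check if the task should be prevented from running.
check_if_excluded

# NOTE(review): log_error comes from common.sh (not visible here) and is
# assumed to terminate the task; if it only logs, the script would carry on
# with a missing target directory.
if [ ! -d "$SNF_IMAGE_TARGET" ]; then
    log_error "Target dir: \`$SNF_IMAGE_TARGET' is missing."
fi

# Windows images carry no OpenSSH host keys to scrub.
if [ "$SNF_IMAGE_PROPERTY_OSFAMILY" = "windows" ]; then
    exit 0
fi

distro=""
if [ "$SNF_IMAGE_PROPERTY_OSFAMILY" = "linux" ]; then
    distro=$(get_base_distro "$SNF_IMAGE_TARGET")
fi

# Well-known host key locations, as absolute paths inside the image.
HOST_KEY="/etc/ssh/ssh_host_key"
RSA_KEY="/etc/ssh/ssh_host_rsa_key"
DSA_KEY="/etc/ssh/ssh_host_dsa_key"
ECDSA_KEY="/etc/ssh/ssh_host_ecdsa_key"
ED25519_KEY="/etc/ssh/ssh_host_ed25519_key"

target="$SNF_IMAGE_TARGET"

# Debian does not recreate missing host keys at boot, so they are regenerated
# here by running ssh-keygen inside the image. That needs the helper's /proc
# and /dev (e.g. /dev/urandom) bind-mounted into the chroot.
if [ "x$distro" = "xdebian" ]; then
    mount -o bind /proc "$target/proc"
    add_cleanup umount "$target/proc"
    mount -o bind /dev "$target/dev"
    add_cleanup umount "$target/dev"
fi

# Delete the host key pair (private file and .pub) at image-relative path $1.
# ${target:?} aborts rather than touching the helper's own filesystem if the
# target directory variable is ever empty.
remove_key() {
    local key="$1"

    rm -f -- "${target:?}/$key" "${target:?}/$key.pub"
}

# Create a fresh host key of ssh-keygen type $2 at image-relative path $1 by
# running ssh-keygen inside the image chroot. stdin is detached so ssh-keygen
# can never block on a prompt or consume the caller's input (the HostKey loop
# below reads sshd_config on its stdin).
create_key() {
    local key="$1" key_type="$2"

    chroot "$target" \
        env PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin \
        ssh-keygen -t "$key_type" -q -N '' -f "$key" < /dev/null
}

# Set $detected_type to the ssh-keygen type of the host key at image-relative
# path $1: from the PEM header of an existing file first, then from the file
# name (ssh_host_<type>_key), and finally "rsa" as a last resort.
detect_key_type() {
    local key="$1" path="$target/$1" t

    detected_type=""
    if [ -f "$path" ]; then
        if grep -q -e "-----BEGIN DSA PRIVATE KEY-----" "$path"; then
            detected_type=dsa
        elif grep -q -e "-----BEGIN EC PRIVATE KEY-----" "$path"; then
            detected_type=ecdsa
        elif grep -q -e "-----BEGIN RSA PRIVATE KEY-----" "$path"; then
            detected_type=rsa
        elif grep -q -e "SSH PRIVATE KEY FILE FORMAT" "$path"; then
            detected_type=rsa1
        fi
        # A "-----BEGIN OPENSSH PRIVATE KEY-----" header does not reveal the
        # type; fall through to the name-based guess.
    fi

    if [ -z "$detected_type" ]; then
        for t in rsa dsa ecdsa ed25519; do
            if [[ "$key" == *_${t}_* ]]; then
                detected_type="$t"
                break
            fi
        done
    fi

    if [ -z "$detected_type" ]; then
        # Protocol-1 (rsa1) keys are obsolete and recent ssh-keygen refuses to
        # create them, which would abort this task under `set -e'; a plain RSA
        # key is accepted by sshd regardless of the file name.
        warn "Unknown key type for \`$key'. I'll use \`rsa'."
        detected_type=rsa
    fi
}

# Remove the default keys wherever present; on Debian recreate them so the
# image still boots with a usable (but now unique) sshd.
for pair in "$HOST_KEY@rsa1" "$RSA_KEY@rsa" "$DSA_KEY@dsa" \
            "$ECDSA_KEY@ecdsa" "$ED25519_KEY@ed25519"; do
    key=${pair%@*}
    key_type=${pair##*@}
    if [ -e "$target/$key" ]; then
        remove_key "$key"
        if [ "x$distro" = "xdebian" ]; then
            create_key "$key" "$key_type"
        fi
    fi
done

config="$target/etc/ssh/sshd_config"
if [ ! -e "$config" ]; then
    warn "Config file: \`$config' is missing."
    warn "Can't check for non-default keys."
    exit 0
fi

# Remove non-default keys named by HostKey directives in sshd_config.
# Per sshd_config(5) keywords are case-insensitive, may be indented, and are
# separated from their argument by whitespace or "="; requiring a separator
# right after "HostKey" keeps HostKeyAlgorithms/HostKeyAgent lines out (a
# bare "^HostKey" grep matched them). The config is part of the untrusted
# image, so the path is checked to stay under $target before anything is
# removed.
hostkey_re='^[[:space:]]*[Hh][Oo][Ss][Tt][Kk][Ee][Yy]([[:space:]]+|[[:space:]]*=[[:space:]]*)([^[:space:]]+)'
while IFS= read -r line || [ -n "$line" ]; do
    [[ "$line" =~ $hostkey_re ]] || continue
    key=${BASH_REMATCH[2]}

    if [[ "$key" != /* || "$key" == *"/../"* || "$key" == *"/.." ]]; then
        warn "Ignoring suspicious HostKey path: \`$key'"
        continue
    fi

    case "$key" in
        "$HOST_KEY"|"$RSA_KEY"|"$DSA_KEY"|"$ECDSA_KEY"|"$ED25519_KEY")
            continue ;; # default keys were handled above
    esac

    if [ "x$distro" = "xdebian" ]; then
        # Most distros recreate missing keys at boot; Debian complains, so
        # work out the type before the file is gone and recreate it.
        detect_key_type "$key"
        remove_key "$key"
        create_key "$key" "$detected_type"
    else
        remove_key "$key"
    fi
done < "$config"

exit 0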
127
128 # vim: set sta sts=4 shiftwidth=4 sw=4 et ai :