#! /bin/bash
+# Copyright (C) 2011 GRNET S.A.
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+# General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+# 02110-1301, USA.
+
### BEGIN TASK INFO
# Provides: DeleteSSHKeys
-# Requires: MountImage
-# Short-Description: Remove ssh keys if present.
-### END TAST INFO
+# RunBefore: EnforcePersonality
+# RunAfter: MountImage
+# Short-Description: Remove ssh keys and in some cases recreate them
+### END TASK INFO
set -e
-. @commondir@/common.sh
+. "@commondir@/common.sh"
+
+trap task_cleanup EXIT
+report_task_start
+
+# Check if the task should be prevented from running.
+check_if_excluded
if [ ! -d "$SNF_IMAGE_TARGET" ]; then
log_error "Target dir: \`$SNF_IMAGE_TARGET' is missing."
fi
-if [ "$SNF_IMAGE_TYPE" = "extdump" ]; then
- HOST_KEY="/etc/ssh/ssh_host_key"
- RSA_KEY="/etc/ssh/ssh_host_rsa_key"
- DSA_KEY="/etc/ssh/ssh_host_dsa_key"
+if [ "$SNF_IMAGE_PROPERTY_OSFAMILY" != "linux" ]; then
+ exit 0
+fi
+
+distro=$(get_base_distro "$SNF_IMAGE_TARGET")
+
+HOST_KEY="/etc/ssh/ssh_host_key"
+RSA_KEY="/etc/ssh/ssh_host_rsa_key"
+DSA_KEY="/etc/ssh/ssh_host_dsa_key"
+ECDSA_KEY="/etc/ssh/ssh_host_ecdsa_key"
+
+target="$SNF_IMAGE_TARGET"
- for key in $HOST_KEY $RSA_KEY $DSA_KEY ; do
- if [ -f "${SNF_IMAGE_TARGET}/${key}" ] ; then
- rm -f ${SNF_IMAGE_TARGET}/${key}*
+mount -o bind /proc "$target/proc"
+add_cleanup umount "$target/proc"
+mount -o bind /dev "$target/dev"
+add_cleanup umount "$target/dev"
+
+#Remove the default keys
+for pair in "$HOST_KEY@rsa1" "$RSA_KEY@rsa" "$DSA_KEY@dsa" "$ECDSA_KEY@ecdsa"; do
+ key=$(echo $pair | cut -d@ -f1)
+ key_type=$(echo $pair | cut -d@ -f2)
+ if [ -e "$target/$key" ]; then
+ rm -f "$target/$key"{,.pub}
+ if [ "x$distro" = "xdebian" ]; then
+ chroot "$target" \
+ env PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin \
+ ssh-keygen -t $key_type -q -N '' -f "$key"
fi
- done
+ fi
+done
+
+config="$target/etc/ssh/sshd_config"
+if [ ! -e "$config" ]; then
+ warn "Config file: \`$config' is missing."
+ warn "Can't check for non-default keys."
+ exit 0
fi
-cleanup
-trap - EXIT
+# Remove non-default keys...
+grep ^HostKey "$config" || true | while read key_line; do
+ key=$(echo $key_line | cut -d" " -f2)
+ if [ "$key" = $HOST_KEY -o "$key" = $RSA_KEY -o \
+ "$key" = $DSA_KEY -o "$key" = $ECDSA_KEY ]; then
+ continue;
+ fi
+
+ if [ "x$distro" = "xdebian" ]; then
+ # Most distros recreate missing keys...debian complains
+ type=""
+ if [ -e "$target/$key" ]; then
+ if grep -e "-----BEGIN DSA PRIVATE KEY-----" "$target/$key"; then
+ type=dsa
+ elif grep -e "-----BEGIN EC PRIVATE KEY-----" "$target/$key"; then
+ type=ecdsa
+ elif grep -e "-----BEGIN RSA PRIVATE KEY-----" "$target/$key"; then
+ type=rsa
+ elif grep -e "SSH PRIVATE KEY FILE FORMAT" "$target/$key"; then
+ type=rsa1
+ fi
+ else # do some guessing...
+ for i in rsa dsa ecdsa; do
+ if echo "$key" | grep _${i}_ > /dev/null; then
+ type="$i";
+ break;
+ fi
+ done
+ fi
+ if [ -z "$type" ]; then
+ echo "Warning: Unknown key type. I'll use \`rsa1'";
+ type=rsa1
+ fi
+
+ rm -f "$target/$key"{,.pub}
+ chroot "$target" \
+ env PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin \
+ ssh-keygen -t $type -q -N '' -f "$key"
+ else
+ rm -f "$target/$key"{,.pub}
+ fi
+done
exit 0