root / snf-image-helper / tasks / 40DeleteSSHKeys.in @ 922c1513
History | View | Annotate | Download (3.9 kB)
| 1 |
#! /bin/bash |
|---|---|
| 2 |
|
| 3 |
# Copyright (C) 2011 GRNET S.A. |
| 4 |
# |
| 5 |
# This program is free software; you can redistribute it and/or modify |
| 6 |
# it under the terms of the GNU General Public License as published by |
| 7 |
# the Free Software Foundation; either version 2 of the License, or |
| 8 |
# (at your option) any later version. |
| 9 |
# |
| 10 |
# This program is distributed in the hope that it will be useful, but |
| 11 |
# WITHOUT ANY WARRANTY; without even the implied warranty of |
| 12 |
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU |
| 13 |
# General Public License for more details. |
| 14 |
# |
| 15 |
# You should have received a copy of the GNU General Public License |
| 16 |
# along with this program; if not, write to the Free Software |
| 17 |
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA |
| 18 |
# 02110-1301, USA. |
| 19 |
|
| 20 |
### BEGIN TASK INFO |
| 21 |
# Provides: DeleteSSHKeys |
| 22 |
# RunBefore: EnforcePersonality |
| 23 |
# RunAfter: MountImage |
| 24 |
# Short-Description: Remove ssh keys and in some cases recreate them |
| 25 |
### END TASK INFO |
| 26 |
|
| 27 |
set -e |
| 28 |
. "@commondir@/common.sh" |
| 29 |
|
| 30 |
trap task_cleanup EXIT |
| 31 |
report_task_start |
| 32 |
|
| 33 |
# Check if the task should be prevented from running. |
| 34 |
check_if_excluded |
| 35 |
|
| 36 |
if [ ! -d "$SNF_IMAGE_TARGET" ]; then |
| 37 |
log_error "Target dir: \`$SNF_IMAGE_TARGET' is missing." |
| 38 |
fi |
| 39 |
|
| 40 |
if [ "$SNF_IMAGE_PROPERTY_OSFAMILY" = "windows" ]; then |
| 41 |
exit 0 |
| 42 |
fi |
| 43 |
|
| 44 |
if [ "$SNF_IMAGE_PROPERTY_OSFAMILY" = "linux" ]; then |
| 45 |
distro=$(get_base_distro "$SNF_IMAGE_TARGET") |
| 46 |
fi |
| 47 |
|
| 48 |
HOST_KEY="/etc/ssh/ssh_host_key" |
| 49 |
RSA_KEY="/etc/ssh/ssh_host_rsa_key" |
| 50 |
DSA_KEY="/etc/ssh/ssh_host_dsa_key" |
| 51 |
ECDSA_KEY="/etc/ssh/ssh_host_ecdsa_key" |
| 52 |
|
| 53 |
target="$SNF_IMAGE_TARGET" |
| 54 |
|
| 55 |
if [ "x$distro" = "xdebian" ]; then |
| 56 |
mount -o bind /proc "$target/proc" |
| 57 |
add_cleanup umount "$target/proc" |
| 58 |
mount -o bind /dev "$target/dev" |
| 59 |
add_cleanup umount "$target/dev" |
| 60 |
fi |
| 61 |
|
| 62 |
#Remove the default keys |
| 63 |
for pair in "$HOST_KEY@rsa1" "$RSA_KEY@rsa" "$DSA_KEY@dsa" "$ECDSA_KEY@ecdsa"; do |
| 64 |
key=$(echo $pair | cut -d@ -f1) |
| 65 |
key_type=$(echo $pair | cut -d@ -f2) |
| 66 |
if [ -e "$target/$key" ]; then |
| 67 |
rm -f "$target/$key"{,.pub}
|
| 68 |
if [ "x$distro" = "xdebian" ]; then |
| 69 |
chroot "$target" \ |
| 70 |
env PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin \ |
| 71 |
ssh-keygen -t $key_type -q -N '' -f "$key" |
| 72 |
fi |
| 73 |
fi |
| 74 |
done |
| 75 |
|
| 76 |
config="$target/etc/ssh/sshd_config" |
| 77 |
if [ ! -e "$config" ]; then |
| 78 |
warn "Config file: \`$config' is missing." |
| 79 |
warn "Can't check for non-default keys." |
| 80 |
exit 0 |
| 81 |
fi |
| 82 |
|
| 83 |
# Remove non-default keys... |
| 84 |
{ grep ^HostKey "$config" || true; } | while read key_line; do
|
| 85 |
key=$(echo $key_line | cut -d" " -f2) |
| 86 |
if [ "$key" = $HOST_KEY -o "$key" = $RSA_KEY -o \ |
| 87 |
"$key" = $DSA_KEY -o "$key" = $ECDSA_KEY ]; then |
| 88 |
continue |
| 89 |
fi |
| 90 |
|
| 91 |
if [ "x$distro" = "xdebian" ]; then |
| 92 |
# Most distros recreate missing keys...debian complains |
| 93 |
type="" |
| 94 |
if [ -e "$target/$key" ]; then |
| 95 |
if grep -e "-----BEGIN DSA PRIVATE KEY-----" "$target/$key" > /dev/null; then |
| 96 |
type=dsa |
| 97 |
elif grep -e "-----BEGIN EC PRIVATE KEY-----" "$target/$key" > /dev/null; then |
| 98 |
type=ecdsa |
| 99 |
elif grep -e "-----BEGIN RSA PRIVATE KEY-----" "$target/$key" > /dev/null; then |
| 100 |
type=rsa |
| 101 |
elif grep -e "SSH PRIVATE KEY FILE FORMAT" "$target/$key" > /dev/null; then |
| 102 |
type=rsa1 |
| 103 |
fi |
| 104 |
else # do some guessing... |
| 105 |
for i in rsa dsa ecdsa; do |
| 106 |
if echo "$key" | grep _${i}_ > /dev/null; then
|
| 107 |
type="$i"; |
| 108 |
break; |
| 109 |
fi |
| 110 |
done |
| 111 |
fi |
| 112 |
if [ -z "$type" ]; then |
| 113 |
echo "Warning: Unknown key type. I'll use \`rsa1'"; |
| 114 |
type=rsa1 |
| 115 |
fi |
| 116 |
|
| 117 |
rm -f "$target/$key"{,.pub}
|
| 118 |
chroot "$target" \ |
| 119 |
env PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin \ |
| 120 |
ssh-keygen -t $type -q -N '' -f "$key" |
| 121 |
else |
| 122 |
rm -f "$target/$key"{,.pub}
|
| 123 |
fi |
| 124 |
done |
| 125 |
|
| 126 |
exit 0 |
| 127 |
|
| 128 |
# vim: set sta sts=4 shiftwidth=4 sw=4 et ai : |