Synnefo » snf-image

#! /bin/bash

# Copyright (C) 2011 GRNET S.A. 

#

# This program is free software; you can redistribute it and/or modify

# it under the terms of the GNU General Public License as published by

# the Free Software Foundation; either version 2 of the License, or

# (at your option) any later version.

#

# This program is distributed in the hope that it will be useful, but

# WITHOUT ANY WARRANTY; without even the implied warranty of

# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU

# General Public License for more details.

#

# You should have received a copy of the GNU General Public License

# along with this program; if not, write to the Free Software

# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA

# 02110-1301, USA.

### BEGIN TASK INFO

# Provides:		DeleteSSHKeys

# RunBefore:            UmountImage

# RunAfter:             MountImage

# Short-Description:	Remove ssh keys and in some cases recreate them

### END TASK INFO

set -e

. "@commondir@/common.sh"

trap task_cleanup EXIT

report_task_start

# Check if the task should be prevented from running.

check_if_excluded

if [ ! -d "$SNF_IMAGE_TARGET" ]; then

    log_error "Target dir: \`$SNF_IMAGE_TARGET' is missing."

fi

if [ "$SNF_IMAGE_PROPERTY_OSFAMILY" != "linux" ]; then

    exit 0

fi

distro=$(get_base_distro "$SNF_IMAGE_TARGET")

HOST_KEY="/etc/ssh/ssh_host_key"

RSA_KEY="/etc/ssh/ssh_host_rsa_key"

DSA_KEY="/etc/ssh/ssh_host_dsa_key"

ECDSA_KEY="/etc/ssh/ssh_host_ecdsa_key"

target="$SNF_IMAGE_TARGET"

#Remove the default keys

for pair in "$HOST_KEY@rsa1" "$RSA_KEY@rsa" "$DSA_KEY@dsa" "$ECDSA_KEY@ecdsa"; do

    key=$(echo $pair | cut -d@ -f1)

    key_type=$(echo $pair | cut -d@ -f2)

    if [ -e "$target/$key" ]; then

        rm -f "$target/$key"{,.pub}

        if [ "x$distro" = "xdebian" ]; then

            chroot "$target" \

                env PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin \

                ssh-keygen -t $key_type -q -N '' -f "$key"

        fi

    fi

done

config="$target/etc/ssh/sshd_config"

if [ ! -e "$config" ]; then

    warn "Config file: \`$config' is missing."

    warn "Can't check for non-default keys."

    exit 0

fi

# Remove non-default keys...

grep ^HostKey "$config" || true | while read key_line; do

    key=$(echo $key_line | cut -d" " -f2)

    if [ "$key" = $HOST_KEY -o "$key" = $RSA_KEY -o \

            "$key" = $DSA_KEY -o "$key" = $ECDSA_KEY ]; then

        continue;

    fi

    if [ "x$distro" = "xdebian" ]; then

        # Most distros recreate missing keys...debian complains

        type=""

        if [ -e "$target/$key" ]; then

            if grep -e "-----BEGIN DSA PRIVATE KEY-----" "$target/$key"; then

                type=dsa

            elif grep -e "-----BEGIN EC PRIVATE KEY-----" "$target/$key"; then

                type=ecdsa

            elif grep -e "-----BEGIN RSA PRIVATE KEY-----" "$target/$key"; then

                type=rsa

            elif grep -e "SSH PRIVATE KEY FILE FORMAT" "$target/$key"; then

                type=rsa1

            fi

        else # do some guessing...

            for i in rsa dsa ecdsa; do

                if echo "$key" | grep _${i}_ > /dev/null; then

                    type="$i";

                    break;

                fi

            done

        fi

        if [ -z "$type" ]; then

            echo "Warning: Unknown key type. I'll use \`rsa1'";

            type=rsa1

        fi

        rm -f "$target/$key"{,.pub}

        chroot "$target" \

            env PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin \

            ssh-keygen -t $type -q -N '' -f "$key"

    else

        rm -f "$target/$key"{,.pub}

    fi

done

exit 0

# vim: set sta sts=4 shiftwidth=4 sw=4 et ai :