From 6bd7341a38a8bb5387ea81dbccfed327370569f3 Mon Sep 17 00:00:00 2001 From: Andre McCurdy Date: Mon, 6 Mar 2017 17:42:25 -0800 Subject: dropbear: drop support for DSA host keys in dropbear init script Bring the dropbear init script into sync with the systemd service file (dropbearkey.service supports RSA host keys only) and with recent versions of openssh which deprecate DSA host keys. https://www.gentoo.org/support/news-items/2015-08-13-openssh-weak-keys.html Signed-off-by: Andre McCurdy Signed-off-by: Ross Burton --- meta/recipes-core/dropbear/dropbear/init | 36 ++++++-------------------------- 1 file changed, 6 insertions(+), 30 deletions(-) (limited to 'meta/recipes-core/dropbear') diff --git a/meta/recipes-core/dropbear/dropbear/init b/meta/recipes-core/dropbear/dropbear/init index 434bd6b971..f6e1c462fa 100755 --- a/meta/recipes-core/dropbear/dropbear/init +++ b/meta/recipes-core/dropbear/dropbear/init @@ -40,49 +40,28 @@ done if [ $readonly_rootfs = "1" ]; then mkdir -p /var/lib/dropbear DROPBEAR_RSAKEY_DEFAULT="/var/lib/dropbear/dropbear_rsa_host_key" - DROPBEAR_DSSKEY_DEFAULT="/var/lib/dropbear/dropbear_dss_host_key" else DROPBEAR_RSAKEY_DEFAULT="/etc/dropbear/dropbear_rsa_host_key" - DROPBEAR_DSSKEY_DEFAULT="/etc/dropbear/dropbear_dss_host_key" fi test -z "$DROPBEAR_BANNER" || \ DROPBEAR_EXTRA_ARGS="$DROPBEAR_EXTRA_ARGS -b $DROPBEAR_BANNER" test -n "$DROPBEAR_RSAKEY" || \ DROPBEAR_RSAKEY=$DROPBEAR_RSAKEY_DEFAULT -test -n "$DROPBEAR_DSSKEY" || \ - DROPBEAR_DSSKEY=$DROPBEAR_DSSKEY_DEFAULT -test -n "$DROPBEAR_KEYTYPES" || \ - DROPBEAR_KEYTYPES="rsa" gen_keys() { -for t in $DROPBEAR_KEYTYPES; do - case $t in - rsa) - if [ -f "$DROPBEAR_RSAKEY" -a ! -s "$DROPBEAR_RSAKEY" ]; then - rm $DROPBEAR_RSAKEY || true - fi - test -f $DROPBEAR_RSAKEY || dropbearkey -t rsa -f $DROPBEAR_RSAKEY $DROPBEAR_RSAKEY_ARGS - ;; - dsa) - if [ -f "$DROPBEAR_DSSKEY" -a ! -s "$DROPBEAR_DSSKEY" ]; then - rm $DROPBEAR_DSSKEY || true - fi - test -f $DROPBEAR_DSSKEY || dropbearkey -t dss -f $DROPBEAR_DSSKEY $DROPBEAR_DSSKEY_ARGS - ;; - esac -done + if [ -f "$DROPBEAR_RSAKEY" -a ! -s "$DROPBEAR_RSAKEY" ]; then + rm $DROPBEAR_RSAKEY || true + fi + test -f $DROPBEAR_RSAKEY || dropbearkey -t rsa -f $DROPBEAR_RSAKEY $DROPBEAR_RSAKEY_ARGS } case "$1" in start) echo -n "Starting $DESC: " gen_keys - KEY_ARGS="" - test -f $DROPBEAR_DSSKEY && KEY_ARGS="$KEY_ARGS -d $DROPBEAR_DSSKEY" - test -f $DROPBEAR_RSAKEY && KEY_ARGS="$KEY_ARGS -r $DROPBEAR_RSAKEY" start-stop-daemon -S -p $PIDFILE \ - -x "$DAEMON" -- $KEY_ARGS \ + -x "$DAEMON" -- -r $DROPBEAR_RSAKEY \ -p "$DROPBEAR_PORT" $DROPBEAR_EXTRA_ARGS echo "$NAME." ;; @@ -95,11 +74,8 @@ case "$1" in echo -n "Restarting $DESC: " start-stop-daemon -K -x "$DAEMON" -p $PIDFILE sleep 1 - KEY_ARGS="" - test -f $DROPBEAR_DSSKEY && KEY_ARGS="$KEY_ARGS -d $DROPBEAR_DSSKEY" - test -f $DROPBEAR_RSAKEY && KEY_ARGS="$KEY_ARGS -r $DROPBEAR_RSAKEY" start-stop-daemon -S -p $PIDFILE \ - -x "$DAEMON" -- $KEY_ARGS \ + -x "$DAEMON" -- -r $DROPBEAR_RSAKEY \ -p "$DROPBEAR_PORT" $DROPBEAR_EXTRA_ARGS echo "$NAME." ;; -- cgit 1.2.3-korg