On Wed, Dec 2, 2015 at 7:24 PM, Josh Datko <[email protected]> wrote:
> I just saw this:
> http://www.theregister.co.uk/2015/12/02/raspberry_pi_weak_ssh_keys/
>
> I think that /dev/hwrng support has been in the image for a while now,
> but I'm a bit out of touch with where the latest code is.
>
> Can somebody either verify the BeagleBone's code is correct (for ssh
> host key creation) or point me to the repo and I'll take a look?
So going back to our old 3.8 kernel:
CONFIG_HW_RANDOM_OMAP=m
With the way we create images, the first ssh key (the initial
debootstrap ssh key) is removed:
    if [ -d "${tempdir}/etc/ssh/" -a "x${keep_ssh_keys}" = "x" ] ; then
        #Remove pre-generated ssh keys, these will be regenerated on first bootup...
        sudo rm -rf "${tempdir}"/etc/ssh/ssh_host_* || true
        sudo touch "${tempdir}/etc/ssh/ssh.regenerate" || true
    fi
https://github.com/RobertCNelson/omap-image-builder/blob/master/scripts/chroot.sh#L1146-L1151
Then the init script will generate a new key on bootup:
    #Regenerate ssh host keys
    if [ -f /etc/ssh/ssh.regenerate ] ; then
        rm -rf /etc/ssh/ssh_host_* || true
        dpkg-reconfigure openssh-server
        sync
        if [ -s /etc/ssh/ssh_host_ecdsa_key.pub ] ; then
            rm -f /etc/ssh/ssh.regenerate || true
            sync
        fi
        if [ -f /etc/init.d/ssh ] ; then
            /etc/init.d/ssh restart
        fi
    fi
https://github.com/RobertCNelson/omap-image-builder/blob/master/target/init_scripts/generic-debian.sh#L41-L53
and the flasher makes sure the eMMC will have different keys than
your boot microSD:
    if [ -d /tmp/rootfs/etc/ssh/ ] ; then
        #ssh keys will now get regenerated on the next bootup
        touch /tmp/rootfs/etc/ssh/ssh.regenerate
        flush_cache
    fi
https://github.com/RobertCNelson/boot-scripts/blob/master/tools/eMMC/init-eMMC-flasher-v3.sh#L367-L371
Now... if we had a battery-backed RTC, it would be better.. But I
think we are in pretty good shape..
So ignoring the root login over 22 with no password... or
nodejs/bonescript/etc.. At least the key is safe. ;)
Regards,
--
Robert Nelson
https://rcn-ee.com/
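An added sanity check for the first-boot regeneration scheme described in this thread (example code, not from the thread or from omap-image-builder). It assumes POSIX sh with sha256sum, and takes mounted rootfs directories as arguments: the first function confirms the ssh.regenerate marker was consumed and real host keys exist; the second confirms two rootfs copies (e.g. eMMC and microSD) do not share a host key.

```shell
#!/bin/sh
# Added example: verify that first-boot host-key regeneration actually happened
# and that two images (eMMC vs microSD) ended up with distinct host keys.
# Assumption: rootfs directories are passed as arguments and sha256sum exists.

# hostkeys_regenerated ROOTFS
# Returns 0 when the marker is gone and every ssh_host_*_key.pub is non-empty.
hostkeys_regenerated() {
    rootfs=$1
    # Marker still present means dpkg-reconfigure never completed on first boot.
    [ ! -f "$rootfs/etc/ssh/ssh.regenerate" ] || return 1
    found=0
    for pub in "$rootfs"/etc/ssh/ssh_host_*_key.pub; do
        # An unmatched glob leaves the literal pattern, which fails -s as intended.
        [ -s "$pub" ] || return 1
        found=1
    done
    [ "$found" -eq 1 ]
}

# hostkeys_differ ROOTFS_A ROOTFS_B
# Returns 0 when no public key in A is byte-identical to its counterpart in B;
# prints each shared key (a sign the image key was cloned, not regenerated).
hostkeys_differ() {
    a=$1; b=$2; dup=0
    for pub in "$a"/etc/ssh/ssh_host_*_key.pub; do
        name=$(basename "$pub")
        [ -f "$b/etc/ssh/$name" ] || continue
        ha=$(sha256sum < "$pub" | cut -d' ' -f1)
        hb=$(sha256sum < "$b/etc/ssh/$name" | cut -d' ' -f1)
        if [ "$ha" = "$hb" ]; then
            echo "shared host key: $name ($ha)"
            dup=1
        fi
    done
    [ "$dup" -eq 0 ]
}
```

Run it against a mounted eMMC rootfs and the microSD rootfs after the first boot of each; a shared key means the flasher's ssh.regenerate step did not take effect.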