Module Name:    src
Committed By:   martin
Date:           Sun Sep 26 10:53:20 UTC 2021

Modified Files:
        src/etc/rc.d: sshd

Log Message:
If key generation happens with not enough entropy in the system, add
a warning to motd pointing at entropy(7) and give instructions on how to
re-generate the (weak) keys after fixing up entropy.

Add a "keyregen" command, which forces regeneration of all host keys
to simplify the replacement of weak keys.


To generate a diff of this commit:
cvs rdiff -u -r1.30 -r1.31 src/etc/rc.d/sshd

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/etc/rc.d/sshd
diff -u src/etc/rc.d/sshd:1.30 src/etc/rc.d/sshd:1.31
--- src/etc/rc.d/sshd:1.30	Wed Oct 23 14:45:38 2019
+++ src/etc/rc.d/sshd	Sun Sep 26 10:53:20 2021
@@ -1,6 +1,6 @@
 #!/bin/sh
 #
-# $NetBSD: sshd,v 1.30 2019/10/23 14:45:38 christos Exp $
+# $NetBSD: sshd,v 1.31 2021/09/26 10:53:20 martin Exp $
 #
 
 # PROVIDE: sshd
@@ -13,7 +13,32 @@ rcvar=$name
 command="/usr/sbin/${name}"
 pidfile="/var/run/${name}.pid"
 required_files="/etc/ssh/sshd_config"
-extra_commands="keygen reload"
+extra_commands="keygen keyregen reload"
+
+sshd_motd_unsafe_keys_warning()
+{
+(
+	umask 022
+	T=/etc/_motd
+	sed -E '/^-- UNSAFE KEYS WARNING:/,$d' < /etc/motd > $T
+	if [ $( sysctl -n kern.entropy.needed ) -ne 0 ]; then
+		cat >> $T << _EOF
+-- UNSAFE KEYS WARNING:
+
+	The ssh host keys on this machine have been generated with
+	not enough entropy configured, so may be predictable.
+
+	To fix, follow the "Adding entropy" section in the entropy(7)
+	man page and after this machine has enough entropy, re-generate
+	the ssh host keys by running:
+
+		sh /etc/rc.d/sshd keyregen
+_EOF
+	fi
+	cmp -s $T /etc/motd || cp $T /etc/motd
+	rm -f $T
+)
+}
 
 sshd_keygen()
 {
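Review bot: sshd_motd_unsafe_keys_warning samples kern.entropy.needed only when it runs, i.e. after sshd_keygen's whole generation loop has completed (the call is added at the end of sshd_keygen in a later hunk), so a key generated while the pool was still short, with entropy arriving during generation, would be left unflagged; capturing `needed=$(sysctl -n kern.entropy.needed)` before the `while read` loop in sshd_keygen and passing it as `sshd_motd_unsafe_keys_warning "$needed"` (testing `"$1"` instead of re-running sysctl) ties the warning to the state the keys were actually generated under. The `$T` expansions should be quoted, and the sed/cat/cmp/cp sequence has no status checks, so an absent or unreadable /etc/motd makes the input redirect fail and the warning is silently never written; `[ -f /etc/motd ] || : > /etc/motd` before the sed would cover that. The sed range also deletes everything from the marker to end of file, so administrator text appended after an earlier warning is dropped; a header comment stating `# Everything from the "-- UNSAFE KEYS WARNING:" line to EOF is owned by this script and rewritten` would make that contract explicit.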
@@ -22,9 +47,10 @@ sshd_keygen()
 	umask 022
 	while read type bits filename;  do
 		f="/etc/ssh/$filename"
-		if [ -f "$f" ]; then
+		if [ "$1" != "force" ] && [ -f "$f" ]; then
 			continue
 		fi
+		rm -f "$f"
 		case "${bits}" in
 		-1)	bitarg=;;
 		0)	bitarg="${ssh_keygen_flags}";;
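Review bot: `rm -f "$f"` on the line after the force check deletes the existing private key before its replacement has been generated, so if ssh-keygen is missing or fails partway through the loop the host is left without that key while a stale `$f.pub` remains; the ssh-keygen invocation and the rest of the loop body continue past this hunk. Safer to generate into a temporary name and rename both files over the old pair only on a zero exit status from ssh-keygen, or at minimum check that status before continuing. A short comment would also help the next reader, since `"$1"` is sshd_keygen's argument inherited into the subshell: `# "$1" = force (from keyregen): regenerate even when the key exists`.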
@@ -39,6 +65,7 @@ ed25519	-1	ssh_host_ed25519_key
 rsa	0	ssh_host_rsa_key
 _EOF
 )
+	sshd_motd_unsafe_keys_warning
 }
 
 sshd_precmd()
@@ -47,6 +74,7 @@ sshd_precmd()
 }
 
 keygen_cmd=sshd_keygen
+keyregen_cmd="sshd_keygen force"
 start_precmd=sshd_precmd
 
 load_rc_config $name
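Review bot: keyregen regenerates every host key but does not signal the running sshd, which loads host keys at startup, so until a reload or restart the daemon keeps serving the old (possibly weak) keys even though the motd warning disappears; the motd text in the earlier hunk should mention the restart, or the keyregen path could end with a reload when the pidfile is present. The force path also does not check kern.entropy.needed before regenerating, so running it before the entropy fix replaces weak keys with equally weak ones and only the rewritten motd reports it; a terminal warning in the force branch, e.g. `[ "$(sysctl -n kern.entropy.needed)" -eq 0 ] || warn "kern.entropy.needed is non-zero; regenerated keys may still be predictable"`, would surface that immediately (assuming rc.subr's warn is in scope here, as it appears to be for other rc.d scripts). Since all keys change, clients will see host-key mismatches; a note in the motd instructions about that is worth adding.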
