forked from rpms/openssh
Make sshd-keygen comply with packaging guidelines (#1325535)
This commit is contained in:
parent
3d2c14680b
commit
00c7b75439
10
openssh.spec
10
openssh.spec
@ -87,7 +87,7 @@ Source7: sshd.sysconfig
|
|||||||
Source9: sshd@.service
|
Source9: sshd@.service
|
||||||
Source10: sshd.socket
|
Source10: sshd.socket
|
||||||
Source11: sshd.service
|
Source11: sshd.service
|
||||||
Source12: sshd-keygen.service
|
Source12: sshd-keygen@.service
|
||||||
Source13: sshd-keygen
|
Source13: sshd-keygen
|
||||||
Source14: sshd.tmpfiles
|
Source14: sshd.tmpfiles
|
||||||
|
|
||||||
@ -645,12 +645,12 @@ install -d $RPM_BUILD_ROOT%{_libdir}/fipscheck
|
|||||||
install -m644 %{SOURCE2} $RPM_BUILD_ROOT/etc/pam.d/sshd
|
install -m644 %{SOURCE2} $RPM_BUILD_ROOT/etc/pam.d/sshd
|
||||||
install -m644 %{SOURCE6} $RPM_BUILD_ROOT/etc/pam.d/ssh-keycat
|
install -m644 %{SOURCE6} $RPM_BUILD_ROOT/etc/pam.d/ssh-keycat
|
||||||
install -m644 %{SOURCE7} $RPM_BUILD_ROOT/etc/sysconfig/sshd
|
install -m644 %{SOURCE7} $RPM_BUILD_ROOT/etc/sysconfig/sshd
|
||||||
install -m755 %{SOURCE13} $RPM_BUILD_ROOT/%{_sbindir}/sshd-keygen
|
|
||||||
install -d -m755 $RPM_BUILD_ROOT/%{_unitdir}
|
install -d -m755 $RPM_BUILD_ROOT/%{_unitdir}
|
||||||
install -m644 %{SOURCE9} $RPM_BUILD_ROOT/%{_unitdir}/sshd@.service
|
install -m644 %{SOURCE9} $RPM_BUILD_ROOT/%{_unitdir}/sshd@.service
|
||||||
install -m644 %{SOURCE10} $RPM_BUILD_ROOT/%{_unitdir}/sshd.socket
|
install -m644 %{SOURCE10} $RPM_BUILD_ROOT/%{_unitdir}/sshd.socket
|
||||||
install -m644 %{SOURCE11} $RPM_BUILD_ROOT/%{_unitdir}/sshd.service
|
install -m644 %{SOURCE11} $RPM_BUILD_ROOT/%{_unitdir}/sshd.service
|
||||||
install -m644 %{SOURCE12} $RPM_BUILD_ROOT/%{_unitdir}/sshd-keygen.service
|
install -m644 %{SOURCE12} $RPM_BUILD_ROOT/%{_unitdir}/sshd-keygen@.service
|
||||||
|
install -m744 %{SOURCE13} $RPM_BUILD_ROOT/%{_libexecdir}/openssh/sshd-keygen
|
||||||
install -m755 contrib/ssh-copy-id $RPM_BUILD_ROOT%{_bindir}/
|
install -m755 contrib/ssh-copy-id $RPM_BUILD_ROOT%{_bindir}/
|
||||||
install contrib/ssh-copy-id.1 $RPM_BUILD_ROOT%{_mandir}/man1/
|
install contrib/ssh-copy-id.1 $RPM_BUILD_ROOT%{_mandir}/man1/
|
||||||
install -m644 -D %{SOURCE14} $RPM_BUILD_ROOT%{_tmpfilesdir}/%{name}.conf
|
install -m644 -D %{SOURCE14} $RPM_BUILD_ROOT%{_tmpfilesdir}/%{name}.conf
|
||||||
@ -757,9 +757,9 @@ getent passwd sshd >/dev/null || \
|
|||||||
%files server
|
%files server
|
||||||
%dir %attr(0711,root,root) %{_var}/empty/sshd
|
%dir %attr(0711,root,root) %{_var}/empty/sshd
|
||||||
%attr(0755,root,root) %{_sbindir}/sshd
|
%attr(0755,root,root) %{_sbindir}/sshd
|
||||||
%attr(0755,root,root) %{_sbindir}/sshd-keygen
|
|
||||||
%attr(0644,root,root) %{_libdir}/fipscheck/sshd.hmac
|
%attr(0644,root,root) %{_libdir}/fipscheck/sshd.hmac
|
||||||
%attr(0755,root,root) %{_libexecdir}/openssh/sftp-server
|
%attr(0755,root,root) %{_libexecdir}/openssh/sftp-server
|
||||||
|
%attr(0755,root,root) %{_libexecdir}/openssh/sshd-keygen
|
||||||
%attr(0644,root,root) %{_mandir}/man5/sshd_config.5*
|
%attr(0644,root,root) %{_mandir}/man5/sshd_config.5*
|
||||||
%attr(0644,root,root) %{_mandir}/man5/moduli.5*
|
%attr(0644,root,root) %{_mandir}/man5/moduli.5*
|
||||||
%attr(0644,root,root) %{_mandir}/man8/sshd.8*
|
%attr(0644,root,root) %{_mandir}/man8/sshd.8*
|
||||||
@ -770,7 +770,7 @@ getent passwd sshd >/dev/null || \
|
|||||||
%attr(0644,root,root) %{_unitdir}/sshd.service
|
%attr(0644,root,root) %{_unitdir}/sshd.service
|
||||||
%attr(0644,root,root) %{_unitdir}/sshd@.service
|
%attr(0644,root,root) %{_unitdir}/sshd@.service
|
||||||
%attr(0644,root,root) %{_unitdir}/sshd.socket
|
%attr(0644,root,root) %{_unitdir}/sshd.socket
|
||||||
%attr(0644,root,root) %{_unitdir}/sshd-keygen.service
|
%attr(0644,root,root) %{_unitdir}/sshd-keygen@.service
|
||||||
%attr(0644,root,root) %{_tmpfilesdir}/openssh.conf
|
%attr(0644,root,root) %{_tmpfilesdir}/openssh.conf
|
||||||
%endif
|
%endif
|
||||||
|
|
||||||
|
198
sshd-keygen
198
sshd-keygen
@ -1,168 +1,40 @@
|
|||||||
#!/bin/bash
|
#!/bin/bash
|
||||||
|
|
||||||
# Create the host keys for the OpenSSH server.
|
# Create the host keys for the OpenSSH server.
|
||||||
#
|
KEYTYPE=$1
|
||||||
# The creation is controlled by the $AUTOCREATE_SERVER_KEYS environment
|
case $KEYTYPE in
|
||||||
# variable.
|
"dsa") ;& # disabled in FIPS
|
||||||
AUTOCREATE_SERVER_KEYS="RSA ECDSA ED25519"
|
"ed25519")
|
||||||
|
FIPS=/proc/sys/crypto/fips_enabled
|
||||||
if [ -f /etc/rc.d/init.d/functions ]; then
|
if [[ -r "$FIPS" && $(cat $FIPS) == "1" ]]; then
|
||||||
# source function library
|
exit 0
|
||||||
. /etc/rc.d/init.d/functions
|
fi ;;
|
||||||
else
|
"rsa") ;; # always ok
|
||||||
# minimal implimantation of success and failure function
|
"ecdsa") ;;
|
||||||
success()
|
*) # wrong argument
|
||||||
{
|
exit 12 ;;
|
||||||
echo -en $"[ OK ]\r"
|
|
||||||
return 0
|
|
||||||
}
|
|
||||||
failure()
|
|
||||||
{
|
|
||||||
echo -en $"[FAILED]\r"
|
|
||||||
return 1
|
|
||||||
}
|
|
||||||
fi
|
|
||||||
|
|
||||||
# Some functions to make the below more readable
|
|
||||||
KEYGEN=/usr/bin/ssh-keygen
|
|
||||||
RSA1_KEY=/etc/ssh/ssh_host_key
|
|
||||||
RSA_KEY=/etc/ssh/ssh_host_rsa_key
|
|
||||||
DSA_KEY=/etc/ssh/ssh_host_dsa_key
|
|
||||||
ECDSA_KEY=/etc/ssh/ssh_host_ecdsa_key
|
|
||||||
ED25519_KEY=/etc/ssh/ssh_host_ed25519_key
|
|
||||||
|
|
||||||
# pull in sysconfig settings
|
|
||||||
[ -f /etc/sysconfig/sshd ] && . /etc/sysconfig/sshd
|
|
||||||
|
|
||||||
fips_enabled() {
|
|
||||||
if [ -r /proc/sys/crypto/fips_enabled ]; then
|
|
||||||
cat /proc/sys/crypto/fips_enabled
|
|
||||||
else
|
|
||||||
echo 0
|
|
||||||
fi
|
|
||||||
}
|
|
||||||
|
|
||||||
do_rsa1_keygen() {
|
|
||||||
if [ ! -s $RSA1_KEY -a `fips_enabled` -eq 0 ]; then
|
|
||||||
echo -n $"Generating SSH1 RSA host key: "
|
|
||||||
rm -f $RSA1_KEY
|
|
||||||
if test ! -f $RSA1_KEY && $KEYGEN -q -t rsa1 -f $RSA1_KEY -C '' -N '' >&/dev/null; then
|
|
||||||
chgrp ssh_keys $RSA1_KEY
|
|
||||||
chmod 640 $RSA1_KEY
|
|
||||||
chmod 644 $RSA1_KEY.pub
|
|
||||||
if [ -x /sbin/restorecon ]; then
|
|
||||||
/sbin/restorecon $RSA1_KEY{,.pub}
|
|
||||||
fi
|
|
||||||
success $"RSA1 key generation"
|
|
||||||
echo
|
|
||||||
else
|
|
||||||
failure $"RSA1 key generation"
|
|
||||||
echo
|
|
||||||
exit 1
|
|
||||||
fi
|
|
||||||
fi
|
|
||||||
}
|
|
||||||
|
|
||||||
do_rsa_keygen() {
|
|
||||||
if [ ! -s $RSA_KEY ]; then
|
|
||||||
echo -n $"Generating SSH2 RSA host key: "
|
|
||||||
rm -f $RSA_KEY
|
|
||||||
if test ! -f $RSA_KEY && $KEYGEN -q -t rsa -f $RSA_KEY -C '' -N '' >&/dev/null; then
|
|
||||||
chgrp ssh_keys $RSA_KEY
|
|
||||||
chmod 640 $RSA_KEY
|
|
||||||
chmod 644 $RSA_KEY.pub
|
|
||||||
if [ -x /sbin/restorecon ]; then
|
|
||||||
/sbin/restorecon $RSA_KEY{,.pub}
|
|
||||||
fi
|
|
||||||
success $"RSA key generation"
|
|
||||||
echo
|
|
||||||
else
|
|
||||||
failure $"RSA key generation"
|
|
||||||
echo
|
|
||||||
exit 1
|
|
||||||
fi
|
|
||||||
fi
|
|
||||||
}
|
|
||||||
|
|
||||||
do_dsa_keygen() {
|
|
||||||
if [ ! -s $DSA_KEY -a `fips_enabled` -eq 0 ]; then
|
|
||||||
echo -n $"Generating SSH2 DSA host key: "
|
|
||||||
rm -f $DSA_KEY
|
|
||||||
if test ! -f $DSA_KEY && $KEYGEN -q -t dsa -f $DSA_KEY -C '' -N '' >&/dev/null; then
|
|
||||||
chgrp ssh_keys $DSA_KEY
|
|
||||||
chmod 640 $DSA_KEY
|
|
||||||
chmod 644 $DSA_KEY.pub
|
|
||||||
if [ -x /sbin/restorecon ]; then
|
|
||||||
/sbin/restorecon $DSA_KEY{,.pub}
|
|
||||||
fi
|
|
||||||
success $"DSA key generation"
|
|
||||||
echo
|
|
||||||
else
|
|
||||||
failure $"DSA key generation"
|
|
||||||
echo
|
|
||||||
exit 1
|
|
||||||
fi
|
|
||||||
fi
|
|
||||||
}
|
|
||||||
|
|
||||||
do_ecdsa_keygen() {
|
|
||||||
if [ ! -s $ECDSA_KEY ]; then
|
|
||||||
echo -n $"Generating SSH2 ECDSA host key: "
|
|
||||||
rm -f $ECDSA_KEY
|
|
||||||
if test ! -f $ECDSA_KEY && $KEYGEN -q -t ecdsa -f $ECDSA_KEY -C '' -N '' >&/dev/null; then
|
|
||||||
chgrp ssh_keys $ECDSA_KEY
|
|
||||||
chmod 640 $ECDSA_KEY
|
|
||||||
chmod 644 $ECDSA_KEY.pub
|
|
||||||
if [ -x /sbin/restorecon ]; then
|
|
||||||
/sbin/restorecon $ECDSA_KEY{,.pub}
|
|
||||||
fi
|
|
||||||
success $"ECDSA key generation"
|
|
||||||
echo
|
|
||||||
else
|
|
||||||
failure $"ECDSA key generation"
|
|
||||||
echo
|
|
||||||
exit 1
|
|
||||||
fi
|
|
||||||
fi
|
|
||||||
}
|
|
||||||
|
|
||||||
do_ed25519_keygen() {
|
|
||||||
if [ ! -s $ED25519_KEY -a `fips_enabled` -eq 0 ]; then
|
|
||||||
echo -n $"Generating SSH2 ED25519 host key: "
|
|
||||||
rm -f $ED25519_KEY
|
|
||||||
if test ! -f $ED25519_KEY && $KEYGEN -q -t ed25519 -f $ED25519_KEY -C '' -N '' >&/dev/null; then
|
|
||||||
chgrp ssh_keys $ED25519_KEY
|
|
||||||
chmod 640 $ED25519_KEY
|
|
||||||
chmod 644 $ED25519_KEY.pub
|
|
||||||
if [ -x /sbin/restorecon ]; then
|
|
||||||
/sbin/restorecon $ED25519_KEY{,.pub}
|
|
||||||
fi
|
|
||||||
success $"ED25519 key generation"
|
|
||||||
echo
|
|
||||||
else
|
|
||||||
failure $"ED25519 key generation"
|
|
||||||
echo
|
|
||||||
exit 1
|
|
||||||
fi
|
|
||||||
fi
|
|
||||||
}
|
|
||||||
|
|
||||||
if [ "x${AUTOCREATE_SERVER_KEYS}" == "xNO" ]; then
|
|
||||||
exit 0
|
|
||||||
fi
|
|
||||||
|
|
||||||
# legacy options
|
|
||||||
case $AUTOCREATE_SERVER_KEYS in
|
|
||||||
NODSA) AUTOCREATE_SERVER_KEYS="RSA ECDSA ED25519";;
|
|
||||||
RSAONLY) AUTOCREATE_SERVER_KEYS="RSA";;
|
|
||||||
YES) AUTOCREATE_SERVER_KEYS="DSA RSA ECDSA ED25519";;
|
|
||||||
esac
|
esac
|
||||||
|
KEY=/etc/ssh/ssh_host_${KEYTYPE}_key
|
||||||
|
|
||||||
for KEY in $AUTOCREATE_SERVER_KEYS; do
|
KEYGEN=/usr/bin/ssh-keygen
|
||||||
case $KEY in
|
if [[ ! -x $KEYGEN ]]; then
|
||||||
DSA) do_dsa_keygen;;
|
exit 13
|
||||||
RSA) do_rsa_keygen;;
|
fi
|
||||||
ECDSA) do_ecdsa_keygen;;
|
|
||||||
ED25519) do_ed25519_keygen;;
|
# remove old keys
|
||||||
esac
|
rm -f $KEY{,.pub}
|
||||||
done
|
|
||||||
|
# create new keys
|
||||||
|
if ! $KEYGEN -q -t $KEYTYPE -f $KEY -C '' -N '' >&/dev/null; then
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
|
||||||
|
# sanitize permissions
|
||||||
|
/usr/bin/chgrp ssh_keys $KEY
|
||||||
|
/usr/bin/chmod 640 $KEY
|
||||||
|
/usr/bin/chmod 644 $KEY.pub
|
||||||
|
if [[ -x /usr/sbin/restorecon ]]; then
|
||||||
|
/usr/sbin/restorecon $KEY{,.pub}
|
||||||
|
fi
|
||||||
|
|
||||||
|
exit 0
|
||||||
|
@ -1,11 +0,0 @@
|
|||||||
[Unit]
|
|
||||||
Description=OpenSSH Server Key Generation
|
|
||||||
ConditionFileNotEmpty=|!/etc/ssh/ssh_host_rsa_key
|
|
||||||
ConditionFileNotEmpty=|!/etc/ssh/ssh_host_ecdsa_key
|
|
||||||
ConditionFileNotEmpty=|!/etc/ssh/ssh_host_ed25519_key
|
|
||||||
PartOf=sshd.service sshd.socket
|
|
||||||
|
|
||||||
[Service]
|
|
||||||
ExecStart=/usr/sbin/sshd-keygen
|
|
||||||
Type=oneshot
|
|
||||||
RemainAfterExit=yes
|
|
9
sshd-keygen@.service
Normal file
9
sshd-keygen@.service
Normal file
@ -0,0 +1,9 @@
|
|||||||
|
[Unit]
|
||||||
|
Description=OpenSSH %i Server Key Generation
|
||||||
|
ConditionFileNotEmpty=|!/etc/ssh/ssh_host_%i_key
|
||||||
|
Before=sshd.service
|
||||||
|
|
||||||
|
[Service]
|
||||||
|
Type=oneshot
|
||||||
|
EnvironmentFile=-/etc/sysconfig/sshd
|
||||||
|
ExecStart=/usr/libexec/openssh/sshd-keygen %i
|
@ -2,7 +2,9 @@
|
|||||||
Description=OpenSSH server daemon
|
Description=OpenSSH server daemon
|
||||||
Documentation=man:sshd(8) man:sshd_config(5)
|
Documentation=man:sshd(8) man:sshd_config(5)
|
||||||
After=network.target sshd-keygen.service
|
After=network.target sshd-keygen.service
|
||||||
Wants=sshd-keygen.service
|
Wants=sshd-keygen@rsa.service
|
||||||
|
Wants=sshd-keygen@ecdsa.service
|
||||||
|
Wants=sshd-keygen@ed25519.service
|
||||||
|
|
||||||
[Service]
|
[Service]
|
||||||
Type=forking
|
Type=forking
|
||||||
|
@ -1,12 +1,8 @@
|
|||||||
# Configuration file for the sshd service.
|
# Configuration file for the sshd service.
|
||||||
|
|
||||||
# The server keys are automatically generated if they are missing.
|
# The server keys are automatically generated if they are missing.
|
||||||
# To change the automatic creation uncomment and change the appropriate
|
# To change the automatic creation, adjust sshd.service options for
|
||||||
# line. Accepted key types are: DSA RSA ECDSA ED25519.
|
# example using systemctl enable sshd-config@dsa.service for DSA keys
|
||||||
# The default is "RSA ECDSA ED25519"
|
|
||||||
|
|
||||||
# AUTOCREATE_SERVER_KEYS=""
|
|
||||||
# AUTOCREATE_SERVER_KEYS="RSA ECDSA ED25519"
|
|
||||||
|
|
||||||
# Do not change this option unless you have hardware random
|
# Do not change this option unless you have hardware random
|
||||||
# generator and you REALLY know what you are doing
|
# generator and you REALLY know what you are doing
|
||||||
|
Loading…
Reference in New Issue
Block a user