openssh: only create sshd host keys which have been enabled

Previously sshd_check_keys would create a full set of all possible sshd host keys, even if sshd_config has been set to only enable certain key types. Update sshd_check_keys to only create keys which have been enabled in sshd_config (with a fallback to creating a full set of key types if no HostKey options are defined, as before). (From OE-Core rev: 2303d795ae96f1a60caf145a0ddf100e89c4b5b0) Signed-off-by: Andre McCurdy <armccurdy@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2026-05-30 12:29:55 +00:00 · 2018-06-07 11:48:39 -07:00
parent 958fd9e6f9
commit 05881bbf35
1 changed files with 19 additions and 23 deletions
@@ -56,27 +56,23 @@ while true ; do
    esac
 done
-# parse location of keys
+HOST_KEYS=$(sed -n 's/^[ \t]*HostKey[ \t]\+\(.*\)/\1/p' "${sshd_config}")
-HOST_KEY_RSA=$(grep ^HostKey "${sshd_config}" | grep _rsa_ | tail -1 | awk ' { print $2 } ')
+[ -z "${HOST_KEYS}" ] && HOST_KEYS="$SYSCONFDIR/ssh_host_rsa_key $SYSCONFDIR/ssh_host_ecdsa_key $SYSCONFDIR/ssh_host_ed25519_key"
 [ -z "${HOST_KEY_RSA}" ] && HOST_KEY_RSA=$(grep HostKey "${sshd_config}" | grep _rsa_ | tail -1 | awk ' { print $2 } ')
 [ -z "${HOST_KEY_RSA}" ] && HOST_KEY_RSA=$SYSCONFDIR/ssh_host_rsa_key
 HOST_KEY_ECDSA=$(grep ^HostKey "${sshd_config}" | grep _ecdsa_ | tail -1 | awk ' { print $2 } ')
 [ -z "${HOST_KEY_ECDSA}" ] && HOST_KEY_ECDSA=$(grep HostKey "${sshd_config}" | grep _ecdsa_ | tail -1 | awk ' { print $2 } ')
 [ -z "${HOST_KEY_ECDSA}" ] && HOST_KEY_ECDSA=$SYSCONFDIR/ssh_host_ecdsa_key
 HOST_KEY_ED25519=$(grep ^HostKey "${sshd_config}" | grep _ed25519_ | tail -1 | awk ' { print $2 } ')
 [ -z "${HOST_KEY_ED25519}" ] && HOST_KEY_ED25519=$(grep HostKey "${sshd_config}" | grep _ed25519_ | tail -1 | awk ' { print $2 } ')
 [ -z "${HOST_KEY_ED25519}" ] && HOST_KEY_ED25519=$SYSCONFDIR/ssh_host_ed25519_key
-# create keys if necessary
+for key in ${HOST_KEYS} ; do
-if [ ! -f $HOST_KEY_RSA ]; then
+    [ -f $key ] && continue
-    echo "  generating ssh RSA key..."
+    case $key in
-    generate_key $HOST_KEY_RSA rsa
+    *_rsa_key)
-fi
+        echo "  generating ssh RSA host key..."
-if [ ! -f $HOST_KEY_ECDSA ]; then
+        generate_key $key rsa
-    echo "  generating ssh ECDSA key..."
+        ;;
-    generate_key $HOST_KEY_ECDSA ecdsa
+    *_ecdsa_key)
-fi
+        echo "  generating ssh ECDSA host key..."
-if [ ! -f $HOST_KEY_ED25519 ]; then
+        generate_key $key ecdsa
-    echo "  generating ssh ED25519 key..."
+        ;;
-    generate_key $HOST_KEY_ED25519 ed25519
+    *_ed25519_key)
-fi
+        echo "  generating ssh ED25519 host key..."
        generate_key $key ed25519
        ;;
    esac
 done