InitSshd: Generate ecdsa and ed25519 keys if the host supports them

Change-Id: Iad0fdea4f2acb97207d553ed30fdfbf9b0d83067
Paladox none
2017-05-07 11:04:27 +00:00
committed by David Pursehouse
parent 6a7bf29e8d
commit c3319bf15e
3 changed files with 104 additions and 38 deletions


@@ -86,9 +86,9 @@ class InitSshd implements InitStep {
} }
private void generateSshHostKeys() throws InterruptedException, IOException { private void generateSshHostKeys() throws InterruptedException, IOException {
if (!exists(site.ssh_key) // if (!exists(site.ssh_key) && !exists(site.ssh_rsa) && !exists(site.ssh_dsa)
&& !exists(site.ssh_rsa) // || !exists(site.ssh_ed25519)
&& !exists(site.ssh_dsa)) { || !exists(site.ssh_ecdsa)) {
System.err.print("Generating SSH host key ..."); System.err.print("Generating SSH host key ...");
System.err.flush(); System.err.flush();
@@ -99,43 +99,97 @@ class InitSshd implements InitStep {
// Workaround for JDK-6518827 - zero-length argument ignored on Win32 // Workaround for JDK-6518827 - zero-length argument ignored on Win32
String emptyPassphraseArg = HostPlatform.isWin32() ? "\"\"" : ""; String emptyPassphraseArg = HostPlatform.isWin32() ? "\"\"" : "";
if (!exists(site.ssh_rsa)) {
System.err.print(" rsa...");
System.err.flush();
new ProcessBuilder(
"ssh-keygen",
"-q" /* quiet */,
"-t",
"rsa",
"-P",
emptyPassphraseArg,
"-C",
comment,
"-f",
site.ssh_rsa.toAbsolutePath().toString())
.redirectError(Redirect.INHERIT)
.redirectOutput(Redirect.INHERIT)
.start()
.waitFor();
}
System.err.print(" rsa..."); if (!exists(site.ssh_dsa)) {
System.err.flush(); System.err.print(" dsa...");
new ProcessBuilder( System.err.flush();
"ssh-keygen", new ProcessBuilder(
"-q" /* quiet */, "ssh-keygen",
"-t", "-q" /* quiet */,
"rsa", "-t",
"-P", "dsa",
emptyPassphraseArg, "-P",
"-C", emptyPassphraseArg,
comment, "-C",
"-f", comment,
site.ssh_rsa.toAbsolutePath().toString()) "-f",
.redirectError(Redirect.INHERIT) site.ssh_dsa.toAbsolutePath().toString())
.redirectOutput(Redirect.INHERIT) .redirectError(Redirect.INHERIT)
.start() .redirectOutput(Redirect.INHERIT)
.waitFor(); .start()
.waitFor();
}
System.err.print(" dsa..."); if (!exists(site.ssh_ed25519)) {
System.err.flush(); System.err.print(" ed25519...");
new ProcessBuilder( System.err.flush();
"ssh-keygen", try {
"-q" /* quiet */, new ProcessBuilder(
"-t", "ssh-keygen",
"dsa", "-q" /* quiet */,
"-P", "-t",
emptyPassphraseArg, "ed25519",
"-C", "-P",
comment, emptyPassphraseArg,
"-f", "-C",
site.ssh_dsa.toAbsolutePath().toString()) comment,
.redirectError(Redirect.INHERIT) "-f",
.redirectOutput(Redirect.INHERIT) site.ssh_ed25519.toAbsolutePath().toString())
.start() .redirectError(Redirect.INHERIT)
.waitFor(); .redirectOutput(Redirect.INHERIT)
.start()
.waitFor();
} catch (Exception e) {
// continue since older hosts won't be able to generate ed25519 keys.
System.err.print(" Failed to generate ed25519 key, continuing...");
System.err.flush();
}
}
if (!exists(site.ssh_ecdsa)) {
System.err.print(" ecdsa...");
System.err.flush();
try {
new ProcessBuilder(
"ssh-keygen",
"-q" /* quiet */,
"-t",
"ecdsa",
"-P",
emptyPassphraseArg,
"-C",
comment,
"-f",
site.ssh_ecdsa.toAbsolutePath().toString())
.redirectError(Redirect.INHERIT)
.redirectOutput(Redirect.INHERIT)
.start()
.waitFor();
} catch (Exception e) {
// continue since older hosts won't be able to generate ecdsa keys.
System.err.print(" Failed to generate ecdsa key, continuing...");
System.err.flush();
}
}
} else { } else {
// Generate the SSH daemon host key ourselves. This is complex // Generate the SSH daemon host key ourselves. This is complex
// because SimpleGeneratorHostKeyProvider doesn't mark the data // because SimpleGeneratorHostKeyProvider doesn't mark the data
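Review bot: The `try`/`catch` wrapped around the new ed25519 and ecdsa `ssh-keygen` calls does not cover the case its comment describes: an older ssh-keygen that lacks the key type exits non-zero, and that status is returned by `waitFor()` and discarded, while `start()` only throws when the binary cannot be launched at all (in which case the unguarded rsa invocation above would already have thrown out of the method). All four invocations should check the exit status, and `catch (Exception e)` should be narrowed to `IOException` so an `InterruptedException` is not swallowed; the rewritten ed25519 block below shows the shape, and the ecdsa block is the same. Separately, the condition in the first hunk parses as `(!exists(site.ssh_key) && !exists(site.ssh_rsa) && !exists(site.ssh_dsa)) || !exists(site.ssh_ed25519) || !exists(site.ssh_ecdsa)` because `&&` binds tighter than `||`, so a host that cannot produce one of the new types re-enters this branch on every `init`; whether the `else` branch at the end of the hunk then regenerates an existing host key cannot be judged here, since the `if` it pairs with and the rest of `generateSshHostKeys` lie outside the hunk. Adding parentheses to make the intended grouping explicit would at least document the decision.

```java
        if (!exists(site.ssh_ed25519)) {
          System.err.print(" ed25519...");
          System.err.flush();
          int rc;
          try {
            rc =
                new ProcessBuilder(
                        "ssh-keygen",
                        // … unchanged: -q, -t ed25519, -P, -C comment arguments …
                        "-f",
                        site.ssh_ed25519.toAbsolutePath().toString())
                    .redirectError(Redirect.INHERIT)
                    .redirectOutput(Redirect.INHERIT)
                    .start()
                    .waitFor();
          } catch (IOException e) {
            // ssh-keygen itself could not be launched.
            rc = -1;
          }
          if (rc != 0) {
            // An ssh-keygen without ed25519 support exits non-zero; it does not throw.
            System.err.print(" Failed to generate ed25519 key, continuing...");
            System.err.flush();
          }
        }
        // … unchanged: ecdsa block, same pattern …
```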


@@ -57,6 +57,8 @@ public final class SitePaths {
public final Path ssh_key; public final Path ssh_key;
public final Path ssh_rsa; public final Path ssh_rsa;
public final Path ssh_dsa; public final Path ssh_dsa;
public final Path ssh_ecdsa;
public final Path ssh_ed25519;
public final Path peer_keys; public final Path peer_keys;
public final Path site_css; public final Path site_css;
@@ -98,6 +100,8 @@ public final class SitePaths {
ssh_key = etc_dir.resolve("ssh_host_key"); ssh_key = etc_dir.resolve("ssh_host_key");
ssh_rsa = etc_dir.resolve("ssh_host_rsa_key"); ssh_rsa = etc_dir.resolve("ssh_host_rsa_key");
ssh_dsa = etc_dir.resolve("ssh_host_dsa_key"); ssh_dsa = etc_dir.resolve("ssh_host_dsa_key");
ssh_ecdsa = etc_dir.resolve("ssh_host_ecdsa_key");
ssh_ed25519 = etc_dir.resolve("ssh_host_ed25519_key");
peer_keys = etc_dir.resolve("peer_keys"); peer_keys = etc_dir.resolve("peer_keys");
site_css = etc_dir.resolve(CSS_FILENAME); site_css = etc_dir.resolve(CSS_FILENAME);


@@ -41,14 +41,22 @@ class HostKeyProvider implements Provider<KeyPairProvider> {
Path objKey = site.ssh_key; Path objKey = site.ssh_key;
Path rsaKey = site.ssh_rsa; Path rsaKey = site.ssh_rsa;
Path dsaKey = site.ssh_dsa; Path dsaKey = site.ssh_dsa;
Path ecdsaKey = site.ssh_ecdsa;
Path ed25519Key = site.ssh_ed25519;
final List<File> stdKeys = new ArrayList<>(2); final List<File> stdKeys = new ArrayList<>(4);
if (Files.exists(rsaKey)) { if (Files.exists(rsaKey)) {
stdKeys.add(rsaKey.toAbsolutePath().toFile()); stdKeys.add(rsaKey.toAbsolutePath().toFile());
} }
if (Files.exists(dsaKey)) { if (Files.exists(dsaKey)) {
stdKeys.add(dsaKey.toAbsolutePath().toFile()); stdKeys.add(dsaKey.toAbsolutePath().toFile());
} }
if (Files.exists(ecdsaKey)) {
stdKeys.add(ecdsaKey.toAbsolutePath().toFile());
}
if (Files.exists(ed25519Key)) {
stdKeys.add(ed25519Key.toAbsolutePath().toFile());
}
if (Files.exists(objKey)) { if (Files.exists(objKey)) {
if (stdKeys.isEmpty()) { if (stdKeys.isEmpty()) {