InitSshd: Generate ecdsa and ed25519 keys if the host supports them
Change-Id: Iad0fdea4f2acb97207d553ed30fdfbf9b0d83067
committed by
David Pursehouse
parent
6a7bf29e8d
commit
c3319bf15e
@@ -86,9 +86,9 @@ class InitSshd implements InitStep {
|
||||
}
|
||||
|
||||
private void generateSshHostKeys() throws InterruptedException, IOException {
|
||||
if (!exists(site.ssh_key) //
|
||||
&& !exists(site.ssh_rsa) //
|
||||
&& !exists(site.ssh_dsa)) {
|
||||
if (!exists(site.ssh_key) && !exists(site.ssh_rsa) && !exists(site.ssh_dsa)
|
||||
|| !exists(site.ssh_ed25519)
|
||||
|| !exists(site.ssh_ecdsa)) {
|
||||
System.err.print("Generating SSH host key ...");
|
||||
System.err.flush();
|
||||
|
||||
@@ -99,43 +99,97 @@ class InitSshd implements InitStep {
|
||||
|
||||
// Workaround for JDK-6518827 - zero-length argument ignored on Win32
|
||||
String emptyPassphraseArg = HostPlatform.isWin32() ? "\"\"" : "";
|
||||
if (!exists(site.ssh_rsa)) {
|
||||
System.err.print(" rsa...");
|
||||
System.err.flush();
|
||||
new ProcessBuilder(
|
||||
"ssh-keygen",
|
||||
"-q" /* quiet */,
|
||||
"-t",
|
||||
"rsa",
|
||||
"-P",
|
||||
emptyPassphraseArg,
|
||||
"-C",
|
||||
comment,
|
||||
"-f",
|
||||
site.ssh_rsa.toAbsolutePath().toString())
|
||||
.redirectError(Redirect.INHERIT)
|
||||
.redirectOutput(Redirect.INHERIT)
|
||||
.start()
|
||||
.waitFor();
|
||||
}
|
||||
|
||||
System.err.print(" rsa...");
|
||||
System.err.flush();
|
||||
new ProcessBuilder(
|
||||
"ssh-keygen",
|
||||
"-q" /* quiet */,
|
||||
"-t",
|
||||
"rsa",
|
||||
"-P",
|
||||
emptyPassphraseArg,
|
||||
"-C",
|
||||
comment,
|
||||
"-f",
|
||||
site.ssh_rsa.toAbsolutePath().toString())
|
||||
.redirectError(Redirect.INHERIT)
|
||||
.redirectOutput(Redirect.INHERIT)
|
||||
.start()
|
||||
.waitFor();
|
||||
if (!exists(site.ssh_dsa)) {
|
||||
System.err.print(" dsa...");
|
||||
System.err.flush();
|
||||
new ProcessBuilder(
|
||||
"ssh-keygen",
|
||||
"-q" /* quiet */,
|
||||
"-t",
|
||||
"dsa",
|
||||
"-P",
|
||||
emptyPassphraseArg,
|
||||
"-C",
|
||||
comment,
|
||||
"-f",
|
||||
site.ssh_dsa.toAbsolutePath().toString())
|
||||
.redirectError(Redirect.INHERIT)
|
||||
.redirectOutput(Redirect.INHERIT)
|
||||
.start()
|
||||
.waitFor();
|
||||
}
|
||||
|
||||
System.err.print(" dsa...");
|
||||
System.err.flush();
|
||||
new ProcessBuilder(
|
||||
"ssh-keygen",
|
||||
"-q" /* quiet */,
|
||||
"-t",
|
||||
"dsa",
|
||||
"-P",
|
||||
emptyPassphraseArg,
|
||||
"-C",
|
||||
comment,
|
||||
"-f",
|
||||
site.ssh_dsa.toAbsolutePath().toString())
|
||||
.redirectError(Redirect.INHERIT)
|
||||
.redirectOutput(Redirect.INHERIT)
|
||||
.start()
|
||||
.waitFor();
|
||||
if (!exists(site.ssh_ed25519)) {
|
||||
System.err.print(" ed25519...");
|
||||
System.err.flush();
|
||||
try {
|
||||
new ProcessBuilder(
|
||||
"ssh-keygen",
|
||||
"-q" /* quiet */,
|
||||
"-t",
|
||||
"ed25519",
|
||||
"-P",
|
||||
emptyPassphraseArg,
|
||||
"-C",
|
||||
comment,
|
||||
"-f",
|
||||
site.ssh_ed25519.toAbsolutePath().toString())
|
||||
.redirectError(Redirect.INHERIT)
|
||||
.redirectOutput(Redirect.INHERIT)
|
||||
.start()
|
||||
.waitFor();
|
||||
} catch (Exception e) {
|
||||
// continue since older hosts won't be able to generate ed25519 keys.
|
||||
System.err.print(" Failed to generate ed25519 key, continuing...");
|
||||
System.err.flush();
|
||||
}
|
||||
}
|
||||
|
||||
if (!exists(site.ssh_ecdsa)) {
|
||||
System.err.print(" ecdsa...");
|
||||
System.err.flush();
|
||||
try {
|
||||
new ProcessBuilder(
|
||||
"ssh-keygen",
|
||||
"-q" /* quiet */,
|
||||
"-t",
|
||||
"ecdsa",
|
||||
"-P",
|
||||
emptyPassphraseArg,
|
||||
"-C",
|
||||
comment,
|
||||
"-f",
|
||||
site.ssh_ecdsa.toAbsolutePath().toString())
|
||||
.redirectError(Redirect.INHERIT)
|
||||
.redirectOutput(Redirect.INHERIT)
|
||||
.start()
|
||||
.waitFor();
|
||||
} catch (Exception e) {
|
||||
// continue since older hosts won't be able to generate ecdsa keys.
|
||||
System.err.print(" Failed to generate ecdsa key, continuing...");
|
||||
System.err.flush();
|
||||
}
|
||||
}
|
||||
} else {
|
||||
// Generate the SSH daemon host key ourselves. This is complex
|
||||
// because SimpleGeneratorHostKeyProvider doesn't mark the data
|
||||
|
||||
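Review bot: The `try { ... } catch (Exception e)` wrapped around the new ed25519 and ecdsa `ssh-keygen` invocations does not cover the failure its comment describes: an older `ssh-keygen` that does not know the key type prints its own error (stderr is inherited) and exits non-zero, which raises no exception, while the result of `.waitFor()` is discarded, so only a missing `ssh-keygen` binary (an `IOException` from `start()`) ever reaches the catch. Capture and test the exit status instead, and narrow the catch to `IOException` so that `InterruptedException`, which the method declares and which the rsa/dsa paths still propagate, is not swallowed; the same applies to the ecdsa block. Separately, the new outer condition mixes `&&` and `||` without parentheses and so reads as `(no ssh_key && no rsa && no dsa) || no ed25519 || no ecdsa`; if that is intended (so that a site that already has `ssh_key` gains the new key types on upgrade), parenthesize it, e.g. `if ((!exists(site.ssh_key) && !exists(site.ssh_rsa) && !exists(site.ssh_dsa)) || !exists(site.ssh_ed25519) || !exists(site.ssh_ecdsa)) {`, and note that the `else` branch further down, which lies outside this hunk, now also runs for such sites. The enclosing method `generateSshHostKeys` continues past the end of the hunk.
```java
if (!exists(site.ssh_ed25519)) {
  System.err.print(" ed25519...");
  System.err.flush();
  try {
    int rc =
        new ProcessBuilder(
                "ssh-keygen", "-q" /* quiet */, "-t", "ed25519", "-P", emptyPassphraseArg,
                "-C", comment, "-f", site.ssh_ed25519.toAbsolutePath().toString())
            .redirectError(Redirect.INHERIT)
            .redirectOutput(Redirect.INHERIT)
            .start()
            .waitFor();
    if (rc != 0) {
      // Older ssh-keygen versions do not support ed25519; keep going without it.
      System.err.print(" Failed to generate ed25519 key, continuing...");
      System.err.flush();
    }
  } catch (IOException e) {
    // ssh-keygen could not be started at all; InterruptedException still propagates.
    System.err.print(" Failed to generate ed25519 key, continuing...");
    System.err.flush();
  }
}
// … unchanged: same treatment for the ecdsa block …
```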
@@ -57,6 +57,8 @@ public final class SitePaths {
|
||||
public final Path ssh_key;
|
||||
public final Path ssh_rsa;
|
||||
public final Path ssh_dsa;
|
||||
public final Path ssh_ecdsa;
|
||||
public final Path ssh_ed25519;
|
||||
public final Path peer_keys;
|
||||
|
||||
public final Path site_css;
|
||||
@@ -98,6 +100,8 @@ public final class SitePaths {
|
||||
ssh_key = etc_dir.resolve("ssh_host_key");
|
||||
ssh_rsa = etc_dir.resolve("ssh_host_rsa_key");
|
||||
ssh_dsa = etc_dir.resolve("ssh_host_dsa_key");
|
||||
ssh_ecdsa = etc_dir.resolve("ssh_host_ecdsa_key");
|
||||
ssh_ed25519 = etc_dir.resolve("ssh_host_ed25519_key");
|
||||
peer_keys = etc_dir.resolve("peer_keys");
|
||||
|
||||
site_css = etc_dir.resolve(CSS_FILENAME);
|
||||
|
||||
@@ -41,14 +41,22 @@ class HostKeyProvider implements Provider<KeyPairProvider> {
|
||||
Path objKey = site.ssh_key;
|
||||
Path rsaKey = site.ssh_rsa;
|
||||
Path dsaKey = site.ssh_dsa;
|
||||
Path ecdsaKey = site.ssh_ecdsa;
|
||||
Path ed25519Key = site.ssh_ed25519;
|
||||
|
||||
final List<File> stdKeys = new ArrayList<>(2);
|
||||
final List<File> stdKeys = new ArrayList<>(4);
|
||||
if (Files.exists(rsaKey)) {
|
||||
stdKeys.add(rsaKey.toAbsolutePath().toFile());
|
||||
}
|
||||
if (Files.exists(dsaKey)) {
|
||||
stdKeys.add(dsaKey.toAbsolutePath().toFile());
|
||||
}
|
||||
if (Files.exists(ecdsaKey)) {
|
||||
stdKeys.add(ecdsaKey.toAbsolutePath().toFile());
|
||||
}
|
||||
if (Files.exists(ed25519Key)) {
|
||||
stdKeys.add(ed25519Key.toAbsolutePath().toFile());
|
||||
}
|
||||
|
||||
if (Files.exists(objKey)) {
|
||||
if (stdKeys.isEmpty()) {
|
||||
|
||||
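Review bot: The four copy-pasted `if (Files.exists(...)) { stdKeys.add(...) }` blocks for rsa, dsa, ecdsa and ed25519 are a style point rather than a defect: now that there are four of them, a loop over the key paths says the same thing in five lines and keeps the existing order (rsa, dsa, ecdsa, ed25519) in which the files are added. `Arrays.asList` would need a `java.util.Arrays` import, which is outside this hunk and may or may not already be present. The enclosing method starts and ends outside the hunk.
```java
final List<File> stdKeys = new ArrayList<>(4);
for (Path key : Arrays.asList(rsaKey, dsaKey, ecdsaKey, ed25519Key)) {
  if (Files.exists(key)) {
    stdKeys.add(key.toAbsolutePath().toFile());
  }
}
// … unchanged: objKey handling …
```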