| field | value | date |
|---|---|---|
| author | Alexander Dahl <ada@thorsis.com> | 2021-11-05 16:47:34 +0100 |
| committer | Michael Olbrich <m.olbrich@pengutronix.de> | 2021-11-12 10:12:15 +0100 |
| commit | ac33521e077e313ad9c67a4ca2c8bf44de34cbc2 (patch) | |
| tree | 1b330eaad86b9cf3f9730290ae977130f55f9df0 /projectroot | |
| parent | 2e864fb02dbb3733f2ef3808b86364441da364a2 (diff) | |
| download | ptxdist-ac33521e077e313ad9c67a4ca2c8bf44de34cbc2.tar.gz, ptxdist-ac33521e077e313ad9c67a4ca2c8bf44de34cbc2.tar.xz | |
openssh: rc-once: Do not overwrite existing keys

When storing your keys not in rootfs but on a separate data partition
(using symbolic links or overlay fs), keys are overwritten on each
firmware upgrade which lets rc-once run again (which happens when using
opkg upgrade/update or RAUC in an A/B scheme for example).
Changing keys is at best annoying, but may be interpreted as an attack
as well.
Note: if an empty or invalid key is found, the key is still regenerated.
Signed-off-by: Alexander Dahl <ada@thorsis.com>
Message-Id: <20211105154734.19983-9-ada@thorsis.com>
Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
Diffstat (limited to 'projectroot')
| -rw-r--r-- | projectroot/etc/rc.once.d/openssh | 1 |
1 files changed, 1 insertions, 0 deletions
diff --git a/projectroot/etc/rc.once.d/openssh b/projectroot/etc/rc.once.d/openssh index 545586f07..717d6457e 100644 --- a/projectroot/etc/rc.once.d/openssh +++ b/projectroot/etc/rc.once.d/openssh @@ -27,6 +27,7 @@ create_keys() { hostkeys="$(get_hostkeys)" || return for keyfile in $hostkeys; do + [ -s "$keyfile" ] && ssh-keygen -l -f "${keyfile}.pub" > /dev/null && continue create_key "$keyfile" || return done } |
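Review bot: the new guard in `create_keys()` only checks that the private file is non-empty (`-s`) and that `${keyfile}.pub` parses with `ssh-keygen -l`, so a valid private host key whose `.pub` is missing or corrupt still falls through to `create_key` and gets replaced, which silently changes the host identity that this commit is trying to keep stable. Consider validating the private key itself, e.g. `ssh-keygen -y -f "$keyfile" > /dev/null && continue`, and regenerating only the `.pub` from it when that succeeds, so a full regeneration happens only when the private key is genuinely unusable. Also, `ssh-keygen -l` stderr is not redirected, so an invalid `.pub` spills its error onto the console during rc-once; redirecting it with `2>/dev/null` and logging the regeneration explicitly would be clearer, since a host key change is exactly the event an operator would want recorded.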