From: Rasmus Villemoes Date: Fri, 29 Sep 2023 08:43:15 +0000 (+0200) Subject: openssh: update sshd_check_keys script to make use of 'sshd -G' X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=dd27f9d869b8aa28dfb18de037a24ab0ec735718;p=thirdparty%2Fopenembedded%2Fopenembedded-core-contrib.git openssh: update sshd_check_keys script to make use of 'sshd -G' Parsing sshd's config file with 'sed' does not work in for example the case where somebody has made use of the new ability to add a config fragment in /etc/ssh/sshd_config.d/ with one or more HostKey stanzas. Also, sshd_config keywords are case-insensitive, but the current sed pattern only matches the CamelCase spelling of HostKey. In openssh 9.3, sshd learnt a new command line flag '-G', which causes sshd to parse the given configuration file and print the resulting effective configuration on stdout. So use that instead. Furthermore, since that "effective configuration" includes the default set of host keys if the configuration file has no HostKey stanzas, we also avoid the script needing to know what sshd's default is - that could plausibly change with some future release. Signed-off-by: Rasmus Villemoes Signed-off-by: Alexandre Belloni Signed-off-by: Richard Purdie --- diff --git a/meta/recipes-connectivity/openssh/openssh/sshd_check_keys b/meta/recipes-connectivity/openssh/openssh/sshd_check_keys index ef117de897f..606d1894b55 100644 --- a/meta/recipes-connectivity/openssh/openssh/sshd_check_keys +++ b/meta/recipes-connectivity/openssh/openssh/sshd_check_keys @@ -57,8 +57,7 @@ while true ; do esac done -HOST_KEYS=$(sed -n 's/^[ \t]*HostKey[ \t]\+\(.*\)/\1/p' "${sshd_config}") -[ -z "${HOST_KEYS}" ] && HOST_KEYS="$SYSCONFDIR/ssh_host_rsa_key $SYSCONFDIR/ssh_host_ecdsa_key $SYSCONFDIR/ssh_host_ed25519_key" +HOST_KEYS=$(sshd -G -f "${sshd_config}" | grep -i '^hostkey ' | cut -f2 -d' ') for key in ${HOST_KEYS} ; do [ -f $key ] && continue
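Review bot: the replacement line drops the failure fallback the removed line provided: if `sshd -G -f "${sshd_config}"` exits non-zero (a config that fails to parse, or an sshd older than 9.3 that does not know `-G`), the pipeline's status is that of `cut`, so HOST_KEYS becomes empty and the `for` loop silently generates no keys at all, whereas the old code always fell back to a default list. Suggest capturing the dump and its exit status before filtering, e.g. `if ! sshd_cfg=$(sshd -G -f "${sshd_config}"); then echo "sshd -G failed" >&2; exit 1; fi` followed by `HOST_KEYS=$(printf '%s\n' "$sshd_cfg" | grep '^hostkey ' | cut -f2 -d' ')`. Two smaller points on the same line: `cut -f2 -d' '` truncates any HostKey path containing a space, so `sed -n 's/^hostkey //p'` would preserve the whole value, and since `sshd -G` prints keywords in lowercase the `-i` on grep is unnecessary.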