dropbear: rework failsafe script 23217/head
authorKonstantin Demin <rockdrilla@gmail.com>
Tue, 19 May 2026 13:38:13 +0000 (16:38 +0300)
committerHauke Mehrtens <hauke@hauke-m.de>
Wed, 27 May 2026 23:19:35 +0000 (01:19 +0200)
- generate or use RSA only if none of the modern algorithms (Ed25519, ECDSA) are supported;
- remove size constraints for key size.

Signed-off-by: Konstantin Demin <rockdrilla@gmail.com>
Link: https://github.com/openwrt/openwrt/pull/23217
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
package/network/services/dropbear/files/dropbear.failsafe

index 3194b4fbd75fcf31189c14e864ad5949caafa7b7..8074e1dfb98a75006eb703227c7e6499573a7943 100755 (executable)
@@ -40,6 +40,26 @@ failsafe_dropbear() {
        kargs=
        kcount=0
        for ktype in ${ktype_all} ; do
+               case "${ktype}" in
+               rsa ) ;; # skip (see below)
+               * )
+                       tkey="/tmp/dropbear_failsafe_${ktype}_host_key"
+
+                       db_key_ensure "${tkey}" -t "${ktype}" || :
+                       if [ -s "${tkey}" ] ; then
+                               chmod 0400 "${tkey}"
+                               kargs="${kargs} -r ${tkey}"
+                               kcount=$((kcount+1))
+                       else
+                               rm -f "${tkey}" "${tkey}.pub"
+                       fi
+               ;;
+               esac
+       done
+
+       # use RSA only if none of the modern algorithms is supported
+       if [ "${kcount}" = 0 ] ; then
+               ktype=rsa
                tkey="/tmp/dropbear_failsafe_${ktype}_host_key"
 
                db_key_ensure "${tkey}" -t "${ktype}" || :
@@ -50,7 +70,7 @@ failsafe_dropbear() {
                else
                        rm -f "${tkey}" "${tkey}.pub"
                fi
-       done
+       fi
 
        [ "${kcount}" != 0 ] || {
                echo 'DROPBEAR IS BROKEN' >&2
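Review bot: The RSA fallback at `if [ "${kcount}" = 0 ] ; then` runs whether or not `rsa` was actually listed in `${ktype_all}`; the `rsa )` arm of the case only skips it, it does not record that the build supports it, so on a build without RSA the fallback calls `db_key_ensure` with an unsupported type, the failure is masked by `|| :`, and the script ends in the "DROPBEAR IS BROKEN" path after a pointless attempt. Recording availability during the loop keeps the intent of the commit and makes the fallback honest: `krsa=` next to `kargs=`, `rsa ) krsa=1 ;; # deferred (see below)` in the case, and `if [ "${kcount}" = 0 ] && [ -n "${krsa}" ] ; then` for the fallback. Separately, `chmod 0400 "${tkey}"` only runs after `db_key_ensure` has written the key; unless the caller or `db_key_ensure` (both outside the hunk) already set a restrictive umask, the private key is briefly created with default permissions, which a `umask 077` at the start of the function would avoid. failsafe_dropbear starts before the first hunk and continues past the second.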