From: Konstantin Demin Date: Tue, 19 May 2026 13:38:13 +0000 (+0300) Subject: dropbear: adjust failsafe script X-Git-Url: http://git.ipfire.org/gitweb/index.cgi?a=commitdiff_plain;h=04ea7ca42f2addfc2b2b22aecba158e3ce1ef47a;p=thirdparty%2Fopenwrt.git dropbear: adjust failsafe script - try to detect supported (hostkey) algorithms; otherwise fallback to predefined list; - remove size constraint for ECDSA: custom build may include only 384 or 521 bit curves; - remove size constraint for RSA: default RSA key size is 2048 bits which is sufficient for SSH security recommendations, and previous value of 1024 bits is considered insecure. Signed-off-by: Konstantin Demin Link: https://github.com/openwrt/openwrt/pull/23217 Signed-off-by: Hauke Mehrtens
---
diff --git a/package/network/services/dropbear/files/dropbear.failsafe b/package/network/services/dropbear/files/dropbear.failsafe
index 417265babed..3194b4fbd75 100755
--- a/package/network/services/dropbear/files/dropbear.failsafe
+++ b/package/network/services/dropbear/files/dropbear.failsafe
@@ -1,53 +1,55 @@ #!/bin/sh -_dropbear() -{ - /usr/sbin/dropbear "$@" /dev/null 2>&1 +db_key_quiet() { dropbearkey "$@" /dev/null 2>&1 ; } +db_key_types_int() { + dropbearkey -h &1 \ + | sed -En '/^\s*-t/,/^\s*-/p' \ + | sed -En '/^\s*-/n;p' } - -_dropbearkey() -{ - /usr/bin/dropbearkey "$@" /dev/null 2>&1 +db_key_types() { + normalize_list "$(db_key_types_int)" } -_ensurekey() +db_key_ensure() { - _dropbearkey -y -f "$1" && return + db_key_quiet -y -f "$1" && return rm -f "$1" - _dropbearkey -f "$@" || { + db_key_quiet -f "$@" || { rm -f "$1" return 1 } } -ktype_all='ed25519 ecdsa rsa' +# $1 - list with whitespace-separated elements +normalize_list() +{ + printf '%s' "$1" | tr -s ' \r\n\t' ' ' | sed -E 's/^ //;s/ $//' +} + +failsafe_dropbear() { + local ktype_all kargs kcount ktype tkey -failsafe_dropbear () { - local kargs kcount ktype tkey + # don't hardcode supported algorithm list until things go wrong + ktype_all=$(db_key_types) + [ -n "${ktype_all}" ] || { + echo "dropbear: unable to correctly retrieve supported hostkey algorithms!" >&2 + + ktype_all='rsa ecdsa ed25519' + } kargs= kcount=0 for ktype in ${ktype_all} ; do tkey="/tmp/dropbear_failsafe_${ktype}_host_key" - case "${ktype}" in - ed25519) _ensurekey "${tkey}" -t ed25519 ;; - ecdsa) _ensurekey "${tkey}" -t ecdsa -s 256 ;; - rsa) _ensurekey "${tkey}" -t rsa -s 1024 ;; - *) - echo "unknown key type: ${ktype}" >&2 - continue - ;; - esac - - [ -s "${tkey}" ] || { - rm -f "${tkey}" - continue - } - - chmod 0400 "${tkey}" - kargs="${kargs}${kargs:+ }-r ${tkey}" - kcount=$((kcount+1)) + db_key_ensure "${tkey}" -t "${ktype}" || : + if [ -s "${tkey}" ] ; then + chmod 0400 "${tkey}" + kargs="${kargs} -r ${tkey}" + kcount=$((kcount+1)) + else + rm -f "${tkey}" "${tkey}.pub" + fi done [ "${kcount}" != 0 ] || { @@ -55,7 +57,7 @@ failsafe_dropbear () { return 1 } - _dropbear ${kargs} + dropbear ${kargs} /dev/null 2>&1 } boot_hook_add failsafe failsafe_dropbear
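Review bot: The loop in `failsafe_dropbear` now takes its key types from whatever `db_key_types` scrapes out of the `dropbearkey -h` text, and the removed `case` arm that rejected unknown types has no replacement. Each token therefore goes unchecked into the `/tmp/dropbear_failsafe_${ktype}_host_key` path and the `-t` argument, and the predefined list is used only when the scrape is empty, not when it is wrong. If the help layout ever differs from what the two `sed` ranges expect, prose words or option fragments would be tried as key types; the `rm -f` cleans up after the failures, but a guard at the top of the loop keeps the path and argv predictable: `case "${ktype}" in *[!a-z0-9]*) continue ;; esac`. A comment above `db_key_types_int` stating the layout it relies on would also help, for example `# expects key types one per line between the "-t" line and the next option line`.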
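Review bot: `dropbear ${kargs}` now resolves the daemon through PATH, where the removed `_dropbear` wrapper called `/usr/sbin/dropbear`; the first hunk does the same for `dropbearkey`, previously `/usr/bin/dropbearkey`. This function is registered with `boot_hook_add failsafe` and starts the SSH daemon, so unless PATH is guaranteed to be fixed before failsafe hooks run (not visible in this diff), keeping the absolute paths is the safer choice. `kargs` is expanded unquoted on purpose so that it splits into `-r` arguments, which deserves a short comment such as `# kargs is split intentionally: one "-r <file>" pair per key`. The body of `failsafe_dropbear` begins outside this hunk.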