From: Konstantin Demin
Date: Tue, 19 May 2026 13:38:13 +0000 (+0300)
Subject: dropbear: rework failsafe script
X-Git-Url: http://git.ipfire.org/gitweb/index.cgi?a=commitdiff_plain;h=refs%2Fpull%2F23217%2Fhead;p=thirdparty%2Fopenwrt.git

dropbear: rework failsafe script

- generate or use RSA only if none of the modern algorithms (Ed25519, ECDSA) are supported;
- remove size constraints for key size.

Signed-off-by: Konstantin Demin
Link: https://github.com/openwrt/openwrt/pull/23217
Signed-off-by: Hauke Mehrtens
---

diff --git a/package/network/services/dropbear/files/dropbear.failsafe b/package/network/services/dropbear/files/dropbear.failsafe
index 3194b4fbd75..8074e1dfb98 100755
--- a/package/network/services/dropbear/files/dropbear.failsafe
+++ b/package/network/services/dropbear/files/dropbear.failsafe
@@ -40,6 +40,26 @@ failsafe_dropbear() {
 kargs=
 kcount=0
 for ktype in ${ktype_all} ; do
+case "${ktype}" in
+rsa ) ;; # skip (see below)
+* )
+tkey="/tmp/dropbear_failsafe_${ktype}_host_key"
+
+db_key_ensure "${tkey}" -t "${ktype}" || :
+if [ -s "${tkey}" ] ; then
+chmod 0400 "${tkey}"
+kargs="${kargs} -r ${tkey}"
+kcount=$((kcount+1))
+else
+rm -f "${tkey}" "${tkey}.pub"
+fi
+;;
+esac
+done
+
+# use RSA only if none of the modern algorithms is supported
+if [ "${kcount}" = 0 ] ; then
+ktype=rsa
 tkey="/tmp/dropbear_failsafe_${ktype}_host_key"

 db_key_ensure "${tkey}" -t "${ktype}" || :
@@ -50,7 +70,7 @@ failsafe_dropbear() {
 else
 rm -f "${tkey}" "${tkey}.pub"
 fi
-done
+fi

 [ "${kcount}" != 0 ] || {
 echo 'DROPBEAR IS BROKEN' >&2
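Review bot: The `* )` arm of the new case and the RSA fallback below it repeat the same eight lines (the tkey assignment, `db_key_ensure`, the `-s` test, `chmod 0400`, the kargs/kcount update and the `rm -f` cleanup), so a later fix to how the key file is created or protected has to be made twice; factoring them into a helper taking the key type removes the duplicate and lets the loop become `[ "${ktype}" != rsa ] || continue` followed by `failsafe_key_add "${ktype}" || :`, with the fallback reduced to `[ "${kcount}" != 0 ] || failsafe_key_add rsa || :` (the `done` to `fi` edit in the second hunk then disappears). In both copies the key is only made 0400 after it already exists; unless db_key_ensure is known to create the file with an explicit owner-only mode, running it under `umask 077` inside the helper removes the interval in which the private key sits with the default umask. The helper reads and writes the function-level `kargs` and `kcount` exactly as the inline code does. `failsafe_dropbear` starts and ends outside the hunk, and `db_key_ensure` and `ktype_all` are defined outside it, so whether a subshell around db_key_ensure is acceptable depends on that definition.
```shell
# Generate (or reuse) one failsafe host key of type $1, add it to ${kargs}
# and bump ${kcount}.  Returns 0 if the key is usable, 1 otherwise.
failsafe_key_add() {
	tkey="/tmp/dropbear_failsafe_${1}_host_key"

	# generate under an owner-only umask so the private key is never
	# created with the default (possibly group/world readable) mode
	( umask 077 ; db_key_ensure "${tkey}" -t "${1}" ) || :
	if [ -s "${tkey}" ] ; then
		chmod 0400 "${tkey}"
		kargs="${kargs} -r ${tkey}"
		kcount=$((kcount+1))
		return 0
	fi
	rm -f "${tkey}" "${tkey}.pub"
	return 1
}

# … unchanged: start of failsafe_dropbear(), kargs= / kcount=0 …
	for ktype in ${ktype_all} ; do
		[ "${ktype}" != rsa ] || continue   # see below
		failsafe_key_add "${ktype}" || :
	done

	# use RSA only if none of the modern algorithms is supported
	[ "${kcount}" != 0 ] || failsafe_key_add rsa || :
# … unchanged: DROPBEAR IS BROKEN check …
```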