Initial commit

Pick a license that matches Debian's openssh package so it could be folded into it.

Initial commit
Pick a license that matches Debian's openssh package so it could be folded into it.
3046e614 · Guido Gunther · 3046e614 · 3046e614 · 3046e614 · 3046e614
Commit 3046e614 authored 6 years ago by Guido Gunther
--- a/.gitignore
+++ b/.gitignore
+debian/.debhelper/
+debian/*.debhelper
+debian/debhelper-build-stamp
+debian/files
+debian/gen-sshd-host-keys/
+debian/gen-sshd-host-keys.substvars
--- a/Makefile
+++ b/Makefile
+SCRIPT=gen-sshd-host-keys
+
+.PHONY: build
+build:
+
+.PHONY: test
+test: $(SCRIPT)
+	shellcheck -x $(SCRIPT)
+
+.PHONY: install
+install:
+	install -D $(SCRIPT) $(DESTDIR)/sbin/$(SCRIPT)
--- a/README.md
+++ b/README.md
+gen-sshd-host-keys
+==================
+
+Script and systemd unit to generate ssh host keys on system boot iff missing.
+This can be useful if machines are setup via cloning. If the master image does
+not ship any ssh host keys the keys are generate on first system boot making
+sure they're unique for each clone. This scenario exists in cloud environments
+as well as on embedded systems.
+
+See https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=594175 for more details.
--- a/debian/README.source
+++ b/debian/README.source
+This package is maintained with git-buildpackage(1). It follows DEP-14
+for branch naming (e.g. using debian/sid for the current version
+in Debian unstable).
+
+The changelog is generated using "gbp dch" so if you submit any
+changes don't bother to add changelog entries but rather provide
+a nice git commit message that can then end up in the changelog.
+
+It is recommended to build the package with pbuilder using:
+
+    gbp buildpackage --git-pbuilder
+
+For information on how to set up a pbuilder environment see the
+git-pbuilder(1) manpage. In short:
+
+    DIST=sid git-pbuilder create
+    gbp clone <project-url>
+    cd <project>
+    gbp buildpackage --git-pbuilder
+
+ -- Guido Günther <agx@sigxcpu.org>, Wed,  2 Dec 2015 18:51:15 +0100
--- a/debian/changelog
+++ b/debian/changelog
+gen-sshd-host-keys (0) unstable; urgency=medium
+
+  * Initial release
+
+ -- Guido Günther <agx@sigxcpu.org>  Wed, 19 Sep 2018 10:12:55 +0200
--- a/debian/compat
+++ b/debian/compat
+11
--- a/debian/control
+++ b/debian/control
+Source: gen-sshd-host-keys
+Section: net
+Priority: optional
+Maintainer: Guido Günther <agx@sigxcpu.org>
+Build-Depends:
+ debhelper (>= 11),
+ shellcheck,
+Standards-Version: 4.2.1
+Vcs-Browser: https://source.puri.sm/Librem5/gen-sshd-host-keys
+Vcs-Git: https://source.puri.sm/Librem5/gen-sshd-host-keys.git
+
+Package: gen-sshd-host-keys
+Architecture: all
+Depends:
+ ${shlibs:Depends},
+ ${misc:Depends},
+ openssh-server, 
+Description: Generate sshd's host keys on boot if missing
+ This package ships a systemd unit that generates host keys for OpenSSH's sshd
+ on system boot. This can be useful if you're using an image based install and
+ wipe the host keys as part of that process.
--- a/debian/copyright
+++ b/debian/copyright
+Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
+Upstream-Name: gen-sshd-host-keys
+Source: https://source.puri.sm/Librem5/gen-sshd-host-keys.git
+
+Files: *
+Copyright: 2018 Purism SPC
+License: BSD-2-clause
+ Redistribution and use in source and binary forms, with or without
+ modification, are permitted provided that the following conditions
+ are met:
+ 1. Redistributions of source code must retain the above copyright
+    notice, this list of conditions and the following disclaimer.
+ 2. Redistributions in binary form must reproduce the above copyright
+    notice, this list of conditions and the following disclaimer in the
+    documentation and/or other materials provided with the distribution.
+ .
+ THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
--- a/debian/gen-sshd-host-keys.service
+++ b/debian/gen-sshd-host-keys.service
+[Unit]
+Description=Generate OpenSSH daemon host keys service
+ConditionPathExists=/usr/sbin/sshd
+ConditionPathExists=!/etc/ssh/sshd_not_to_be_run
+Before=ssh.service
+Before=ssh.socket
+Documentation=https://source.puri.sm/Librem5/gen-ssd-host-keys/README.md
+
+[Service]
+Type=oneshot
+ExecStart=/sbin/gen-sshd-host-keys
+ExecStop=/bin/true
+
+[Install]
+WantedBy=ssh.service
+WantedBy=ssh.socket
--- a/debian/rules
+++ b/debian/rules
+#!/usr/bin/make -f
+# See debhelper(7) (uncomment to enable)
+# output every command that modifies files on the build system.
+#export DH_VERBOSE = 1
+
+%:
+	dh $@
+
+override_dh_installsystemd:
+	# Don't generate keys on package installation
+	dh_installsystemd --no-stop-on-upgrade --no-start
--- a/debian/source/format
+++ b/debian/source/format
+3.0 (native)
--- a/gen-sshd-host-keys
+++ b/gen-sshd-host-keys
+#!/bin/sh
+#
+# Generate missing ssh host keys
+# code copied from openssh-server postinst to address
+# https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=594175
+
+set -e
+
+export LC_ALL=C.UTF-8
+
+get_config_option() {
+        option="$1"
+
+        [ -f /etc/ssh/sshd_config ] || return
+
+        # TODO: actually only one '=' allowed after option
+        perl -lne '
+                s/[[:space:]]+/ /g; s/[[:space:]]+$//;
+                print if s/^[[:space:]]*'"$option"'[[:space:]=]+//i' \
+           /etc/ssh/sshd_config
+}
+
+
+host_keys_required() {
+        hostkeys="$(get_config_option HostKey)"
+        if [ "$hostkeys" ]; then
+                echo "$hostkeys"
+        else
+                # No HostKey directives at all, so the server picks some
+                # defaults.
+                echo /etc/ssh/ssh_host_rsa_key
+                echo /etc/ssh/ssh_host_ecdsa_key
+                echo /etc/ssh/ssh_host_ed25519_key
+        fi
+}
+
+create_key() {
+	msg="$1"
+	shift
+	hostkeys="$1"
+	shift
+	file="$1"
+	shift
+
+	if echo "$hostkeys" | grep -x "$file" >/dev/null && \
+	   [ ! -f "$file" ] ; then
+		printf "%s" "$msg"
+		ssh-keygen -q -f "$file" -N '' "$@"
+		echo
+		if which restorecon >/dev/null 2>&1; then
+			restorecon "$file" "$file.pub"
+		fi
+		ssh-keygen -l -f "$file.pub"
+	fi
+}
+
+
+create_keys() {
+	hostkeys="$(host_keys_required)"
+
+	create_key "Creating SSH2 RSA key; this may take some time ..." \
+		"$hostkeys" /etc/ssh/ssh_host_rsa_key -t rsa
+	create_key "Creating SSH2 DSA key; this may take some time ..." \
+		"$hostkeys" /etc/ssh/ssh_host_dsa_key -t dsa
+	create_key "Creating SSH2 ECDSA key; this may take some time ..." \
+		"$hostkeys" /etc/ssh/ssh_host_ecdsa_key -t ecdsa
+	create_key "Creating SSH2 ED25519 key; this may take some time ..." \
+		"$hostkeys" /etc/ssh/ssh_host_ed25519_key -t ed25519
+}
+
+create_keys