
Commit 6c9d6af

Improve support when running under FIPS mode.
- Multiple host keys are generated to support as many clients as possible
- Under FIPS mode, certain key algorithms/lengths may fail to be generated with ssh-keygen
- Allow the sshd.start script to continue despite the failures
- Remove DSA key generation as it is not included in SSHD HostKey config

Signed-off-by: Roland Grunberg <rgrunber@redhat.com>
1 parent 59455f3 commit 6c9d6af

2 files changed

Lines changed: 11 additions & 10 deletions


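--- a/build/scripts/code-sshd-page/server.js
+++ b/build/scripts/code-sshd-page/server.js
@@ -37,7 +37,7 @@ const server = http.createServer((req, res) => {
 
 let genKey = "PRIVATE KEY NOT FOUND";
 try {
-genKey = fs.readFileSync(`/sshd/ssh_client_ed25519_key`, 'utf8');
+genKey = fs.readFileSync(`/sshd/ssh_client_key`, 'utf8');
 } catch (err) {
 // continue
 }
@@ -113,7 +113,7 @@ const server = http.createServer((req, res) => {
 HostName 127.0.0.1
 User ${username}
 Port 2022
-IdentityFile "$\{HOME\}/.ssh/ssh_client_ed25519_key"
+IdentityFile "$\{HOME\}/.ssh/ssh_client_key"
 UserKnownHostsFile /dev/null</pre>
 </div>
 <div class="clipboard">
@@ -126,7 +126,7 @@ const server = http.createServer((req, res) => {
 </div>
 </div>
 <p>
-Where <code class="path">$\{HOME\}/.ssh/ssh_client_ed25519_key</code> should be replaced by the absolute path to the private key file on your local system.
+Where <code class="path">$\{HOME\}/.ssh/ssh_client_key</code> should be replaced by the absolute path to the private key file on your local system.
 </p>
 </li>
 </ol>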

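--- a/build/scripts/sshd.start
+++ b/build/scripts/sshd.start
@@ -79,11 +79,10 @@ fi
 mkdir /var/tmp/ssh
 chmod 755 /var/tmp/ssh
 
-# Generate SSH Host keys
-$sshd_libdir/ssh-keygen -q -N "" -t dsa -f /var/tmp/ssh/ssh_host_dsa_key && \
-$sshd_libdir/ssh-keygen -q -N "" -t rsa -b 4096 -f /var/tmp/ssh/ssh_host_rsa_key && \
-$sshd_libdir/ssh-keygen -q -N "" -t ecdsa -f /var/tmp/ssh/ssh_host_ecdsa_key && \
-$sshd_libdir/ssh-keygen -q -N "" -t ed25519 -f /var/tmp/ssh/ssh_host_ed25519_key
+echo 'Generating SSH host keys ..'
+$sshd_libdir/ssh-keygen -q -N "" -t rsa -b 4096 -f /var/tmp/ssh/ssh_host_rsa_key || true
+$sshd_libdir/ssh-keygen -q -N "" -t ecdsa -f /var/tmp/ssh/ssh_host_ecdsa_key || true
+$sshd_libdir/ssh-keygen -q -N "" -t ed25519 -f /var/tmp/ssh/ssh_host_ed25519_key || true
 
 # Ensure appropriate permissions
 chmod 600 /var/tmp/ssh/ssh_host_* /sshd/sshd_config
@@ -107,10 +106,12 @@ sed -i \
 # Use keys that have been configured, and generate them otherwise
 mkdir -p $HOME/.ssh
 if [ -f /etc/ssh/dwo_ssh_key.pub ]; then
+echo 'Using pre-configured SSH client key.'
 cp /etc/ssh/dwo_ssh_key.pub $HOME/.ssh/authorized_keys
 else
-$sshd_libdir/ssh-keygen -q -N '' -t ed25519 -f /sshd/ssh_client_ed25519_key
-cp /sshd/ssh_client_ed25519_key.pub $HOME/.ssh/authorized_keys
+echo 'Generating SSH client key..'
+$sshd_libdir/ssh-keygen -q -N '' -t ecdsa -f /sshd/ssh_client_key
+cp /sshd/ssh_client_key.pub $HOME/.ssh/authorized_keys
 fi
 
 cp /sshd/sshd_config /var/tmp/ssh/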
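Review bot: The three `|| true` guards on the host-key ssh-keygen lines in the first hunk make every failure silent — `-q` already suppresses ssh-keygen's own diagnostics — so if all three algorithms are rejected under FIPS the script continues to `chmod 600 /var/tmp/ssh/ssh_host_*` with nothing to match and sshd is later started with no HostKey at all, with no log line saying why. I would report each failed generation on stderr instead of discarding it, and stop after the block when no host key file exists, since sshd cannot serve any client without one. The ecdsa client-key line in the second hunk has no `|| true`, so a FIPS rejection there behaves differently (aborting under `set -e`, or otherwise letting the following `cp` fail on a missing `.pub`); the same per-command reporting would make that case visible too. Whether the script runs under `set -e` is not visible on this page.
```shell
echo 'Generating SSH host keys ..'
$sshd_libdir/ssh-keygen -q -N "" -t rsa -b 4096 -f /var/tmp/ssh/ssh_host_rsa_key || echo 'WARNING: rsa host key not generated' >&2
$sshd_libdir/ssh-keygen -q -N "" -t ecdsa -f /var/tmp/ssh/ssh_host_ecdsa_key || echo 'WARNING: ecdsa host key not generated' >&2
$sshd_libdir/ssh-keygen -q -N "" -t ed25519 -f /var/tmp/ssh/ssh_host_ed25519_key || echo 'WARNING: ed25519 host key not generated' >&2
# sshd needs at least one host key; stop here rather than start without any
if ! ls /var/tmp/ssh/ssh_host_*_key >/dev/null 2>&1; then
  echo 'ERROR: no SSH host key could be generated' >&2
  exit 1
fi
# … unchanged: permissions, sed, and client-key handling …
```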
