keystored CHANGE generate new SSH hostkey, do not use the OpenSSH one

Fixes #337

Author: michalvasko

keystored/CMakeLists.txt

@@ -131,10 +131,17 @@ endif()
 
 option(SSH_KEY_INSTALL "Enable ssh key import" ON)
 if (SSH_KEY_INSTALL)
+    if (NOT SSH_KEYGEN_EXECUTABLE)
+        find_program(SSH_KEYGEN_EXECUTABLE ssh-keygen)
+    endif()
+    if (NOT SSH_KEYGEN_EXECUTABLE)
+        message(FATAL_ERROR "Unable to find ssh-keygen, set SSH_KEYGEN_EXECUTABLE manually.")
+    endif()
     install(CODE "
         set(ENV{SYSREPOCFG} ${SYSREPOCFG_EXECUTABLE})
         set(ENV{CHMOD} ${CHMOD_EXECUTABLE})
         set(ENV{OPENSSL} ${OPENSSL_EXECUTABLE})
+        set(ENV{SSH_KEYGEN} ${SSH_KEYGEN_EXECUTABLE})
         set(ENV{KEYSTORED_KEYS_DIR} ${KEYSTORED_KEYS_DIR})
         set(ENV{KEYSTORED_CHECK_SSH_KEY} ${KEYSTORED_CHECK_SSH_KEY})
         execute_process(COMMAND ${CMAKE_CURRENT_SOURCE_DIR}/scripts/ssh-key-import.sh)")

keystored/keystored.c

@@ -137,7 +137,7 @@ ks_privkey_get_cb(const char *xpath, sr_val_t **values, size_t *values_cnt, uint
     }
     name += 18;
 
-    if (asprintf(&path, "%s/%.*s.pub.pem", KEYSTORED_KEYS_DIR, (int)(strchr(name, '\'') - name), name) == -1) {
+    if (asprintf(&path, "%s/%.*s.pem.pub", KEYSTORED_KEYS_DIR, (int)(strchr(name, '\'') - name), name) == -1) {
         SRP_LOG_ERR("Memory allocation failed (%s:%d).", __FILE__, __LINE__);
         return SR_ERR_NOMEM;
     }
@@ -337,7 +337,7 @@ ks_privkey_gen_cb(const char *UNUSED(xpath), const sr_node_t *input, const size_
         goto cleanup;
     }
     sprintf(priv_path, "%s/%s.pem", KEYSTORED_KEYS_DIR, input[0].data.string_val);
-    sprintf(pub_path, "%s/%s.pub.pem", KEYSTORED_KEYS_DIR, input[0].data.string_val);
+    sprintf(pub_path, "%s/%s.pem.pub", KEYSTORED_KEYS_DIR, input[0].data.string_val);
 
     if (!(pid = fork())) {
         /* child */
@@ -451,7 +451,7 @@ ks_privkey_load_cb(const char *UNUSED(xpath), const sr_node_t *input, const size
         goto cleanup;
     }
     sprintf(priv_path, "%s/%s.pem", KEYSTORED_KEYS_DIR, input[0].data.string_val);
-    sprintf(pub_path, "%s/%s.pub.pem", KEYSTORED_KEYS_DIR, input[0].data.string_val);
+    sprintf(pub_path, "%s/%s.pem.pub", KEYSTORED_KEYS_DIR, input[0].data.string_val);
 
     fd = open(priv_path, O_CREAT | O_TRUNC | O_WRONLY, 00600);
     if (fd == -1) {

keystored/scripts/ssh-key-import.sh

@@ -9,6 +9,7 @@ local_path=$(dirname $0)
 : ${SYSREPOCFG:=sysrepocfg}
 : ${CHMOD:=chmod}
 : ${OPENSSL:=openssl}
+: ${SSH_KEYGEN:=ssh-keygen}
 : ${STOCK_KEY_CONFIG:=$local_path/../stock_key_config.xml}
 : ${KEYSTORED_KEYS_DIR:=/etc/keystored/keys}
 
@@ -21,13 +22,14 @@ if [ $KEYSTORED_CHECK_SSH_KEY -eq 0 ]; then
     echo "- Warning: Assuming that an external script will provide the SSH key in a PEM format at \"${KEYSTORED_KEYS_DIR}/ssh_host_rsa_key.pem\"."
     echo "- Importing ietf-keystore stock key configuration..."
     $SYSREPOCFG -d startup -i ${STOCK_KEY_CONFIG} ietf-keystore
-elif [ -r /etc/ssh/ssh_host_rsa_key ]; then
-    cp /etc/ssh/ssh_host_rsa_key ${KEYSTORED_KEYS_DIR}/ssh_host_rsa_key.pem
+else
+    if [ -r ${KEYSTORED_KEYS_DIR}/ssh_host_rsa_key.pem -a -r ${KEYSTORED_KEYS_DIR}/ssh_host_rsa_key.pem.pub ]; then
+        echo "- SSH hostkey found, no need to generate a new one."
+    else
+        echo "- SSH hostkey not found, generating a new one..."
+        $SSH_KEYGEN -m pem -t rsa -q -N "" -f ${KEYSTORED_KEYS_DIR}/ssh_host_rsa_key.pem
+    fi
     $CHMOD go-rw ${KEYSTORED_KEYS_DIR}/ssh_host_rsa_key.pem
-    $OPENSSL rsa -pubout -in ${KEYSTORED_KEYS_DIR}/ssh_host_rsa_key.pem \
-        -out ${KEYSTORED_KEYS_DIR}/ssh_host_rsa_key.pub.pem
     echo "- Importing ietf-keystore stock key configuration..."
     $SYSREPOCFG -d startup -i ${STOCK_KEY_CONFIG} ietf-keystore
-else
-    echo "- Warning: Cannot read the SSH hostkey at /etc/ssh/ssh_host_rsa_key, skipping."
 fi