confd: fix SSH host key generation warnings

troglobit · troglobit · commit a6a4e1e2308f · 2025-12-01T13:39:31.000+01:00
Fix PEM file reconstruction issues that caused "unrecognised raw private key format" errors during system boot: 1. Fix base64 content formatting with proper 64-character line wrapping using printf+fold instead of echo 2. Use generic PKCS#8 headers (BEGIN PRIVATE KEY) instead of PKCS#1 RSA-specific headers, maintaining support for future key types like ECDSA 3. Update ssh-keygen format flag to PKCS8 for correct conversion 4. Skip gen_hostkey() when keys are empty to prevent invalid PEM import attempts Fixes #1289 Signed-off-by: Joachim Wiberg <troglobit@gmail.com>
diff --git a/board/common/rootfs/usr/libexec/infix/mkkeys b/board/common/rootfs/usr/libexec/infix/mkkeys
@@ -8,7 +8,8 @@ PUB=$2
 
 mkdir -p "$(dirname "$KEY")" "$(dirname "$PUB")"
 
+# openssl genpkey -quiet -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -outform PEM
 openssl genpkey -quiet -algorithm RSA -pkeyopt rsa_keygen_bits:$BIT -outform PEM > "$KEY"
-openssl rsa -RSAPublicKey_out < "$KEY" > "$PUB"
+openssl pkey -pubout < "$KEY" 2>/dev/null > "$PUB"
 
 exit 0
diff --git a/board/common/rootfs/usr/libexec/infix/mksshkey b/board/common/rootfs/usr/libexec/infix/mksshkey
@@ -1,24 +1,29 @@
-#!/bin/bash
-# Store and convert RSA PUBLIC/PRIVATE KEYs to be able to use them in
-# OpenSSHd.
+#!/bin/sh
+# Generate OpenSSH host key pair from same keys as NETCONF
 set -e
+umask 0077
 
 NAME="$1"
 DIR="$2"
 PUBLIC="$3"
 PRIVATE="$4"
 TMP="$(mktemp)"
 
-echo -e '-----BEGIN RSA PRIVATE KEY-----' > "$DIR/$NAME"
-echo "$PRIVATE" >> "$DIR/$NAME"
-echo -e '-----END RSA PRIVATE KEY-----' >> "$DIR/$NAME"
+{
+	echo '-----BEGIN PRIVATE KEY-----'
+	printf '%s\n' "$PRIVATE" | fold -w 64
+	echo '-----END PRIVATE KEY-----'
+} > "$DIR/$NAME"
 
-echo -e "-----BEGIN RSA PUBLIC KEY-----" > "$TMP"
-echo -e "$PUBLIC" >> "$TMP"
-echo -e "-----END RSA PUBLIC KEY-----" >> "$TMP"
+{
+	echo "-----BEGIN PUBLIC KEY-----"
+	printf '%s\n' "$PUBLIC" | fold -w 64
+	echo "-----END PUBLIC KEY-----"
+} > "$TMP"
 
-ssh-keygen -i -m PKCS8 -f "$TMP" > "$DIR/$NAME.pub"
+ssh-keygen -i -f "$TMP" -m PKCS8 > "$DIR/$NAME.pub"
 rm "$TMP"
+
 chmod 0600 "$DIR/$NAME.pub"
 chmod 0600 "$DIR/$NAME"
 chown sshd:sshd "$DIR/$NAME.pub"
diff --git a/doc/ChangeLog.md b/doc/ChangeLog.md
@@ -3,7 +3,7 @@ Change Log
 
 All notable changes to the project are documented in this file.
 
-[v25.11.0][] - 2025-11-28
+[v25.11.0][UNRELEASED]
 -------------------------
 
 > [!NOTE]
@@ -79,6 +79,7 @@ All notable changes to the project are documented in this file.
   existing invalid configurations are automatically corrected during upgrade
 - Fix #1255: serious regression in boot time, introduced in v25.10, delays the
   boot step "Mounting filesystems ...", from 30 seconds up to five minutes!
+- Fix #1289: SSH host key generation warning at boot after factory reset
 - Fix broken intra-document links in container and tunnel documentation
 
 [latest-boot]: https://github.com/kernelkit/infix/releases/latest-boot
diff --git a/src/confd/src/keystore.c b/src/confd/src/keystore.c
@@ -64,7 +64,8 @@ static int gen_hostkey(const char *name, struct lyd_node *change)
 		rc = SR_ERR_INTERNAL;
 	}
 
-	if (systemf("/usr/libexec/infix/mksshkey %s %s %s %s", name, SSH_HOSTKEYS_NEXT, public_key, private_key))
+	if (systemf("/usr/libexec/infix/mksshkey %s %s %s %s", name,
+		    SSH_HOSTKEYS_NEXT, public_key, private_key))
 		rc = SR_ERR_INTERNAL;
 
 	return rc;
@@ -156,7 +157,7 @@ static int keystore_update(sr_session_ctx_t *session, struct lyd_node *config, s
 }
 
 int keystore_change(sr_session_ctx_t *session, struct lyd_node *config, struct lyd_node *diff,
-			 sr_event_t event, struct confd *confd)
+		    sr_event_t event, struct confd *confd)
 {
 	struct lyd_node *changes, *change;
 	int rc = SR_ERR_OK;
@@ -189,6 +190,7 @@ int keystore_change(sr_session_ctx_t *session, struct lyd_node *config, struct l
 	changes = lydx_get_descendant(config, "keystore", "asymmetric-keys", "asymmetric-key", NULL);
 	LYX_LIST_FOR_EACH(changes, change, "asymmetric-key") {
 		const char *name = lydx_get_cattr(change, "name");
+		const char *private_key, *public_key;
 		const char *type;
 
 		type = lydx_get_cattr(change, "private-key-format");
@@ -203,6 +205,12 @@ int keystore_change(sr_session_ctx_t *session, struct lyd_node *config, struct l
 			continue;
 		}
 
+		/* Only generate hostkey if both keys exist */
+		private_key = lydx_get_cattr(change, "cleartext-private-key");
+		public_key = lydx_get_cattr(change, "public-key");
+		if (!private_key || !public_key || !*private_key || !*public_key)
+			continue;
+
 		gen_hostkey(name, change);
 	}
 
