Merge pull request #1290 from kernelkit/hostkey-warning

troglobit · web-flow · commit cd0a5f306375 · 2025-12-02T10:59:57.000+01:00
Fix SSH host key generation warnings
diff --git a/board/common/rootfs/usr/libexec/infix/mkkeys b/board/common/rootfs/usr/libexec/infix/mkkeys
@@ -8,7 +8,8 @@ PUB=$2
 
 mkdir -p "$(dirname "$KEY")" "$(dirname "$PUB")"
 
+# openssl genpkey -quiet -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -outform PEM
 openssl genpkey -quiet -algorithm RSA -pkeyopt rsa_keygen_bits:$BIT -outform PEM > "$KEY"
-openssl rsa -RSAPublicKey_out < "$KEY" > "$PUB"
+openssl rsa -RSAPublicKey_out < "$KEY" 2>/dev/null > "$PUB"
 
 exit 0
diff --git a/board/common/rootfs/usr/libexec/infix/mksshkey b/board/common/rootfs/usr/libexec/infix/mksshkey
@@ -1,24 +1,29 @@
-#!/bin/bash
-# Store and convert RSA PUBLIC/PRIVATE KEYs to be able to use them in
-# OpenSSHd.
+#!/bin/sh
+# Generate OpenSSH host key pair from same keys as NETCONF
 set -e
+umask 0077
 
 NAME="$1"
 DIR="$2"
 PUBLIC="$3"
 PRIVATE="$4"
 TMP="$(mktemp)"
 
-echo -e '-----BEGIN RSA PRIVATE KEY-----' > "$DIR/$NAME"
-echo "$PRIVATE" >> "$DIR/$NAME"
-echo -e '-----END RSA PRIVATE KEY-----' >> "$DIR/$NAME"
+{
+	echo '-----BEGIN PRIVATE KEY-----'
+	printf '%s\n' "$PRIVATE" | fold -w 64
+	echo '-----END PRIVATE KEY-----'
+} > "$DIR/$NAME"
 
-echo -e "-----BEGIN RSA PUBLIC KEY-----" > "$TMP"
-echo -e "$PUBLIC" >> "$TMP"
-echo -e "-----END RSA PUBLIC KEY-----" >> "$TMP"
+{
+	echo "-----BEGIN RSA PUBLIC KEY-----"
+	printf '%s\n' "$PUBLIC" | fold -w 64
+	echo "-----END RSA PUBLIC KEY-----"
+} > "$TMP"
 
-ssh-keygen -i -m PKCS8 -f "$TMP" > "$DIR/$NAME.pub"
+ssh-keygen -i -f "$TMP" -m PKCS8 > "$DIR/$NAME.pub"
 rm "$TMP"
+
 chmod 0600 "$DIR/$NAME.pub"
 chmod 0600 "$DIR/$NAME"
 chown sshd:sshd "$DIR/$NAME.pub"
diff --git a/doc/ChangeLog.md b/doc/ChangeLog.md
@@ -3,7 +3,7 @@ Change Log
 
 All notable changes to the project are documented in this file.
 
-[v25.11.0][] - 2025-11-28
+[v25.11.0][UNRELEASED]
 -------------------------
 
 > [!NOTE]
@@ -82,6 +82,7 @@ All notable changes to the project are documented in this file.
   existing invalid configurations are automatically corrected during upgrade
 - Fix #1255: serious regression in boot time, introduced in v25.10, delays the
   boot step "Mounting filesystems ...", from 30 seconds up to five minutes!
+- Fix #1289: SSH host key generation warning at boot after factory reset
 - Fix broken intra-document links in container and tunnel documentation
 - Fix `show dhcp-server` command crashing with invalid timestamp format.
   DHCP lease expiry timestamps had double timezone suffix causing libyang
diff --git a/src/confd/src/keystore.c b/src/confd/src/keystore.c
@@ -59,12 +59,17 @@ static int gen_hostkey(const char *name, struct lyd_node *change)
 	private_key = lydx_get_cattr(change, "cleartext-private-key");
 	public_key = lydx_get_cattr(change, "public-key");
 
+	/* Validate keys before use */
+	if (!private_key || !public_key || !*private_key || !*public_key)
+		return SR_ERR_OK;
+
 	if (mkdir(SSH_HOSTKEYS_NEXT, 0600) && (errno != EEXIST)) {
 		ERRNO("Failed creating %s", SSH_HOSTKEYS_NEXT);
 		rc = SR_ERR_INTERNAL;
 	}
 
-	if (systemf("/usr/libexec/infix/mksshkey %s %s %s %s", name, SSH_HOSTKEYS_NEXT, public_key, private_key))
+	if (systemf("/usr/libexec/infix/mksshkey %s %s %s %s", name,
+		    SSH_HOSTKEYS_NEXT, public_key, private_key))
 		rc = SR_ERR_INTERNAL;
 
 	return rc;
@@ -156,7 +161,7 @@ static int keystore_update(sr_session_ctx_t *session, struct lyd_node *config, s
 }
 
 int keystore_change(sr_session_ctx_t *session, struct lyd_node *config, struct lyd_node *diff,
-			 sr_event_t event, struct confd *confd)
+		    sr_event_t event, struct confd *confd)
 {
 	struct lyd_node *changes, *change;
 	int rc = SR_ERR_OK;
