confd: fix SSH host key generation warnings

troglobit · troglobit · commit f51c7d9dc33a · 2025-12-01T10:46:57.000+01:00
Fix several issues in SSH host key generation and import that caused warnings in system logs: 1. mkkeys: Switch from openssl genpkey (PKCS#8) to genrsa (PKCS#1) to match the expected format in mksshkey 2. mksshkey: Fix PEM file reconstruction by properly formatting base64 content with 64-character line wrapping using printf+fold. The previous approach concatenated the END marker to the last base64 line, causing "unrecognised raw private key format" errors 3. mksshkey: Correct ssh-keygen format flag from PKCS8 to PEM for public key conversion 4. confd:keystore.c: Skip gen_hostkey() when keys are empty to prevent attempting to import invalid PEM files during SR_EV_UPDATE events before keys are populated in the config tree 5. mksshkey: Convert from bash to POSIX sh (no bashisms were used) This eliminates the "do_convert_from_pem: unrecognised raw private key format" error messages during system boot and SSH key configuration. Fixes #1289 Signed-off-by: Joachim Wiberg <troglobit@gmail.com>
diff --git a/board/common/rootfs/usr/libexec/infix/mkkeys b/board/common/rootfs/usr/libexec/infix/mkkeys
@@ -8,7 +8,7 @@ PUB=$2
 
 mkdir -p "$(dirname "$KEY")" "$(dirname "$PUB")"
 
-openssl genpkey -quiet -algorithm RSA -pkeyopt rsa_keygen_bits:$BIT -outform PEM > "$KEY"
-openssl rsa -RSAPublicKey_out < "$KEY" > "$PUB"
+openssl genrsa -traditional $BIT 2>/dev/null > "$KEY"
+openssl rsa -RSAPublicKey_out < "$KEY" 2>/dev/null > "$PUB"
 
 exit 0
diff --git a/board/common/rootfs/usr/libexec/infix/mksshkey b/board/common/rootfs/usr/libexec/infix/mksshkey
@@ -1,24 +1,28 @@
-#!/bin/bash
-# Store and convert RSA PUBLIC/PRIVATE KEYs to be able to use them in
-# OpenSSHd.
+#!/bin/sh
 set -e
+umask 0077
 
 NAME="$1"
 DIR="$2"
 PUBLIC="$3"
 PRIVATE="$4"
 TMP="$(mktemp)"
 
-echo -e '-----BEGIN RSA PRIVATE KEY-----' > "$DIR/$NAME"
-echo "$PRIVATE" >> "$DIR/$NAME"
-echo -e '-----END RSA PRIVATE KEY-----' >> "$DIR/$NAME"
+{
+	echo '-----BEGIN RSA PRIVATE KEY-----'
+	printf '%s\n' "$PRIVATE" | fold -w 64
+	echo '-----END RSA PRIVATE KEY-----'
+} > "$DIR/$NAME"
 
-echo -e "-----BEGIN RSA PUBLIC KEY-----" > "$TMP"
-echo -e "$PUBLIC" >> "$TMP"
-echo -e "-----END RSA PUBLIC KEY-----" >> "$TMP"
+{
+	echo "-----BEGIN RSA PUBLIC KEY-----"
+	printf '%s\n' "$PUBLIC" | fold -w 64
+	echo "-----END RSA PUBLIC KEY-----"
+} > "$TMP"
 
-ssh-keygen -i -m PKCS8 -f "$TMP" > "$DIR/$NAME.pub"
+ssh-keygen -i -f "$TMP" -m PEM > "$DIR/$NAME.pub"
 rm "$TMP"
+
 chmod 0600 "$DIR/$NAME.pub"
 chmod 0600 "$DIR/$NAME"
 chown sshd:sshd "$DIR/$NAME.pub"
diff --git a/doc/ChangeLog.md b/doc/ChangeLog.md
@@ -71,6 +71,7 @@ All notable changes to the project are documented in this file.
 
 ### Fixes
 
+- Fix #1289: SSH host key generation warning at boot after factory reset
 - Fix #855: User admin sometimes fails to be added to `wheel` group
 - Fix #1112: setting hostname via DHCP client sometimes gets overridden by the
   configured system hostname
diff --git a/src/confd/src/keystore.c b/src/confd/src/keystore.c
@@ -64,7 +64,8 @@ static int gen_hostkey(const char *name, struct lyd_node *change)
 		rc = SR_ERR_INTERNAL;
 	}
 
-	if (systemf("/usr/libexec/infix/mksshkey %s %s %s %s", name, SSH_HOSTKEYS_NEXT, public_key, private_key))
+	if (systemf("/usr/libexec/infix/mksshkey %s %s %s %s", name,
+		    SSH_HOSTKEYS_NEXT, public_key, private_key))
 		rc = SR_ERR_INTERNAL;
 
 	return rc;
@@ -156,7 +157,7 @@ static int keystore_update(sr_session_ctx_t *session, struct lyd_node *config, s
 }
 
 int keystore_change(sr_session_ctx_t *session, struct lyd_node *config, struct lyd_node *diff,
-			 sr_event_t event, struct confd *confd)
+		    sr_event_t event, struct confd *confd)
 {
 	struct lyd_node *changes, *change;
 	int rc = SR_ERR_OK;
@@ -189,6 +190,7 @@ int keystore_change(sr_session_ctx_t *session, struct lyd_node *config, struct l
 	changes = lydx_get_descendant(config, "keystore", "asymmetric-keys", "asymmetric-key", NULL);
 	LYX_LIST_FOR_EACH(changes, change, "asymmetric-key") {
 		const char *name = lydx_get_cattr(change, "name");
+		const char *private_key, *public_key;
 		const char *type;
 
 		type = lydx_get_cattr(change, "private-key-format");
@@ -203,6 +205,12 @@ int keystore_change(sr_session_ctx_t *session, struct lyd_node *config, struct l
 			continue;
 		}
 
+		/* Only generate hostkey if both keys exist */
+		private_key = lydx_get_cattr(change, "cleartext-private-key");
+		public_key = lydx_get_cattr(change, "public-key");
+		if (!private_key || !public_key || !*private_key || !*public_key)
+			continue;
+
 		gen_hostkey(name, change);
 	}
 
