authorbrent s <bts@square-r00t.net>2020-03-13 02:34:49 -0400
committerbrent s <bts@square-r00t.net>2020-03-13 02:34:49 -0400
commit31eec2d3f343508176f9c8fdcdf00e97b3fd8c6b (patch)
treefd6b6fa5dfba1ab7111230052b290510e172c91c
parentfcc2cb674f80052e58948b63d9ea88bf9dcf44be (diff)
downloadOpTools-31eec2d3f343508176f9c8fdcdf00e97b3fd8c6b.tar.xz
fix for sshsecure on ssh versions 8.1+
-rw-r--r--aif/scripts/post/sshsecure.py33
1 files changed, 25 insertions, 8 deletions
diff --git a/aif/scripts/post/sshsecure.py b/aif/scripts/post/sshsecure.py
index aa0d10a..fb7e1fb 100644
--- a/aif/scripts/post/sshsecure.py
+++ b/aif/scripts/post/sshsecure.py
@@ -119,9 +119,14 @@ ssh_ver = float(re.sub('^(Open|Sun_)SSH_([0-9\.]+)(p[0-9]+)?,.*$', '\g<2>', ssh_
if ssh_ver >= magic_ver:
has_ed25519 = True
supported_keys = ('ed25519', 'rsa')
+ new_moduli = False
else:
has_ed25519 = False
supported_keys = ('rsa', )
+ new_moduli = False
+# https://github.com/openssh/openssh-portable/commit/3e60d18fba1b502c21d64fc7e81d80bcd08a2092
+if ssh_ver >= 8.1:
+ new_moduli = True
conf_options = {}
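Review bot: The `ssh_ver >= 8.1` gate may be one release early. As far as I can tell, the linked upstream change (replacing `-G`/`-T` with `-M generate`/`-M screen`) first shipped in OpenSSH 8.2, so the threshold should be confirmed against the release notes; if that is right, a host on exactly 8.1 would take the new path and ssh-keygen would reject the options. Separately, `new_moduli = False` is assigned in both branches above and then overridden, so a single `new_moduli = ssh_ver >= 8.1` (with the confirmed threshold) after the if/else would say the same thing. Because ssh_ver is parsed as a float (per the hunk header), a two-digit minor version would compare incorrectly; comparing a tuple of ints would be sturdier.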
@@ -175,14 +180,26 @@ def hostKeys(buildmoduli):
subprocess.run(['haveged'], stdout = devnull)
#Warning: The moduli stuff takes a LONG time to run. Hours.
if buildmoduli:
- subprocess.run(['ssh-keygen',
- '-G', '/etc/ssh/moduli.all',
- '-b', '4096',
- '-q'])
- subprocess.run(['ssh-keygen',
- '-T', '/etc/ssh/moduli.safe',
- '-f', '/etc/ssh/moduli.all',
- '-q'])
+ if not new_moduli:
+ subprocess.run(['ssh-keygen',
+ '-G', '/etc/ssh/moduli.all',
+ '-b', '4096',
+ '-q'])
+ subprocess.run(['ssh-keygen',
+ '-T', '/etc/ssh/moduli.safe',
+ '-f', '/etc/ssh/moduli.all',
+ '-q'])
+ else:
+ subprocess.run(['ssh-keygen',
+ '-q',
+ '-M', 'generate',
+ '-O', 'bits=4096',
+ '/etc/ssh/moduli.all'])
+ subprocess.run(['ssh-keygen',
+ '-q',
+ '-M', 'screen',
+ '-f', '/etc/ssh/moduli.all',
+ '/etc/ssh/moduli.safe'])
if os.path.lexists('/etc/ssh/moduli'):
os.rename('/etc/ssh/moduli', '/etc/ssh/moduli.old')
os.rename('/etc/ssh/moduli.safe', '/etc/ssh/moduli')
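Review bot: Neither `ssh-keygen` invocation has its exit status checked, so a failed generate or screen step still reaches the renames in the context lines below. In that case `/etc/ssh/moduli` is moved to `moduli.old` and the script either raises mid-swap or installs an incomplete `moduli.safe`, leaving the host without a usable custom moduli file. Passing `check = True` to each `subprocess.run` (in both the old `-G`/`-T` branch and the new `-M` branch), and confirming `/etc/ssh/moduli.safe` exists and is non-empty before the renames, would keep the existing moduli in place on failure. hostKeys starts before and continues after this hunk, so any handling further down is not visible here.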