Date: Mon, 27 Jul 2009 10:54:35 -0700
From: Andrew Sharp <andy.sharp@onstor.com>
To: Larry Scheer <larry.scheer@onstor.com>
Subject: Re: Please review change 32924 ssh hostkey fix for new version of
 ssh
Message-ID: <20090727105435.73c864dd@ripper.onstor.net>
In-Reply-To: <102AB4F33EBBDB4C91915B145C8E9FB3137CE45344@exch1.onstor.net>
References: <102AB4F33EBBDB4C91915B145C8E9FB3137CE45344@exch1.onstor.net>
Organization: Onstor
X-Mailer: Sylpheed-Claws 2.6.0 (GTK+ 2.8.20; x86_64-pc-linux-gnu)
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit

On Fri, 24 Jul 2009 17:07:24 -0700 Larry Scheer
<larry.scheer@onstor.com> wrote:

> Andy,
>    Please check this change not only for correctness but also verify
> that my logic is sound.
> 
> What I am doing is touching a file in /etc/default after the ssh key
> check (and fix) is done.
> 
> I check for ssh-vulnkey (if it is not there then openssh 4.3p2-9etch3
> is not installed) and I check that the file I touch is not there. If
> both conditions are met I check the host keys for vulnerability and
> regenerate them if needed. After the check I touch the file
> in /etc/default so this check is only run once.
> 
> Let me know what you think,
> 
> Thanks,
> 
> Larry
> 
> 
> Change 32924 by larrys@larrys on 2009/07/21 12:26:42 *pending*
> 
>         Add check for broken ssh host keys in /etc/ssh and replace
> keys if needed. This fix is needed when upgrading to openssh server
> version 4.3p2-9etch3.
>         Reviewed by: AndyS
> 
> Affected files ...
> 
> ... //depot/dev/linux/rootfs/etc/init.d/ssh#1 edit

The idea seems sound to me.  Here are my comments:

linux/rootfs/etc/init.d/ssh

     line 47 I would adjust the logic flow just a bit in this function,
     something like

     # Fast path: once the stamp file exists there is nothing to do.
     if [ -f /etc/default/.hostkeycheck ] ; then
         return
     fi
     # Debian installs ssh-vulnkey as /usr/bin/ssh-vulnkey; a bare
     # "ssh-vulnkey" here would only test the current directory.
     if [ -x /usr/bin/ssh-vulnkey ] ; then
         ...
     fi

     That would make it return faster once it's been upgraded already.

     line 61, you don't want to use your nifty "record" function? ~:^)

     line 54/56 I would add some indenting here to help readability

     Also, you might consider making .hostkeycheck readonly so it's
     harder to delete and like that.
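The one-shot check the thread describes, written out as an added example. This is not the Onstor init.d script from change 32924; it assumes ssh-vulnkey lives at /usr/bin/ssh-vulnkey, ssh-keygen at /usr/bin/ssh-keygen, the host keys in /etc/ssh, and a stamp file /etc/default/.hostkeycheck (all overridable through the environment). The `record` helper is a hypothetical stand-in for the script's own logging function, and the match on a "COMPROMISED:" line in ssh-vulnkey's output is an assumption about its report format rather than something the thread states.

```shell
#!/bin/sh
# Added example (not the Onstor init script): check the OpenSSH host
# keys once against the Debian ssh-vulnkey blacklist, regenerate any
# that are flagged, then leave a read-only stamp so the check is skipped
# on every later boot.
#
# Assumptions, overridable from the environment:
VULNKEY=${VULNKEY:-/usr/bin/ssh-vulnkey}      # assumed path
KEYGEN=${KEYGEN:-/usr/bin/ssh-keygen}         # assumed path
KEYDIR=${KEYDIR:-/etc/ssh}                    # assumed key directory
MARKER=${MARKER:-/etc/default/.hostkeycheck}  # assumed stamp file

# record: hypothetical logging helper standing in for the script's own
# "record" function mentioned in the review.
record() {
    echo "hostkeycheck: $*" >&2
}

# key_is_compromised KEYFILE -> exit 0 if ssh-vulnkey flags the key.
# Assumption: blacklisted keys are reported on a line starting with
# "COMPROMISED:". Matching the output is preferred over the exit status
# alone so an unknown key type is not mistaken for a blacklisted one.
key_is_compromised() {
    "$VULNKEY" "$1" 2>/dev/null | grep -q '^COMPROMISED'
}

# regenerate_key KEYFILE TYPE: replace the key pair in place.
regenerate_key() {
    rm -f "$1" "$1.pub"
    "$KEYGEN" -q -t "$2" -N '' -f "$1" </dev/null
}

# check_host_keys prints exactly one word:
#   done      stamp already present (fast path, tested first)
#   skipped   ssh-vulnkey absent, so this is not the etch3 package yet
#   clean     every key checked, none blacklisted
#   replaced  at least one key was regenerated
check_host_keys() {
    if [ -f "$MARKER" ]; then
        echo done
        return 0
    fi
    if [ ! -x "$VULNKEY" ]; then
        echo skipped
        return 0
    fi
    status=clean
    for ktype in rsa dsa; do
        key="$KEYDIR/ssh_host_${ktype}_key"
        [ -f "$key" ] || continue
        if key_is_compromised "$key"; then
            record "$key is blacklisted, regenerating"
            regenerate_key "$key" "$ktype" || return 1
            status=replaced
        fi
    done
    # Stamp only after a successful pass so a failed regen is retried
    # next boot, and make the stamp read-only as the review suggests.
    : > "$MARKER"
    chmod 0444 "$MARKER"
    echo "$status"
}

# Invoke as "hostkeycheck.sh check" from the init script's start action;
# sourcing the file only defines the functions.
case "${1:-}" in
    check) check_host_keys ;;
esac
```

Note that `chmod 0444` only stops accidental deletion by unprivileged users; root (and the init script itself) can still remove the stamp, so the marker is a convenience, not a security boundary.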


