Date: Mon, 27 Jul 2009 16:01:25 -0700
From: Andrew Sharp <andy.sharp@onstor.com>
To: Larry Scheer <larry.scheer@onstor.com>
Subject: Re: Please review change 32924 ssh hostkey fix for new version of
 ssh
Message-ID: <20090727160125.2b47b04d@ripper.onstor.net>
In-Reply-To: <102AB4F33EBBDB4C91915B145C8E9FB3137CE45348@exch1.onstor.net>
References: <20090727105435.73c864dd@ripper.onstor.net>
	<102AB4F33EBBDB4C91915B145C8E9FB3137CE45348@exch1.onstor.net>
Organization: Onstor
X-Mailer: Sylpheed-Claws 2.6.0 (GTK+ 2.8.20; x86_64-pc-linux-gnu)
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit

On Mon, 27 Jul 2009 15:55:54 -0700 Larry Scheer
<larry.scheer@onstor.com> wrote:

> Changes have been made. I tried piping to the record function but
> that doesn't work so I am just teeing the output of the ssh-keygen
> command to the message. 
> 
> How do I get a bash function to work with input that is piped to it?

Think of a bash function as a program: it has to take its input from
stdin.  The basic idea is that it checks for an argument; if there
isn't one, then it tees stdin to wherever it wants it to go.  I'm sure
there's an example in one of the many shell scripts I've worked on at
onstor^Wlsi.  Probably in cw-install maybe if I'm lucky.

> -----Original Message-----
> From: Andy Sharp 
> Sent: Monday, July 27, 2009 10:55 AM
> To: Larry Scheer
> Subject: Re: Please review change 32924 ssh hostkey fix for new
> version of ssh
> 
> On Fri, 24 Jul 2009 17:07:24 -0700 Larry Scheer
> <larry.scheer@onstor.com> wrote:
> 
> > Andy,
> >    Please check this change not only for correctness but also verify
> > that my logic is sound.
> > 
> > What I am doing is touching a file in /etc/default after the ssh key
> > check (and fix) is done.
> > 
> > I check for ssh-vulnkey (if it is not there then openssh
> > 4.3p2-9etch3 is not installed) and I check if the file I touch is
> > not there. If both conditions are met I check the host keys for
> > vulnerability and regenerate them if needed. After the check I
> > touch the file in /etc/default so this check is only run once.
> > 
> > Let me know what you think,
> > 
> > Thanks,
> > 
> > Larry
> > 
> > 
> > Change 32924 by larrys@larrys on 2009/07/21 12:26:42 *pending*
> > 
> >         Add check for broken ssh host keys in /etc/ssh and replace
> > keys if needed. This fix is needed when upgrading to openssh server
> > version 4.3p2-9etch3.
> >         Reviewed by: AndyS
> > 
> > Affected files ...
> > 
> > ... //depot/dev/linux/rootfs/etc/init.d/ssh#1 edit
> 
> The idea seems sound to me.  Here's my comments:
> 
> linux/rootfs/etc/init.d/ssh
> 
>      line 47 i would adjust the logic flow just a bit in this
> function, something like
> 
>      if [ -f /etc/default/.hostkeycheck ] ; then
>          return;
>      fi
>      if command -v ssh-vulnkey >/dev/null 2>&1 ; then
>          ...
>      fi
> 
>      That would make it return faster once it's been upgraded already.
> 
>      line 61, you don't want to use your nifty "record" function? ~:^)
> 
>      line 54/56 i would add some indenting here to help readability
> 
>      Also, you might consider making .hostkeycheck readonly so it's
>      harder to delete and like that.
> 
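
An added example, not Onstor's /etc/init.d/ssh and not code from either message, that puts both halves of this thread into one runnable fragment: a record function that takes its text either as an argument or on stdin (so "some-command | record" works, as Larry was trying to do), and the one-shot host-key check in the order Andy suggested, marker test first. The file locations, the marker name /etc/default/.hostkeycheck, the ssh-vulnkey path and the assumption that "ssh-vulnkey -q" exits non-zero for a blacklisted key are all assumptions made for the example; they are variables so the functions can be exercised in a scratch directory.

```shell
#!/bin/sh
# Added example, not Onstor's init script.  Paths and names are assumptions;
# they are variables so the functions can be exercised in a scratch directory.
: "${SSH_DIR:=/etc/ssh}"
: "${MARKER:=/etc/default/.hostkeycheck}"
: "${VULNKEY:=/usr/bin/ssh-vulnkey}"
: "${KEYGEN:=ssh-keygen}"
: "${LOGFILE:=/var/log/ssh-hostkey-check.log}"

# record: append a message to the log, echoing it to stdout as well.
# Usable two ways:
#     record "text"          (argument form)
#     some-command | record  (pipe form)
# A shell function has a stdin like any other program; when called with
# no arguments it reads that instead of "$*".
record() {
    if [ $# -gt 0 ]; then
        printf '%s\n' "$*" | tee -a "$LOGFILE"
    else
        tee -a "$LOGFILE"
    fi
}

# check_hostkeys: one-shot check of the host keys after the openssh upgrade.
# Returns 0 when the check has run (now or on an earlier boot), 1 when
# ssh-vulnkey is not installed so nothing could be checked.
check_hostkeys() {
    # Cheapest test first: once the marker exists every later boot returns here.
    if [ -f "$MARKER" ]; then
        return 0
    fi
    # A bare "[ -x ssh-vulnkey ]" would look in the current directory,
    # so test the full path.
    if [ ! -x "$VULNKEY" ]; then
        record "$VULNKEY not found; host keys not checked"
        return 1
    fi
    for key in "$SSH_DIR"/ssh_host_*_key; do
        [ -f "$key" ] || continue
        # Assumption: ssh-vulnkey -q exits 0 for a key that is not in its
        # blacklist and non-zero otherwise.  Non-zero means "regenerate".
        if "$VULNKEY" -q "$key"; then
            record "$key: not blacklisted"
            continue
        fi
        record "$key: blacklisted, regenerating"
        ktype=${key##*/ssh_host_}; ktype=${ktype%_key}   # rsa, dsa, ...
        # Generate into a side file and only then replace the old key, so a
        # failed ssh-keygen run does not leave the host without a key.
        rm -f "$key.new" "$key.new.pub"
        # Pipe form of record: ssh-keygen's own output lands in the log too.
        if "$KEYGEN" -q -t "$ktype" -N '' -f "$key.new" 2>&1 | record && [ -s "$key.new" ]; then
            mv -f "$key.new" "$key" && mv -f "$key.new.pub" "$key.pub"
        else
            record "$key: regeneration failed, old key kept"
        fi
    done
    # Leave the marker so the check runs only once.  Read-only makes it a
    # little harder to remove by accident; root can still delete it.
    touch "$MARKER"
    chmod 444 "$MARKER"
    return 0
}

# Invoked as "sh this-script check" from the init script's start action.
case "${1:-}" in
    check) check_hostkeys ;;
esac
```

One consequence worth recording wherever the log goes: regenerating a host key changes the host's fingerprint, so every client that has the old key in its known_hosts will see the "remote host identification has changed" warning on its next connection. The record lines above are what tells an operator afterwards which keys were replaced and why.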
> 
