diff --git a/xCAT/postscripts/remoteshell b/xCAT/postscripts/remoteshell
index 986c9344b..a5250d542 100755
--- a/xCAT/postscripts/remoteshell
+++ b/xCAT/postscripts/remoteshell
@@ -313,6 +313,86 @@ if ssh-keygen -t ecdsa -f /tmp/ecdsa_key -P "" &>/dev/null ; then
 rm /tmp/ssh_ecdsa_hostkey
 fi
 
+# if node supports ed25519 host key then download the replacement from the MN/SN
+# remove the /tmp/ed25519_key first, otherwise the "ssh-keygen" below might hang
+# at waiting for user confirmation to overwritten the existing file
+rm -rf /tmp/ed25519_key >/dev/null 2>&1
+if ssh-keygen -t ed25519 -f /tmp/ed25519_key -P "" &>/dev/null ; then
+ # download the host ed25519 key
+ if [ $useflowcontrol = "1" ]; then
+ #first contact daemon xcatflowrequest 3001
+ logger -t $log_label -p local4.info "remoteshell: sending xcatflowrequest $master 3001"
+ /$xcatpost/xcatflowrequest $master 3001
+ rc=$?
+ logger -t $log_label -p local4.info "remoteshell:xcatflowrequest return=$rc"
+ if [ $rc -ne 0 ]; then
+ logger -t $log_label -p local4.info "remoteshell: error from xcatflowrequest, will not use flow control"
+ useflowcontrol=0
+ fi
+ fi
+
+ getcredentials.awk ssh_ed25519_hostkey | grep -E -v '|' | sed -e 's/<//' -e 's/&/&/' -e 's/"/"/' -e "s/'/'/" > /tmp/ssh_ed25519_hostkey
+
+ #check whether the message is an error or not
+ grep -E '' /tmp/ssh_ed25519_hostkey > /dev/null 2>&1
+ if [ $? -ne 0 ]; then
+ #the message received is the data we request
+ cat /tmp/ssh_ed25519_hostkey | grep -E -v '|/{0,1}data>||' >/etc/ssh/ssh_host_ed25519_key
+ logger -t $log_label -p local4.info ssh_ed25519_hostkey
+ MYCONT=`cat /etc/ssh/ssh_host_ed25519_key`
+ MAX_RETRIES=10
+ RETRY=0
+ while [ -z "$MYCONT" ]; do
+ # not using flow control , need to sleep
+ if [ $useflowcontrol = "0" ]; then
+ let SLI=$RANDOM%10
+ let SLI=SLI+10
+ sleep $SLI
+ fi
+ RETRY=$(($RETRY+1))
+ if [ $RETRY -eq $MAX_RETRIES ]
+ then
+ break
+ fi
+ if [ $useflowcontrol = "1" ]; then
+ #first contact daemon xcatflowrequest 3001
+ logger -t $log_label -p local4.info "remoteshell: sending xcatflowrequest $master 3001"
+ /$xcatpost/xcatflowrequest $master 3001
+ rc=$?
+ logger -t $log_label -p local4.info "remoteshell:xcatflowrequest return=$rc"
+ if [ $rc -ne 0 ]; then
+ logger -t $log_label -p local4.info "remoteshell: error from xcatflowrequest, will not use flow control"
+ useflowcontrol=0
+ fi
+ fi
+
+ getcredentials.awk ssh_ed25519_hostkey | grep -v '<'|sed -e 's/<//' -e 's/&/&/' -e 's/"/"/' -e "s/'/'/" > /etc/ssh/ssh_host_ed25519_key
+ MYCONT=`cat /etc/ssh/ssh_host_ed25519_key`
+ done
+ egrep -i "^ssh_keys:" /etc/group >/dev/null 2>&1 && chown root:ssh_keys /etc/ssh/ssh_host_ed25519_key 2>/dev/null && chmod 640 /etc/ssh/ssh_host_ed25519_key
+ if ! grep "PRIVATE KEY" /etc/ssh/ssh_host_ed25519_key > /dev/null 2>&1 ; then
+ rm /etc/ssh/ssh_host_ed25519_key
+ else
+ # Because of openssh version differs, provisioning errors may happen when MN support ed25519 while CN don't ed25519.
+ # Judge CN support ed25519 or not. "-t ed25519" indicate the key type, "-P "" " avoid hang-on and wait for input passphrase when CN don't support ed25519.
+ # If ture, means support ed25519, then generate corresponding key.pub.
+ # If false, remove ssh_host_ed25519_key useless file, to avoid future errors.
+ if ssh-keygen -t ed25519 -y -f /etc/ssh/ssh_host_ed25519_key -P "" &>/dev/null ; then
+ ssh-keygen -y -f /etc/ssh/ssh_host_ed25519_key -P "" > /etc/ssh/ssh_host_ed25519_key.pub
+ chmod 644 /etc/ssh/ssh_host_ed25519_key.pub
+ chown root /etc/ssh/ssh_host_ed25519_key.pub
+ else
+ rm -fr /etc/ssh/ssh_host_ed25519_key
+ fi
+ fi
+ else
+ #This is an error message
+ ERR_MSG=`sed -n 's%.*\(.*\).*%\1%p' /tmp/ssh_ed25519_hostkey`
+ logger -s -t $log_label -p local4.err Error: $ERR_MSG
+ fi
+ rm /tmp/ssh_ed25519_hostkey
+fi
+
 if [[ $NTYPE = service ]]; then
 mkdir -p /etc/xcat/hostkeys
 cp /etc/ssh/ssh* /etc/xcat/hostkeys/.
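Review bot: The private key file `/etc/ssh/ssh_host_ed25519_key` is created by plain `>` redirection (the `cat /tmp/ssh_ed25519_hostkey | grep -E -v ... >/etc/ssh/ssh_host_ed25519_key` line and the `getcredentials.awk ... > /etc/ssh/ssh_host_ed25519_key` line inside the retry loop), so its mode is whatever the umask gives, and the only tightening is the `egrep -i "^ssh_keys:" ... && chmod 640` chain, which is skipped entirely on hosts without an `ssh_keys` group; the intermediate copy in `/tmp/ssh_ed25519_hostkey` is written the same way into a shared directory and only removed at the end. Creating the target with a restrictive mode before the first write, `install -m 600 /dev/null /etc/ssh/ssh_host_ed25519_key`, and making `chmod 600 /etc/ssh/ssh_host_ed25519_key` unconditional after the `done` (keeping the `chown root:ssh_keys` / `chmod 640` step only when the group exists) removes the dependency on umask and group layout. On style, the xcatflowrequest block appears verbatim both before and inside the `while` loop and could be a single function, and the backtick command substitutions for `MYCONT` and `ERR_MSG` plus the `let SLI=...` arithmetic would read better as `$(...)` and `$(( ))`. The `grep -E '' /tmp/ssh_ed25519_hostkey` test and the `grep -E -v '|'` / `sed -e 's/<//'` filters look as though their XML tag and entity text was stripped in this rendering; if the committed file really reads this way, `grep -E ''` succeeds on any non-empty reply and the error branch is always taken, so that is worth confirming against the raw file.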