diff --git a/xCAT-server/sbin/xcatconfig b/xCAT-server/sbin/xcatconfig
index 04b4e6e2f2..4327ff09db 100755
--- a/xCAT-server/sbin/xcatconfig
+++ b/xCAT-server/sbin/xcatconfig
@@ -969,6 +969,10 @@ sub genSSHNodeHostKey
 #
 # generate new hostkeys
 #
+
+ my ($rlogin,$rpass,$ruid,$rgid) = getpwnam("root");
+ my ($sname, $spasswd,$sgid,$smembers)=getgrnam("ssh_keys");
+ my @sshkeylist;
 xCAT::MsgUtils->message('I', "Generating new node hostkeys...");
 xCAT::MsgUtils->message('I', "Generating SSH2 RSA Key...");
 my $cmd =
@@ -978,6 +982,10 @@ sub genSSHNodeHostKey
 {
 xCAT::MsgUtils->message('E', "Could not generate SSH2 RSA key.");
 }
+ else{
+ push @sshkeylist,"/etc/xcat/hostkeys/ssh_host_rsa_key";
+ }
+
 xCAT::MsgUtils->message('I', "Generating SSH2 DSA Key...");
 $cmd =
@@ -987,6 +995,9 @@ sub genSSHNodeHostKey
 {
 xCAT::MsgUtils->message('E', "Could not generate SSH2 DSA key.");
 }
+ else{
+ push @sshkeylist,"/etc/xcat/hostkeys/ssh_host_dsa_key";
+ }
 # see if this system supports the ecdsa
 xCAT::Utils->runcmd('rm -rf /tmp/ecdsa_key >/dev/null 2>&1 ; /usr/bin/ssh-keygen -t ecdsa -f /tmp/ecdsa_key -P "" &>/dev/null', 0);
@@ -999,8 +1010,17 @@ sub genSSHNodeHostKey
 {
 xCAT::MsgUtils->message('E', "Could not generate SSH2 ECDSA key.");
 }
+ else{
+ push @sshkeylist,"/etc/xcat/hostkeys/ssh_host_ecdsa_key";
+ }
 }
+ if(@sshkeylist){
+ if(defined $ruid && defined $sgid){
+ chown $ruid,$sgid,@sshkeylist;
+ }
+ chmod 0640,@sshkeylist;
+ }
 # copy the public keys to install directory
 $cmd =
diff --git a/xCAT/postscripts/remoteshell b/xCAT/postscripts/remoteshell
index 690ff2e97a..a937224572 100755
--- a/xCAT/postscripts/remoteshell
+++ b/xCAT/postscripts/remoteshell
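Review bot: The `getgrnam("ssh_keys")` call added in the first hunk has no failure path, so on a management node without that group `$sgid` is silently undef, the chown later in the sub is skipped without any message, and the operator has no indication that the node hostkeys were not given the intended group. A one-line notice right after the lookup would make that visible, e.g. `xCAT::MsgUtils->message('I', "Group ssh_keys not found; node hostkeys will not be group-owned by ssh_keys.") unless defined $sgid;`. Six of the eight list-assignment targets (`$rlogin`, `$rpass`, `$rgid`, `$sname`, `$spasswd`, `$smembers`) are never used; `my (undef, undef, $ruid) = getpwnam("root");` and `my (undef, undef, $sgid) = getgrnam("ssh_keys");` say what is actually needed. genSSHNodeHostKey begins before this hunk.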
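Review bot: The `chown $ruid,$sgid,@sshkeylist;` and `chmod 0640,@sshkeylist;` added in the last hunk discard their return values, so a partial or failed ownership/mode change on the private hostkeys goes unreported, whereas every ssh-keygen failure in the same sub is logged with an 'E' message. Both builtins return the number of files successfully changed, which should be compared against `scalar @sshkeylist`; the missing-group case should also say so rather than silently leaving the keys under whatever group ssh-keygen created them with. A rewrite of the block along those lines is below. genSSHNodeHostKey continues past the end of this hunk.
```perl
    if (@sshkeylist) {
        if (defined $ruid && defined $sgid) {
            my $changed = chown $ruid, $sgid, @sshkeylist;
            if ($changed != @sshkeylist) {
                xCAT::MsgUtils->message('E', "Could not chown node hostkeys to root:ssh_keys: $!");
            }
        }
        else {
            xCAT::MsgUtils->message('I', "Group ssh_keys not found; node hostkeys keep their current group.");
        }
        my $changed = chmod 0640, @sshkeylist;
        if ($changed != @sshkeylist) {
            xCAT::MsgUtils->message('E', "Could not chmod node hostkeys to 0640: $!");
        }
    }
    # … unchanged: copy the public keys to install directory …
```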
@@ -149,7 +149,8 @@ if [ $? -ne 0 ]; then
 getcredentials.awk ssh_dsa_hostkey | grep -v '<'|sed -e 's/<//' -e 's/&/&/' -e 's/"/"/' -e "s/'/'/" > /etc/ssh/ssh_host_dsa_key
 MYCONT=`cat /etc/ssh/ssh_host_dsa_key`
 done
- chmod 600 /etc/ssh/ssh_host_dsa_key
+ chown root:ssh_keys /etc/ssh/ssh_host_dsa_key
+ chmod 640 /etc/ssh/ssh_host_dsa_key
 if ! grep "PRIVATE KEY" /etc/ssh/ssh_host_dsa_key > /dev/null 2>&1 ; then
 rm /etc/ssh/ssh_host_dsa_key
 else
@@ -215,13 +216,14 @@ if [ $? -ne 0 ]; then
 getcredentials.awk ssh_rsa_hostkey | grep -v '<'|sed -e 's/<//' -e 's/&/&/' -e 's/"/"/' -e "s/'/'/" > /etc/ssh/ssh_host_rsa_key
 MYCONT=`cat /etc/ssh/ssh_host_rsa_key`
 done
- chmod 600 /etc/ssh/ssh_host_rsa_key
+ chown root:ssh_keys /etc/ssh/ssh_host_rsa_key
+ chmod 640 /etc/ssh/ssh_host_rsa_key
 if ! grep "PRIVATE KEY" /etc/ssh/ssh_host_rsa_key > /dev/null 2>&1 ; then
 rm /etc/ssh/ssh_host_rsa_key
 else
 ssh-keygen -y -f /etc/ssh/ssh_host_rsa_key > /etc/ssh/ssh_host_rsa_key.pub
- chmod 644 /etc/ssh/ssh_host_rsa_key.pub
- chown root /etc/ssh/ssh_host_rsa_key.pub
+ chmod 644 /etc/ssh/ssh_host_rsa_key.pub
+ chown root /etc/ssh/ssh_host_rsa_key.pub
 fi
 else
 #This is an error message
@@ -286,7 +288,8 @@ if ssh-keygen -t ecdsa -f /tmp/ecdsa_key -P "" &>/dev/null ; then
 getcredentials.awk ssh_ecdsa_hostkey | grep -v '<'|sed -e 's/<//' -e 's/&/&/' -e 's/"/"/' -e "s/'/'/" > /etc/ssh/ssh_host_ecdsa_key
 MYCONT=`cat /etc/ssh/ssh_host_ecdsa_key`
 done
- chmod 600 /etc/ssh/ssh_host_ecdsa_key
+ chown root:ssh_keys /etc/ssh/ssh_host_ecdsa_key
+ chmod 640 /etc/ssh/ssh_host_ecdsa_key
 if ! grep "PRIVATE KEY" /etc/ssh/ssh_host_ecdsa_key > /dev/null 2>&1 ; then
 rm /etc/ssh/ssh_host_ecdsa_key
 else
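Review bot: The new `chown root:ssh_keys /etc/ssh/ssh_host_dsa_key` runs unconditionally and its exit status is ignored, so on a node whose distribution has no `ssh_keys` group it fails with a message on stderr and the following `chmod 640` still loosens the key to group-readable under whatever group the file already carries; the old `chmod 600` had no such dependency. Guard on the group and fall back to the previous mode: `if getent group ssh_keys >/dev/null 2>&1; then chown root:ssh_keys /etc/ssh/ssh_host_dsa_key && chmod 640 /etc/ssh/ssh_host_dsa_key`, `else chmod 600 /etc/ssh/ssh_host_dsa_key`, `fi`. The same pattern is repeated for the rsa and ecdsa keys in the two hunks below and should get the same treatment. Separately, and predating this change, the `> /etc/ssh/ssh_host_dsa_key` redirect on the context line above creates the file under the script's default umask before either permission command runs, so the private key is likely readable by others for a moment; a `umask 077` ahead of the loop would close that window. The enclosing `if` block starts before this hunk.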