From f95d9f00dea78a6dc606b7d29946cdbdb54bf499 Mon Sep 17 00:00:00 2001
From: florian <>
Date: Sat, 10 Feb 2018 05:56:47 +0000
Subject: [PATCH] Load RFC 7217 key material and generate if it does not already exist. Add soii.key to changelist (pointed out by semarie) and mtree/special (suggest by Craig Skinner). OK naddy, sthen, rpe, tb
---
 src/etc/changelist | 3 ++-
 src/etc/mtree/special | 3 ++-
 src/etc/netstart | 5 ++++-
 src/etc/rc | 8 +++++++-
 4 files changed, 15 insertions(+), 4 deletions(-)

diff --git a/src/etc/changelist b/src/etc/changelist
index 7c73d895..dd34303c 100644
--- a/src/etc/changelist
+++ b/src/etc/changelist
@@ -1,4 +1,4 @@
-# $OpenBSD: changelist,v 1.118 2018/01/19 00:19:58 gsoares Exp $
+# $OpenBSD: changelist,v 1.119 2018/02/10 05:56:47 florian Exp $
 #
 # List of files which the security script backs up and checks
 # for modifications.
@@ -115,6 +115,7 @@
 /etc/services
 /etc/shells
 +/etc/snmpd.conf
++/etc/soii.key
 +/etc/spwd.db
 /etc/ssh/ssh_config
 +/etc/ssh/ssh_host_dsa_key
diff --git a/src/etc/mtree/special b/src/etc/mtree/special
index a2eec3e4..c7712b02 100644
--- a/src/etc/mtree/special
+++ b/src/etc/mtree/special
@@ -1,4 +1,4 @@
-# $OpenBSD: special,v 1.124 2017/05/03 11:55:36 gsoares Exp $
+# $OpenBSD: special,v 1.125 2018/02/10 05:56:47 florian Exp $
 #
 # Hand-crafted mtree specification for the dangerous files.
 #
@@ -94,6 +94,7 @@ shells type=file mode=0644 uname=root gname=wheel
 skey type=dir mode=01730 uname=root gname=auth optional
 .. #skey
 snmpd.conf type=file mode=0600 uname=root gname=wheel optional
+soii.key type=file mode=0600 uname=root gname=wheel optional
 spwd.db type=file mode=0640 uname=root gname=_shadow
 ssh type=dir mode=0755 uname=root gname=wheel optional
 ssh_config type=file mode=0644 uname=root gname=wheel
diff --git a/src/etc/netstart b/src/etc/netstart
index 09c7dcb2..820c1607 100644
--- a/src/etc/netstart
+++ b/src/etc/netstart
@@ -1,6 +1,6 @@
 #!/bin/sh -
 #
-# $OpenBSD: netstart,v 1.188 2018/02/06 19:53:50 tb Exp $
+# $OpenBSD: netstart,v 1.189 2018/02/10 05:56:47 florian Exp $
 
 # Turn off Strict Bourne shell mode.
 set +o sh
@@ -194,6 +194,9 @@ if $PRINT_ONLY && (($# == 0)); then
 exit 1
 fi
+$PRINT_ONLY || [[ ! -f /etc/soii.key ]] ||
+ sysctl -q "net.inet6.ip6.soiikey=$( 0)); then
diff --git a/src/etc/rc b/src/etc/rc
index c88e13ce..2fa6093a 100644
--- a/src/etc/rc
+++ b/src/etc/rc
@@ -1,4 +1,4 @@
-# $OpenBSD: rc,v 1.523 2017/11/09 11:02:10 tb Exp $
+# $OpenBSD: rc,v 1.524 2018/02/10 05:56:47 florian Exp $
 
 # System startup script run by init on autoboot or after single-user.
 # Output and error are redirected to console by init, and the console is the
@@ -158,6 +158,12 @@ make_keys() {
 fi
 ssh-keygen -A
+
+ if [[ ! -f /etc/soii.key ]]; then
+ openssl rand -hex 16 > /etc/soii.key && \
+ chmod 600 /etc/soii.key && sysctl -q \
+ "net.inet6.ip6.soiikey=$(
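Review bot: The `sysctl -q` on the added netstart line hides the failure when `/etc/soii.key` exists but its content is rejected, so the boot continues with no message that the key was not applied; the same `-q` is in the rc hunk's make_keys(), where the `> /etc/soii.key` redirect creates the file before `openssl rand` writes to it, so a failed generation can leave an empty file that the `[[ ! -f /etc/soii.key ]]` guard then treats as present on every later boot. Dropping `-q` would let the error reach the console, and testing for a non-empty file, `$PRINT_ONLY || [[ ! -s /etc/soii.key ]] ||`, would skip an empty leftover instead of feeding it to sysctl. The command substitution that reads the file is truncated in this view, so the read itself cannot be checked here.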