Sovran_Systems/Sovran_SystemsOS
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

chore: harden ssh bootstrap script

Browse Source
This commit is contained in:
copilot-swe-agent[bot]
2026-06-24 22:15:24 +00:00
committed by GitHub
parent 181465c376
commit 439021f798
1 changed files with 3 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files
modules/core/ssh-bootstrap.nix
+3 -1
View File
@@ -41,6 +41,8 @@ lib.mkIf userExists {
}; };
path = [ pkgs.openssh pkgs.coreutils ]; path = [ pkgs.openssh pkgs.coreutils ];
script = '' script = ''
set -eu
PASSPHRASE=$(cat /var/lib/secrets/ssh-passphrase) PASSPHRASE=$(cat /var/lib/secrets/ssh-passphrase)
generate_factory_key() { generate_factory_key() {
@@ -54,7 +56,7 @@ lib.mkIf userExists {
generate_factory_key generate_factory_key
elif ! ssh-keygen -y -P "$PASSPHRASE" -f "${keyPath}" >/dev/null 2>&1; then elif ! ssh-keygen -y -P "$PASSPHRASE" -f "${keyPath}" >/dev/null 2>&1; then
echo "Existing factory SSH key does not match current passphrase; backing it up and generating a replacement." echo "Existing factory SSH key does not match current passphrase; backing it up and generating a replacement."
backup_suffix=$(date -u +%Y%m%d%H%M%S) backup_suffix=$(date -u +%Y%m%d_%H%M%S)
backup_path="${keyPath}.bak-$backup_suffix" backup_path="${keyPath}.bak-$backup_suffix"
backup_index=0 backup_index=0