From bdcef9d358afac048b71037cae5dc6916879e6ef Mon Sep 17 00:00:00 2001
From: Gerd Behrmann
Date: Wed, 15 Jun 2016 12:10:37 +0200
Subject: [PATCH] admin: Fix compatibility with OpenSSH 7
Motivation: DSA keys are disabled by default in OpenSSH 7.
Modification: Add RSA keys in the install scripts. Fixes a bug in the admin door in which it erroneously included the public key as a private key. The public key file is not used by the door as the public key is embedded in the file with they private key. Generalizes the admin door to accept a list of private keys. Thus existing DSA keys will continue to work.
Result: Switched admin to generate both DSA and RSA keys to make it compatible with OpenSSH 7 clients. Introduced admin.paths.host-keys.
Target: trunk
Request: 2.16
Request: 2.15
Request: 2.14
Request: 2.13
Require-notes: yes
Require-book: yes
Acked-by: Paul Millar
Reviewed at https://rb.dcache.org/r/9416/
(cherry picked from commit 92fbe53f16b302c91c88d2da22301d868eabfa44)
---
 .../org/dcache/services/ssh2/Ssh2Admin.java | 56 +++++++------------
 .../org/dcache/services/ssh2/ssh2Admin.xml | 15 ++++-
 packages/fhs/src/main/deb/postinst | 5 ++
 packages/fhs/src/main/rpm/dcache-server.spec | 5 ++
 .../src/main/skel/etc/admin/ssh_host_rsa_key | 27 +++++++++
 .../main/skel/etc/admin/ssh_host_rsa_key.pub | 1 +
 skel/share/defaults/admin.properties | 3 +-
 skel/share/services/admin.batch | 14 +----
 8 files changed, 74 insertions(+), 52 deletions(-)
 create mode 100644 packages/system-test/src/main/skel/etc/admin/ssh_host_rsa_key
 create mode 100644 packages/system-test/src/main/skel/etc/admin/ssh_host_rsa_key.pub
diff --git a/modules/dcache/src/main/java/org/dcache/services/ssh2/Ssh2Admin.java b/modules/dcache/src/main/java/org/dcache/services/ssh2/Ssh2Admin.java
index 32f50098d91..2931141f581 100644
--- a/modules/dcache/src/main/java/org/dcache/services/ssh2/Ssh2Admin.java
+++ b/modules/dcache/src/main/java/org/dcache/services/ssh2/Ssh2Admin.java
@@ -1,8 +1,5 @@ package org.dcache.services.ssh2; -import dmg.cells.nucleus.CellCommandListener; -import dmg.cells.nucleus.CellLifeCycleAware; - import org.apache.sshd.SshServer; import org.apache.sshd.common.Factory; import org.apache.sshd.common.NamedFactory; @@ -29,16 +26,22 @@ import java.util.Arrays; import java.util.List; import java.util.concurrent.TimeUnit; +import java.util.stream.Stream; import diskCacheV111.util.AuthorizedKeyParser; import diskCacheV111.util.CacheException; import diskCacheV111.util.PermissionDeniedCacheException; -import org.dcache.auth.*; - -import java.util.stream.Stream; +import dmg.cells.nucleus.CellCommandListener; +import dmg.cells.nucleus.CellLifeCycleAware; -import static org.dcache.util.Files.checkFile; +import org.dcache.auth.LoginReply; +import org.dcache.auth.LoginStrategy; +import org.dcache.auth.Origin; +import org.dcache.auth.PasswordCredential; +import org.dcache.auth.Subjects; +import org.dcache.auth.UnionLoginStrategy; +import org.dcache.util.Files; /** * This class starts the ssh server. It is however not started in the @@ -53,8 +56,7 @@ public class Ssh2Admin implements CellCommandListener, CellLifeCycleAware private static final Logger _log = LoggerFactory.getLogger(Ssh2Admin.class); private final SshServer _server; // UniversalSpringCell injected parameters - private String _hostKeyPrivate; - private String _hostKeyPublic; + private String[] _hostKeys; private File _authorizedKeyList; private String _host; private int _port; 
@@ -100,22 +102,8 @@ public int getAdminGroupId() { return _adminGroupId; } - public String getHostKeyPrivate() { - return _hostKeyPrivate; - } - - public void setHostKeyPrivate(String hostKeyPrivate) { - _hostKeyPrivate = hostKeyPrivate; - _log.debug("hostKeyPrivate set to: {}", _hostKeyPrivate); - } - - public String getHostKeyPublic() { - return _hostKeyPublic; - } - - public void setHostKeyPublic(String hostKeyPublic) { - _hostKeyPublic = hostKeyPublic; - _log.debug("hostKeyPublic set to: {}", _hostKeyPublic); + public void setHostKeys(String[] keys) { + _hostKeys = keys; } public File getAuthorizedKeyList() { @@ -208,18 +196,14 @@ public void beforeStop() { private void configureKeyFiles() { try { - checkFile(_hostKeyPrivate); - checkFile(_hostKeyPublic); - } catch (IOException ex) { - throw new RuntimeException("Problem with server ssh host keys, " + ex.getMessage()); + for (String key : _hostKeys) { + Files.checkFile(key); + } + FileKeyPairProvider fKeyPairProvider = new FileKeyPairProvider(_hostKeys); + _server.setKeyPairProvider(fKeyPairProvider); + } catch (IOException e) { + throw new RuntimeException(e.getMessage(), e); } - - String[] keyFiles = {_hostKeyPrivate, _hostKeyPublic}; - FileKeyPairProvider fKeyPairProvider = new FileKeyPairProvider( - keyFiles); - - _server.setKeyPairProvider(fKeyPairProvider); - } private void startServer() { diff --git a/modules/dcache/src/main/resources/org/dcache/services/ssh2/ssh2Admin.xml b/modules/dcache/src/main/resources/org/dcache/services/ssh2/ssh2Admin.xml index 22b28565a03..74b6552bce7 100644 --- a/modules/dcache/src/main/resources/org/dcache/services/ssh2/ssh2Admin.xml +++ b/modules/dcache/src/main/resources/org/dcache/services/ssh2/ssh2Admin.xml @@ -10,6 +10,18 @@ + + + + + + + + + Undeliverable message logger @@ -98,8 +110,7 @@ - - + diff --git a/packages/fhs/src/main/deb/postinst b/packages/fhs/src/main/deb/postinst index e4ef4dd544e..17652405fd9 100755 --- a/packages/fhs/src/main/deb/postinst 
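Review bot: `setHostKeys` stores the caller's array reference as-is, so any later modification of that array by the injecting code changes which files the door loads; storing a copy is the usual defensive idiom, `_hostKeys = keys == null ? null : keys.clone();`. The removed `getHostKeyPrivate`/`getHostKeyPublic` getters get no replacement; if a `getHostKeys` getter is added for symmetry it should return a copy as well. A one-line Javadoc on the setter would also document the contract the rest of the patch relies on: `/** Paths of the private host key files (the public key is embedded); injected from admin.paths.host-keys. */`.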
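Review bot: `configureKeyFiles` has no guard for `_hostKeys` being null or empty, so an unset or blank `admin.paths.host-keys` either throws a NullPointerException at the `for` loop or configures the server with no host key at all, a failure that would only surface when a client connects. The `catch` sits outside the loop and rethrows only `e.getMessage()`, so unless `Files.checkFile` embeds the path (its implementation is not on this page) the operator cannot tell which of several keys failed; the `failMissingServerKey` block that admin.batch used to print, naming the path and the ssh-keygen command, is removed in this same patch, so that hint is now lost entirely. A guard plus a per-key try/catch that names the file restores both:
```java
private void configureKeyFiles() {
    if (_hostKeys == null || _hostKeys.length == 0) {
        throw new IllegalStateException("No ssh host keys configured (admin.paths.host-keys)");
    }
    for (String key : _hostKeys) {
        try {
            Files.checkFile(key);
        } catch (IOException e) {
            throw new RuntimeException("Problem with ssh host key " + key + ": " + e.getMessage()
                    + " (generate it with: ssh-keygen -f " + key + " -N \"\")", e);
        }
    }
    _server.setKeyPairProvider(new FileKeyPairProvider(_hostKeys));
}
```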
+++ b/packages/fhs/src/main/deb/postinst
@@ -42,6 +42,11 @@ Please fix this and reinstall this package." >&2
 chmod 640 /etc/dcache/admin/ssh_host_dsa_key
 chgrp dcache /etc/dcache/admin/ssh_host_dsa_key
 fi
+ if [ ! -f /etc/dcache/admin/ssh_host_rsa_key ]; then
+ ssh-keygen -q -t rsa -f /etc/dcache/admin/ssh_host_rsa_key -N ""
+ chmod 640 /etc/dcache/admin/ssh_host_rsa_key
+ chgrp dcache /etc/dcache/admin/ssh_host_rsa_key
+ fi
 fi
 #DEBHELPER#
diff --git a/packages/fhs/src/main/rpm/dcache-server.spec b/packages/fhs/src/main/rpm/dcache-server.spec
index efd2037ef63..a4338d8b519 100644
--- a/packages/fhs/src/main/rpm/dcache-server.spec
+++ b/packages/fhs/src/main/rpm/dcache-server.spec
@@ -68,6 +68,11 @@ if [ ! -f /etc/dcache/admin/ssh_host_dsa_key ]; then
 chmod 640 /etc/dcache/admin/ssh_host_dsa_key
 chgrp dcache /etc/dcache/admin/ssh_host_dsa_key
 fi
+if [ ! -f /etc/dcache/admin/ssh_host_rsa_key ]; then
+ssh-keygen -q -t rsa -f /etc/dcache/admin/ssh_host_rsa_key -N ""
+chmod 640 /etc/dcache/admin/ssh_host_rsa_key
+chgrp dcache /etc/dcache/admin/ssh_host_rsa_key
+fi
 # fix file /var/lib/dcache directory ownership
 chown dcache:dcache /var/lib/dcache
diff --git a/packages/system-test/src/main/skel/etc/admin/ssh_host_rsa_key b/packages/system-test/src/main/skel/etc/admin/ssh_host_rsa_key
new file mode 100644
index 00000000000..97737b49543
--- /dev/null
+++ b/packages/system-test/src/main/skel/etc/admin/ssh_host_rsa_key
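Review bot: The new RSA block in postinst is a verbatim copy of the DSA block just above it, and the same duplication is added to dcache-server.spec in the next hunk; a small shell function taking the key type keeps the generate/chmod/chgrp sequence in one place so that a future change (another key type, a different mode) is made once. `ssh-keygen -t rsa` without `-b` also leaves the modulus size to whatever OpenSSH version happens to be installed on the host at package-install time, so pinning it (e.g. `-b 3072`) makes the generated host key's strength predictable across installs. Neither script checks that `ssh-keygen` succeeded before running `chmod`/`chgrp` on the file; whether a failure aborts the install depends on shell options set earlier, outside these hunks.
```sh
generate_host_key() {
    # $1 = key type (dsa, rsa); creates /etc/dcache/admin/ssh_host_$1_key if absent
    if [ ! -f "/etc/dcache/admin/ssh_host_$1_key" ]; then
        ssh-keygen -q -t "$1" -f "/etc/dcache/admin/ssh_host_$1_key" -N "" &&
        chmod 640 "/etc/dcache/admin/ssh_host_$1_key" &&
        chgrp dcache "/etc/dcache/admin/ssh_host_$1_key"
    fi
}
# … unchanged: enclosing if block …
generate_host_key dsa
generate_host_key rsa
```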
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEoAIBAAKCAQEAspj9O1KvIrXzSqClOdWyXOxX4WBFUacVNq20Cb/OjJFTjYf9
+4ayMt97ckQbT83nteL5D9si7qFLSw+smeJd3TaJmuPuSMgrlDm9SVr1s1u8qM+oz
+beuOCP7n+pcfDzDhAQRdwBqEl6P/DVf/DE5iAy4ldW4B+KJ+aqubTz3eCYX1WZiC
+n6h3b9VY4BSBPdxvnVGzVte9je1ZjcI8F6UA9Bac+AuY96S6HgbhJbEBTH4sLzqC
+bs7oMjNYrhA2mFDpIMHwW9wKLYOp20gDOE3jZ78nspXfSbwBxCuaNvyWtnYgtT4s
+XbCB0lJuVtaJucZZVjlOmMfGwrttYuWsrdOwMQIDAQABAoH/IuG+k9eSXTUsT2cQ
+3jrem0eN4nbrEwePHR7QCxdrQAkiSIJHE8yfr0nXynuK6gLmXq7Kl2idPkLu51UG
+LodmxcLyTS7VXvDBzA/yBP76QwBzPbCAWvemxhsDM+5QIqdpSsmPhfWn7/YX2oNV
+TRICEpzws/7IY8dY6Xya2N88fp9XnKcHvumdu22x5OUn4hhBNC5Wgy3/OioXwa9c
+NbBl+8BgwbBMl8OKcqw1t65l/9tO5NsYwcqPIauq08y8/qHAkNBsWsF6byNI7FSM
+BuyI68UyDF7Y+O/VTBZ0eD50hl7IGDpk7k+kif9wbAYXXwBXjgTD0a65SOTB6QYW
+xbLhAoGBAON9KdefwO4xkZ0oLpsjpYqUprlybdh7D0TWclXGthdIE8Wuyv0B3c+j
+o2AF4l3jpIf2n1WU4xKYR0QGnGLkWXwFMQRFBgsTScpQhBkq7KghzJ9cl2z9xf27
+fcKMkMzaQi0p+tMRaS92XpZMiOOZvpjO9lr/K/qVMm60nRL5wHj9AoGBAMj7LfCk
+CYXxPG1EPK7q2gdYW2b7XQvzUjPXK3Y3FMJjkFnOCADrNt8nYCL3Z6ULYk51NNKs
+ajdG04K+qUBGjTPGvw8QzJzZobZFDk6fctWqyPnnk3WpOZIyC0VzpH4+YHZIpz7i
+RGJ8g1DFX4BDZWGFakZZ4LK+2rLimoZEhaRFAoGAIV8lGjqXRNoEsHdKjvultzSj
+WKUOtCkpTkHfN/IUmEm8jM1dfcweS+2Hc/ipAnj4k/F74kQbI4kvOy11F5TEA8uH
+K0cs4ccMlh9FoaOIYAnFSMN+e0CnINe2VSnlvAdwmcuEvh3Zvlqw+X90vV66dRQ3
+U5YHT5U/droMKNJ2h8kCgYAvtI9fA1DPXkd9mCjfTBecjriDZT7cy1DDxVsnoENp
+MMDe0CzOKwbHSU1kf102q9EV1nRHXW2I2WLzMdZyz0xM8ev/43jt8iqUXSfcObTE
+StmRmApEb3qe3QoX3i85WA0FhpFMN+ELj4qL7Y2RoG28DDMBp+vSAcNfmrIbFMC0
+EQKBgAC1bKPabrMl8T8N+UAVLK4yoyzioZ0H47BlaC+3b+FvGBl+DjrbC40HO54T
+qJ3niOgIlDOpbZV829q13ADNaC/XFYfwOL1o18fxnWOJ9jlsrM31Ix3Tegfl1g+c
+Hz9Fsee7Su5dJNNfHTtFA8UhjQpXz9vUHz2tRtnGtd4tlc/z
+-----END RSA PRIVATE KEY-----
diff --git a/packages/system-test/src/main/skel/etc/admin/ssh_host_rsa_key.pub b/packages/system-test/src/main/skel/etc/admin/ssh_host_rsa_key.pub
new file mode 100644
index 00000000000..3af70b34a72
--- /dev/null
+++ b/packages/system-test/src/main/skel/etc/admin/ssh_host_rsa_key.pub
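Review bot: A private host key is checked into source control here with mode 100644, so every checkout carries the same world-readable key and it offers no host authentication at all; that is tolerable only because the path is under packages/system-test and the deb/rpm scripts in this patch generate a fresh key on real installs. It is worth recording that intent next to the fixture (for example a README line in the etc/admin skeleton stating that these keys are test-only and must not be copied into a deployment) and making sure the file stays out of any packaging that targets production. If `Files.checkFile` in Ssh2Admin enforces file permissions (its implementation is not on this page), note that git does not preserve the 0640 mode the install scripts set, so the system-test skeleton may need to adjust the mode when it is deployed.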
@@ -0,0 +1 @@
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCymP07Uq8itfNKoKU51bJc7FfhYEVRpxU2rbQJv86MkVONh/3hrIy33tyRBtPzee14vkP2yLuoUtLD6yZ4l3dNoma4+5IyCuUOb1JWvWzW7yoz6jNt644I/uf6lx8PMOEBBF3AGoSXo/8NV/8MTmIDLiV1bgH4on5qq5tPPd4JhfVZmIKfqHdv1VjgFIE93G+dUbNW172N7VmNwjwXpQD0Fpz4C5j3pLoeBuElsQFMfiwvOoJuzugyM1iuEDaYUOkgwfBb3Aotg6nbSAM4TeNnvyeyld9JvAHEK5o2/Ja2diC1PixdsIHSUm5W1om5xllWOU6Yx8bCu21i5ayt07Ax behrmann@Gerds-MacBook-Pro.local
diff --git a/skel/share/defaults/admin.properties b/skel/share/defaults/admin.properties
index 2d749c6c7fd..a62832f2dde 100644
--- a/skel/share/defaults/admin.properties
+++ b/skel/share/defaults/admin.properties
@@ -59,10 +59,11 @@ admin.paths.authorized-keys = ${dcache.paths.admin}/authorized_keys2
 # ---- Hostkey location
 #
-# Defines the location of the ssh2 server host keys
+# A comma separated list paths of of ssh server host keys.
 #
 admin.paths.dsa-host-key.private = ${dcache.paths.admin}/ssh_host_dsa_key
 admin.paths.dsa-host-key.public = ${dcache.paths.admin}/ssh_host_dsa_key.pub
+admin.paths.host-keys = ${admin.paths.dsa-host-key.private},${dcache.paths.admin}/ssh_host_rsa_key
 # Cell addresses and timeouts of other services
 admin.service.gplazma=${dcache.service.gplazma}
diff --git a/skel/share/services/admin.batch b/skel/share/services/admin.batch
index a0dfe95934b..c0587f441d8 100644
--- a/skel/share/services/admin.batch
+++ b/skel/share/services/admin.batch
@@ -4,8 +4,7 @@ check -strong admin.cell.name
 check admin.cell.subscribe
 check -strong admin.history.size
 check -strong admin.net.port
-check -strong admin.paths.dsa-host-key.private
-check -strong admin.paths.dsa-host-key.public
+check -strong admin.paths.host-keys
 check -strong admin.service.gplazma
 check -strong admin.service.gplazma.timeout
 check -strong admin.service.gplazma.timeout.unit
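Review bot: The new comment line `+# A comma separated list paths of of ssh server host keys.` has a doubled "of" and a missing one; suggest `# A comma-separated list of paths of ssh server host key files (private keys; the public key is embedded).` so the property also records that the public key file is not needed, as the commit message explains. `admin.paths.dsa-host-key.public` is kept although nothing in this patch reads it any more (the Java door drops `_hostKeyPublic` and admin.batch drops its `check`); unless another consumer exists, mark it deprecated in the comment or remove it. The RSA path is inlined into `admin.paths.host-keys` rather than given a property of its own like the DSA key has, which makes it harder for an administrator to override only that path.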
@@ -29,17 +28,6 @@ check admin.paths.authorized-keys
 check -strong dcache.service.spacemanager
 route add -alias SrmSpaceManager ${dcache.service.spacemanager}
-define env failMissingServerKey.exe endDefine
- say -level=esay "The host key file ${admin.paths.dsa-host-key.private} is missing. Please generate it with:"
- say -level=esay " ssh-keygen -t dsa -f ${admin.paths.dsa-host-key.private} -N \"\""
- exit 1
-endDefine
-onerror continue
-test -f ${admin.paths.dsa-host-key.private}
-set env have_server_key ${rc}
-onerror shutdown
-exec env failMissingServerKey.exe -ifnotok=have_server_key
 create org.dcache.cells.UniversalSpringCell ${admin.cell.name} \
 "classpath:org/dcache/services/ssh2/ssh2Admin.xml \
 -subscribe=${admin.cell.subscribe}"