Simplify to only use ED25519 host keys

- Remove RSA and ECDSA key generation (legacy crypto) - Only generate and use ED25519 keys (most secure) - Simplify both main script and dracut module 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com>
2025-08-18 21:00:16 +02:00 · 2025-08-18 21:00:16 +02:00 · 4e1129c368
commit 4e1129c368
parent aa9bac2c5b
1 changed files with 18 additions and 26 deletions
--- a/post-install.sh
+++ b/post-install.sh
@ -229,14 +229,12 @@ install() {
        inst /etc/dropbear/authorized_keys /root/.ssh/authorized_keys
    fi
    
-    # Generate host keys if they don't exist
-    for keytype in rsa ecdsa ed25519; do
-        keyfile="/etc/dropbear/dropbear_${keytype}_host_key"
-        if [ ! -f "$keyfile" ]; then
-            dropbearkey -t $keytype -f "$keyfile" 2>/dev/null
-        fi
-        [ -f "$keyfile" ] && inst "$keyfile"
-    done
+    # Install ED25519 host key only
+    keyfile="/etc/dropbear/dropbear_ed25519_host_key"
+    if [ ! -f "$keyfile" ]; then
+        dropbearkey -t ed25519 -f "$keyfile" 2>/dev/null
+    fi
+    [ -f "$keyfile" ] && inst "$keyfile"
    
    # Install the service
    inst_simple "$moddir/dropbear.service" /etc/systemd/system/dropbear.service
@ -289,26 +287,20 @@ mkdir -p /etc/dropbear
 echo "${SSH_KEY}" > /etc/dropbear/authorized_keys
 chmod 600 /etc/dropbear/authorized_keys

-# Generate host keys and display SHA256 fingerprints
-echo "[+] Generating SSH host keys..."
-for keytype in rsa ecdsa ed25519; do
-    keyfile="/etc/dropbear/dropbear_${keytype}_host_key"
-    if [ ! -f "$keyfile" ]; then
-        echo "  - Generating $keytype key..."
-        dropbearkey -t $keytype -f "$keyfile" | grep -v "Generating" || true
-        
-        # Extract and display SHA256 fingerprint for ed25519
-        if [ "$keytype" = "ed25519" ] && command -v ssh-keygen >/dev/null 2>&1; then
-            # Convert dropbear key to OpenSSH format and get SHA256 fingerprint
-            dropbearkey -y -f "$keyfile" | grep "^ssh-" > "/tmp/dropbear_${keytype}.pub"
-            fingerprint=$(ssh-keygen -lf "/tmp/dropbear_${keytype}.pub" -E sha256 2>/dev/null | awk '{print $2}')
-            if [ -n "$fingerprint" ]; then
-                echo "  - ED25519 SHA256 fingerprint: $fingerprint"
-            fi
-            rm -f "/tmp/dropbear_${keytype}.pub"
+# Generate ED25519 host key only (most secure)
+echo "[+] Generating ED25519 SSH host key..."
+keyfile="/etc/dropbear/dropbear_ed25519_host_key"
+if [ ! -f "$keyfile" ]; then
+    dropbearkey -t ed25519 -f "$keyfile" | grep -v "Generating" || true
+    
+    # Display SHA256 fingerprint if ssh-keygen is available
+    if command -v ssh-keygen >/dev/null 2>&1; then
+        fingerprint=$(dropbearkey -y -f "$keyfile" | ssh-keygen -lf - -E sha256 2>/dev/null | awk '{print $2}')
+        if [ -n "$fingerprint" ]; then
+            echo "  SHA256 fingerprint: $fingerprint"
        fi
    fi
-done
+fi

 # Configure dracut
 cat > /etc/dracut.conf.d/60-dropbear-ssh.conf << 'EOF'