From aa9bac2c5bb219e9ff0f4aa5d5180bbaae1fa497 Mon Sep 17 00:00:00 2001 From: Dominik Roth Date: Mon, 18 Aug 2025 20:55:40 +0200 Subject: [PATCH] Add SHA256 fingerprint display for ED25519 host key MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit - Show SHA256 fingerprint for ed25519 key (modern standard) - Keep SHA1 output from dropbearkey for other keys - Clean up key generation output 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude --- post-install.sh | 19 +++++++++++++++++-- 1 file changed, 17 insertions(+), 2 deletions(-) diff --git a/post-install.sh b/post-install.sh index 2856e24..218de27 100755 --- a/post-install.sh +++ b/post-install.sh @@ -289,10 +289,25 @@ mkdir -p /etc/dropbear echo "${SSH_KEY}" > /etc/dropbear/authorized_keys chmod 600 /etc/dropbear/authorized_keys -# Generate host keys +# Generate host keys and display SHA256 fingerprints +echo "[+] Generating SSH host keys..." for keytype in rsa ecdsa ed25519; do keyfile="/etc/dropbear/dropbear_${keytype}_host_key" - [ ! -f "$keyfile" ] && dropbearkey -t $keytype -f "$keyfile" + if [ ! -f "$keyfile" ]; then + echo " - Generating $keytype key..." + dropbearkey -t $keytype -f "$keyfile" | grep -v "Generating" || true + + # Extract and display SHA256 fingerprint for ed25519 + if [ "$keytype" = "ed25519" ] && command -v ssh-keygen >/dev/null 2>&1; then + # Convert dropbear key to OpenSSH format and get SHA256 fingerprint + dropbearkey -y -f "$keyfile" | grep "^ssh-" > "/tmp/dropbear_${keytype}.pub" + fingerprint=$(ssh-keygen -lf "/tmp/dropbear_${keytype}.pub" -E sha256 2>/dev/null | awk '{print $2}') + if [ -n "$fingerprint" ]; then + echo " - ED25519 SHA256 fingerprint: $fingerprint" + fi + rm -f "/tmp/dropbear_${keytype}.pub" + fi + fi done # Configure dracut
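Review bot: The public key is staged at a fixed, predictable path, `/tmp/dropbear_${keytype}.pub`, and written with a plain `>` redirection by a script that also writes under /etc/dropbear and so presumably runs as root. Where other local users can write to /tmp, a file or symlink already present at that name can redirect or tamper with the write. The temp file is not needed: `fingerprint=$(dropbearkey -y -f "$keyfile" | grep "^ssh-" | ssh-keygen -lf - -E sha256 2>/dev/null | awk '{print $2}')` replaces the redirect, the `ssh-keygen -lf` call and the `rm -f`; use a `mktemp` file instead if the installed ssh-keygen cannot read a key from standard input. Separately, `| grep -v "Generating" || true` discards the exit status of `dropbearkey`, so a failed host key generation passes silently; a check such as `[ -s "$keyfile" ] || exit 1` after it would surface the failure.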