confd: fix SSH host key generation warnings

Validate keys in gen_hostkey() before passing empty keys to shell scripts,
preventing:

Nov 04 2024 10:54:25 confd[2697]: SSH key (genkey) does not exist, generating...
Nov 04 2024 10:54:25 confd[2697]: writing RSA key
Nov 04 2024 10:54:26 confd[2697]: do_convert_from_pkcs8: /tmp/tmp.FH1Hr1 is not a recognised public key format

Also, fix base64 content formatting with proper 64-character line wrapping
using printf+fold instead of echo.

Use PKCS#1 RSA format for public keys as required by netopeer2-server, while
keeping PKCS#8 format for private keys.  Use proper ssh-keygen format flag
(PKCS8) for correct conversion.

Fixes #1289

Signed-off-by: Joachim Wiberg <[email protected]>

Author: troglobit

board/common/rootfs/usr/libexec/infix/mkkeys

@@ -8,7 +8,8 @@ PUB=$2
 
 mkdir -p "$(dirname "$KEY")" "$(dirname "$PUB")"
 
+# openssl genpkey -quiet -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -outform PEM
 openssl genpkey -quiet -algorithm RSA -pkeyopt rsa_keygen_bits:$BIT -outform PEM > "$KEY"
-openssl rsa -RSAPublicKey_out < "$KEY" > "$PUB"
+openssl rsa -RSAPublicKey_out < "$KEY" 2>/dev/null > "$PUB"
 
 exit 0

board/common/rootfs/usr/libexec/infix/mksshkey

@@ -1,24 +1,29 @@
-#!/bin/bash
-# Store and convert RSA PUBLIC/PRIVATE KEYs to be able to use them in
-# OpenSSHd.
+#!/bin/sh
+# Generate OpenSSH host key pair from same keys as NETCONF
 set -e
+umask 0077
 
 NAME="$1"
 DIR="$2"
 PUBLIC="$3"
 PRIVATE="$4"
 TMP="$(mktemp)"
 
-echo -e '-----BEGIN RSA PRIVATE KEY-----' > "$DIR/$NAME"
-echo "$PRIVATE" >> "$DIR/$NAME"
-echo -e '-----END RSA PRIVATE KEY-----' >> "$DIR/$NAME"
+{
+	echo '-----BEGIN PRIVATE KEY-----'
+	printf '%s\n' "$PRIVATE" | fold -w 64
+	echo '-----END PRIVATE KEY-----'
+} > "$DIR/$NAME"
 
-echo -e "-----BEGIN RSA PUBLIC KEY-----" > "$TMP"
-echo -e "$PUBLIC" >> "$TMP"
-echo -e "-----END RSA PUBLIC KEY-----" >> "$TMP"
+{
+	echo "-----BEGIN RSA PUBLIC KEY-----"
+	printf '%s\n' "$PUBLIC" | fold -w 64
+	echo "-----END RSA PUBLIC KEY-----"
+} > "$TMP"
 
-ssh-keygen -i -m PKCS8 -f "$TMP" > "$DIR/$NAME.pub"
+ssh-keygen -i -f "$TMP" -m PKCS8 > "$DIR/$NAME.pub"
 rm "$TMP"
+
 chmod 0600 "$DIR/$NAME.pub"
 chmod 0600 "$DIR/$NAME"
 chown sshd:sshd "$DIR/$NAME.pub"

doc/ChangeLog.md

@@ -3,7 +3,7 @@ Change Log
 
 All notable changes to the project are documented in this file.
 
-[v25.11.0][] - 2025-11-28
+[v25.11.0][UNRELEASED]
 -------------------------
 
 > [!NOTE]
@@ -79,6 +79,7 @@ All notable changes to the project are documented in this file.
   existing invalid configurations are automatically corrected during upgrade
 - Fix #1255: serious regression in boot time, introduced in v25.10, delays the
   boot step "Mounting filesystems ...", from 30 seconds up to five minutes!
+- Fix #1289: SSH host key generation warning at boot after factory reset
 - Fix broken intra-document links in container and tunnel documentation
 
 [latest-boot]: https://github.com/kernelkit/infix/releases/latest-boot

src/confd/src/keystore.c

@@ -59,12 +59,17 @@ static int gen_hostkey(const char *name, struct lyd_node *change)
 	private_key = lydx_get_cattr(change, "cleartext-private-key");
 	public_key = lydx_get_cattr(change, "public-key");
 
+	/* Validate keys before use */
+	if (!private_key || !public_key || !*private_key || !*public_key)
+		return SR_ERR_OK;
+
 	if (mkdir(SSH_HOSTKEYS_NEXT, 0600) && (errno != EEXIST)) {
 		ERRNO("Failed creating %s", SSH_HOSTKEYS_NEXT);
 		rc = SR_ERR_INTERNAL;
 	}
 
-	if (systemf("/usr/libexec/infix/mksshkey %s %s %s %s", name, SSH_HOSTKEYS_NEXT, public_key, private_key))
+	if (systemf("/usr/libexec/infix/mksshkey %s %s %s %s", name,
+		    SSH_HOSTKEYS_NEXT, public_key, private_key))
 		rc = SR_ERR_INTERNAL;
 
 	return rc;
@@ -156,7 +161,7 @@ static int keystore_update(sr_session_ctx_t *session, struct lyd_node *config, s
 }
 
 int keystore_change(sr_session_ctx_t *session, struct lyd_node *config, struct lyd_node *diff,
-			 sr_event_t event, struct confd *confd)
+		    sr_event_t event, struct confd *confd)
 {
 	struct lyd_node *changes, *change;
 	int rc = SR_ERR_OK;