From: naddy
Date: Sun, 1 Oct 2023 20:15:23 +0000 (+0000)
Subject: show fingerprint of freshly generated ssh host key on first boot
X-Git-Url: http://artulab.com/gitweb/?a=commitdiff_plain;h=b6013e365a1567cd23c951859a49d905eaa256db;p=openbsd
show fingerprint of freshly generated ssh host key on first boot
Print to the console the fingerprint of a newly generated ssh host key of the preferred type (currently ED25519), typically when booting for the first time. This simplifies a secure first ssh connection to a freshly installed machine.
ok deraadt@ kn@, and various for earlier iterations
---
diff --git a/etc/rc b/etc/rc
index ea30a76aec4..9d87fac8caf 100644
--- a/etc/rc
+++ b/etc/rc
@@ -1,4 +1,4 @@
-# $OpenBSD: rc,v 1.571 2023/04/26 14:28:09 phessler Exp $
+# $OpenBSD: rc,v 1.572 2023/10/01 20:15:23 naddy Exp $
 # System startup script run by init on autoboot or after single-user.
 # Output and error are redirected to console by init, and the console is the
@@ -137,6 +137,7 @@ make_keys() {
 local _isakmpd_pub=/etc/isakmpd/local.pub
 local _iked_key=/etc/iked/private/local.key
 local _iked_pub=/etc/iked/local.pub
+ local _ssh_pub=/etc/ssh/ssh_host_ed25519_key.pub _show_ssh_fp=false
 if [[ ! -f $_isakmpd_key ]]; then
 echo -n "openssl: generating isakmpd RSA keys... "
@@ -162,7 +163,10 @@ make_keys() {
 fi
 fi
+ [[ -f $_ssh_pub ]] || _show_ssh_fp=true
 ssh-keygen -A
+ $_show_ssh_fp && ssh-keygen -lf $_ssh_pub |
+ (read sz fp comm type && echo "sshd: $type $fp")
 if [[ ! -f /etc/soii.key ]]; then
 openssl rand -hex 16 > /etc/soii.key &&
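Review bot: The new `_ssh_pub` declaration in make_keys hard-codes the ED25519 public key path with no comment on why that type is singled out, so only that one fingerprint ever reaches the console. `ssh-keygen -A` also creates host keys of the other default types, and a client that negotiates a different host key algorithm on first contact would be shown a fingerprint the console never printed. A comment above the declaration would record this, for example `# fingerprint shown at first boot; keep in sync with the preferred host key type`. make_keys starts and ends outside this hunk.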
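Review bot: The `[[ -f $_ssh_pub ]]` test looks at the public key file, while `ssh-keygen -A` (as far as I know) decides whether to generate by the private key file, so the flag and the generation step can disagree. With a pre-provisioned private key and no `.pub`, nothing is generated, yet `ssh-keygen -lf $_ssh_pub` would run on every boot and print only an error; with a stale `.pub` and no private key, a new key is generated and its fingerprint is never shown. Testing the private key keeps the flag tied to what was actually generated: `[[ -f ${_ssh_pub%.pub} ]] || _show_ssh_fp=true`. The `read sz fp comm type` split also assumes a one-word key comment, which presumably holds for keys made by `-A` but deserves a short comment, since a multi-word comment would shift into `$type`. make_keys continues outside this hunk.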