NetBSD-Bugs archive


bin/56835: sshd startup script produces very misleading "UNSAFE KEYS" warnings



>Number:         56835
>Category:       bin
>Synopsis:       sshd startup script produces very misleading "UNSAFE KEYS" warnings
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    bin-bug-people
>State:          open
>Class:          change-request
>Submitter-Id:   net
>Arrival-Date:   Sat May 14 18:25:01 +0000 2022
>Originator:     Tom Lane
>Release:        HEAD/202205021430Z (problem may be old, though)
>Organization:
PostgreSQL Global Development Group
>Environment:
NetBSD sss2.sss.pgh.pa.us 9.99.96 NetBSD 9.99.96 (GENERIC) #2: Sat May 14 11:02:34 EDT 2022  tgl%nuc1.sss.pgh.pa.us@localhost:/home/tgl/netbsd-H-202205021430Z/obj.hppa/sys/arch/hppa/compile/GENERIC hppa
>Description:
/etc/rc.d/sshd modifies /etc/motd to warn you if your sshd keys have been generated with low entropy.  That's great, or would be if the warning weren't so misleading.  What it actually does is to update /etc/motd unconditionally based on the state of "kern.entropy.needed" when you last started sshd, regardless of the age of your keys.  This has at least two bad failure modes:

* If, for some reason, you boot without adequate entropy, it will start warning you, even if your key files predate the reboot and are perfectly secure.  (I ran into this case when the entropy file disappeared due to a kernel panic.)

* After you reboot with adequate entropy, it will stop warning you, even if your key files were made with inadequate entropy.  IMO this is bad enough to be on the edge of being a security bug; anyone who takes the warning at face value will be misled.
>How-To-Repeat:
* Install new system on machine with no hardware entropy source.  Enable sshd.

* Log in, note presence of warning (good).

* Provide entropy, e.g. cat whatever >/dev/urandom.

* Once kern.entropy.needed is down to zero, reboot, *without* doing the recommended key regen.

* Log in, note absence of warning (bad).
>Fix:
I think the script should only change motd when it actually made new key files.  Here's one attempt:
-----

Index: sshd
===================================================================
RCS file: /cvsroot/src/etc/rc.d/sshd,v
retrieving revision 1.31
diff -u -r1.31 sshd
--- sshd        26 Sep 2021 10:53:20 -0000      1.31
+++ sshd        14 May 2022 17:54:16 -0000
@@ -45,6 +45,7 @@
 (
        keygen="/usr/bin/ssh-keygen"
        umask 022
+       madesomething=no
        while read type bits filename;  do
                f="/etc/ssh/$filename"
                if [ "$1" != "force" ] && [ -f "$f" ]; then
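Review bot: `madesomething=no` is initialised inside the `(` subshell opened on the first context line of this hunk, and nothing documents that. A one-line comment saying the flag records whether this run generated any key, and that it only exists until the closing `)`, would keep a later edit from moving the test outside the subshell, where the variable would be unset and the warning update would silently never run.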
@@ -58,14 +59,17 @@
                esac
                "${keygen}" -t "${type}" ${bitarg} -f "${f}" -N '' -q && \
                    printf "ssh-keygen: " && "${keygen}" -f "${f}" -l
+               madesomething=yes
        done << _EOF
 dsa    1024    ssh_host_dsa_key
 ecdsa  521     ssh_host_ecdsa_key
 ed25519        -1      ssh_host_ed25519_key
 rsa    0       ssh_host_rsa_key
 _EOF
+       if [ "$madesomething" = yes ]; then
+           sshd_motd_unsafe_keys_warning
+       fi
 )
-       sshd_motd_unsafe_keys_warning
 }
 
 sshd_precmd()
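Review bot: the added `madesomething=yes` is a separate statement after the `"${keygen}" ... -q && \` chain, so it is set even when `ssh-keygen` fails and no key file was written; `sshd_motd_unsafe_keys_warning` would then still run, which is the case this patch is trying to exclude. Set the flag only on successful generation, for example by testing the generation command itself (`if "${keygen}" -t "${type}" ${bitarg} -f "${f}" -N '' -q; then madesomething=yes; ...`) rather than appending `&& madesomething=yes` to the end of the chain, which would also make the flag depend on `printf` and the `-l` fingerprint listing succeeding.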

-----
This has still got some failure modes, notably if we updated only some of the key files for some reason.  That seems like a pretty edgy edge case though, and I'm not sure there's a good way to deal with it.  In any case, this seems a lot better than what's there now.


