| #!/bin/bash |
| |
| # Create the host keys for the OpenSSH server. |
| KEYTYPE=$1 |
| case $KEYTYPE in |
| "dsa") ;& # disabled in FIPS |
| "ed25519") |
| FIPS=/proc/sys/crypto/fips_enabled |
| if [[ -r "$FIPS" && $(cat $FIPS) == "1" ]]; then |
| exit 0 |
| fi ;; |
| "rsa") ;; # always ok |
| "ecdsa") ;; |
| *) # wrong argument |
| exit 12 ;; |
| esac |
| KEY=/etc/ssh/ssh_host_${KEYTYPE}_key |
| |
| KEYGEN=/usr/bin/ssh-keygen |
| if [[ ! -x $KEYGEN ]]; then |
| exit 13 |
| fi |
| |
| # remove old keys |
| rm -f $KEY{,.pub} |
| |
| # create new keys |
| if ! $KEYGEN -q -t $KEYTYPE -f $KEY -C '' -N '' >&/dev/null; then |
| exit 1 |
| fi |
| |
| # sanitize permissions |
| /usr/bin/chgrp ssh_keys $KEY |
| /usr/bin/chmod 640 $KEY |
| /usr/bin/chmod 644 $KEY.pub |
| if [[ -x /usr/sbin/restorecon ]]; then |
| /usr/sbin/restorecon $KEY{,.pub} |
| fi |
| |
| exit 0 |