rcolebaugh / rpms / openssh

Forked from rpms/openssh 2 years ago
Clone
b58e57
#!/bin/bash
b58e57
b58e57
# Create the host keys for the OpenSSH server.
b58e57
#
b58e57
# The creation is controlled by the $AUTOCREATE_SERVER_KEYS environment
b58e57
# variable.
b58e57
AUTOCREATE_SERVER_KEYS="RSA ECDSA ED25519"
b58e57
b58e57
# source function library
b58e57
. /etc/rc.d/init.d/functions
b58e57
b58e57
# Some functions to make the below more readable
b58e57
KEYGEN=/usr/bin/ssh-keygen
b58e57
RSA1_KEY=/etc/ssh/ssh_host_key
b58e57
RSA_KEY=/etc/ssh/ssh_host_rsa_key
b58e57
DSA_KEY=/etc/ssh/ssh_host_dsa_key
b58e57
ECDSA_KEY=/etc/ssh/ssh_host_ecdsa_key
b58e57
ED25519_KEY=/etc/ssh/ssh_host_ed25519_key
b58e57
b58e57
# pull in sysconfig settings
b58e57
[ -f /etc/sysconfig/sshd ] && . /etc/sysconfig/sshd
b58e57
b58e57
fips_enabled() {
b58e57
	if [ -r /proc/sys/crypto/fips_enabled ]; then
b58e57
		cat /proc/sys/crypto/fips_enabled
b58e57
	else
b58e57
		echo 0
b58e57
	fi
b58e57
}
b58e57
b58e57
do_rsa1_keygen() {
b58e57
	if [ ! -s $RSA1_KEY -a `fips_enabled` -eq 0 ]; then
b58e57
		echo -n $"Generating SSH1 RSA host key: "
b58e57
		rm -f $RSA1_KEY
b58e57
		if test ! -f $RSA1_KEY && $KEYGEN -q -t rsa1 -f $RSA1_KEY -C '' -N '' >&/dev/null; then
b58e57
			chgrp ssh_keys $RSA1_KEY
b58e57
			chmod 640 $RSA1_KEY
b58e57
			chmod 644 $RSA1_KEY.pub
b58e57
			if [ -x /sbin/restorecon ]; then
b58e57
			    /sbin/restorecon $RSA1_KEY{,.pub}
b58e57
			fi
b58e57
			success $"RSA1 key generation"
b58e57
			echo
b58e57
		else
b58e57
			failure $"RSA1 key generation"
b58e57
			echo
b58e57
			exit 1
b58e57
		fi
b58e57
	fi
b58e57
}
b58e57
b58e57
do_rsa_keygen() {
b58e57
	if [ ! -s $RSA_KEY ]; then
b58e57
		echo -n $"Generating SSH2 RSA host key: "
b58e57
		rm -f $RSA_KEY
b58e57
		if test ! -f $RSA_KEY && $KEYGEN -q -t rsa -f $RSA_KEY -C '' -N '' >&/dev/null; then
b58e57
			chgrp ssh_keys $RSA_KEY
b58e57
			chmod 640 $RSA_KEY
b58e57
			chmod 644 $RSA_KEY.pub
b58e57
			if [ -x /sbin/restorecon ]; then
b58e57
			    /sbin/restorecon $RSA_KEY{,.pub}
b58e57
			fi
b58e57
			success $"RSA key generation"
b58e57
			echo
b58e57
		else
b58e57
			failure $"RSA key generation"
b58e57
			echo
b58e57
			exit 1
b58e57
		fi
b58e57
	fi
b58e57
}
b58e57
b58e57
do_dsa_keygen() {
b58e57
	if [ ! -s $DSA_KEY -a `fips_enabled` -eq 0 ]; then
b58e57
		echo -n $"Generating SSH2 DSA host key: "
b58e57
		rm -f $DSA_KEY
b58e57
		if test ! -f $DSA_KEY && $KEYGEN -q -t dsa -f $DSA_KEY -C '' -N '' >&/dev/null; then
b58e57
			chgrp ssh_keys $DSA_KEY
b58e57
			chmod 640 $DSA_KEY
b58e57
			chmod 644 $DSA_KEY.pub
b58e57
			if [ -x /sbin/restorecon ]; then
b58e57
			    /sbin/restorecon $DSA_KEY{,.pub}
b58e57
			fi
b58e57
			success $"DSA key generation"
b58e57
			echo
b58e57
		else
b58e57
			failure $"DSA key generation"
b58e57
			echo
b58e57
			exit 1
b58e57
		fi
b58e57
	fi
b58e57
}
b58e57
b58e57
do_ecdsa_keygen() {
b58e57
	if [ ! -s $ECDSA_KEY ]; then
b58e57
		echo -n $"Generating SSH2 ECDSA host key: "
b58e57
		rm -f $ECDSA_KEY
b58e57
		if test ! -f $ECDSA_KEY && $KEYGEN -q -t ecdsa -f $ECDSA_KEY -C '' -N '' >&/dev/null; then
b58e57
			chgrp ssh_keys $ECDSA_KEY
b58e57
			chmod 640 $ECDSA_KEY
b58e57
			chmod 644 $ECDSA_KEY.pub
b58e57
			if [ -x /sbin/restorecon ]; then
b58e57
			    /sbin/restorecon $ECDSA_KEY{,.pub}
b58e57
			fi
b58e57
			success $"ECDSA key generation"
b58e57
			echo
b58e57
		else
b58e57
			failure $"ECDSA key generation"
b58e57
			echo
b58e57
			exit 1
b58e57
		fi
b58e57
	fi
b58e57
}
b58e57
b58e57
do_ed25519_keygen() {
b58e57
	if [ ! -s $ED25519_KEY -a `fips_enabled` -eq 0 ]; then
b58e57
		echo -n $"Generating SSH2 ED25519 host key: "
b58e57
		rm -f $ED25519_KEY
b58e57
		if test ! -f $ED25519_KEY && $KEYGEN -q -t ed25519 -f $ED25519_KEY -C '' -N '' >&/dev/null; then
b58e57
			chgrp ssh_keys $ED25519_KEY
b58e57
			chmod 640 $ED25519_KEY
b58e57
			chmod 644 $ED25519_KEY.pub
b58e57
			if [ -x /sbin/restorecon ]; then
b58e57
			    /sbin/restorecon $ED25519_KEY{,.pub}
b58e57
			fi
b58e57
			success $"ED25519 key generation"
b58e57
			echo
b58e57
		else
b58e57
			failure $"ED25519 key generation"
b58e57
			echo
b58e57
			exit 1
b58e57
		fi
b58e57
	fi
b58e57
}
b58e57
b58e57
if [ "x${AUTOCREATE_SERVER_KEYS}" == "xNO" ]; then
b58e57
	exit 0
b58e57
fi
b58e57
b58e57
# legacy options
b58e57
case $AUTOCREATE_SERVER_KEYS in
b58e57
	NODSA) AUTOCREATE_SERVER_KEYS="RSA ECDSA ED25519";;
b58e57
	RSAONLY) AUTOCREATE_SERVER_KEYS="RSA";;
b58e57
	YES) AUTOCREATE_SERVER_KEYS="DSA RSA ECDSA ED25519";;
b58e57
esac
b58e57
b58e57
for KEY in $AUTOCREATE_SERVER_KEYS; do
b58e57
	case $KEY in
b58e57
		DSA) do_dsa_keygen;;
b58e57
		RSA) do_rsa_keygen;;
b58e57
		ECDSA) do_ecdsa_keygen;;
b58e57
		ED25519) do_ed25519_keygen;;
b58e57
	esac
b58e57
done