| #!/bin/bash |
| |
| # Create the host keys for the OpenSSH server. |
| # |
| # The creation is controlled by the $AUTOCREATE_SERVER_KEYS environment |
| # variable. |
| AUTOCREATE_SERVER_KEYS="RSA ECDSA ED25519" |
| |
| # source function library |
| . /etc/rc.d/init.d/functions |
| |
| # Some functions to make the below more readable |
| KEYGEN=/usr/bin/ssh-keygen |
| RSA1_KEY=/etc/ssh/ssh_host_key |
| RSA_KEY=/etc/ssh/ssh_host_rsa_key |
| DSA_KEY=/etc/ssh/ssh_host_dsa_key |
| ECDSA_KEY=/etc/ssh/ssh_host_ecdsa_key |
| ED25519_KEY=/etc/ssh/ssh_host_ed25519_key |
| |
| # pull in sysconfig settings |
| [ -f /etc/sysconfig/sshd ] && . /etc/sysconfig/sshd |
| |
| fips_enabled() { |
| if [ -r /proc/sys/crypto/fips_enabled ]; then |
| cat /proc/sys/crypto/fips_enabled |
| else |
| echo 0 |
| fi |
| } |
| |
| do_rsa1_keygen() { |
| if [ ! -s $RSA1_KEY -a `fips_enabled` -eq 0 ]; then |
| echo -n $"Generating SSH1 RSA host key: " |
| rm -f $RSA1_KEY |
| if test ! -f $RSA1_KEY && $KEYGEN -q -t rsa1 -f $RSA1_KEY -C '' -N '' >&/dev/null; then |
| chgrp ssh_keys $RSA1_KEY |
| chmod 640 $RSA1_KEY |
| chmod 644 $RSA1_KEY.pub |
| if [ -x /sbin/restorecon ]; then |
| /sbin/restorecon $RSA1_KEY{,.pub} |
| fi |
| success $"RSA1 key generation" |
| echo |
| else |
| failure $"RSA1 key generation" |
| echo |
| exit 1 |
| fi |
| fi |
| } |
| |
| do_rsa_keygen() { |
| if [ ! -s $RSA_KEY ]; then |
| echo -n $"Generating SSH2 RSA host key: " |
| rm -f $RSA_KEY |
| if test ! -f $RSA_KEY && $KEYGEN -q -t rsa -f $RSA_KEY -C '' -N '' >&/dev/null; then |
| chgrp ssh_keys $RSA_KEY |
| chmod 640 $RSA_KEY |
| chmod 644 $RSA_KEY.pub |
| if [ -x /sbin/restorecon ]; then |
| /sbin/restorecon $RSA_KEY{,.pub} |
| fi |
| success $"RSA key generation" |
| echo |
| else |
| failure $"RSA key generation" |
| echo |
| exit 1 |
| fi |
| fi |
| } |
| |
| do_dsa_keygen() { |
| if [ ! -s $DSA_KEY -a `fips_enabled` -eq 0 ]; then |
| echo -n $"Generating SSH2 DSA host key: " |
| rm -f $DSA_KEY |
| if test ! -f $DSA_KEY && $KEYGEN -q -t dsa -f $DSA_KEY -C '' -N '' >&/dev/null; then |
| chgrp ssh_keys $DSA_KEY |
| chmod 640 $DSA_KEY |
| chmod 644 $DSA_KEY.pub |
| if [ -x /sbin/restorecon ]; then |
| /sbin/restorecon $DSA_KEY{,.pub} |
| fi |
| success $"DSA key generation" |
| echo |
| else |
| failure $"DSA key generation" |
| echo |
| exit 1 |
| fi |
| fi |
| } |
| |
| do_ecdsa_keygen() { |
| if [ ! -s $ECDSA_KEY ]; then |
| echo -n $"Generating SSH2 ECDSA host key: " |
| rm -f $ECDSA_KEY |
| if test ! -f $ECDSA_KEY && $KEYGEN -q -t ecdsa -f $ECDSA_KEY -C '' -N '' >&/dev/null; then |
| chgrp ssh_keys $ECDSA_KEY |
| chmod 640 $ECDSA_KEY |
| chmod 644 $ECDSA_KEY.pub |
| if [ -x /sbin/restorecon ]; then |
| /sbin/restorecon $ECDSA_KEY{,.pub} |
| fi |
| success $"ECDSA key generation" |
| echo |
| else |
| failure $"ECDSA key generation" |
| echo |
| exit 1 |
| fi |
| fi |
| } |
| |
| do_ed25519_keygen() { |
| if [ ! -s $ED25519_KEY -a `fips_enabled` -eq 0 ]; then |
| echo -n $"Generating SSH2 ED25519 host key: " |
| rm -f $ED25519_KEY |
| if test ! -f $ED25519_KEY && $KEYGEN -q -t ed25519 -f $ED25519_KEY -C '' -N '' >&/dev/null; then |
| chgrp ssh_keys $ED25519_KEY |
| chmod 640 $ED25519_KEY |
| chmod 644 $ED25519_KEY.pub |
| if [ -x /sbin/restorecon ]; then |
| /sbin/restorecon $ED25519_KEY{,.pub} |
| fi |
| success $"ED25519 key generation" |
| echo |
| else |
| failure $"ED25519 key generation" |
| echo |
| exit 1 |
| fi |
| fi |
| } |
| |
| if [ "x${AUTOCREATE_SERVER_KEYS}" == "xNO" ]; then |
| exit 0 |
| fi |
| |
| # legacy options |
| case $AUTOCREATE_SERVER_KEYS in |
| NODSA) AUTOCREATE_SERVER_KEYS="RSA ECDSA ED25519";; |
| RSAONLY) AUTOCREATE_SERVER_KEYS="RSA";; |
| YES) AUTOCREATE_SERVER_KEYS="DSA RSA ECDSA ED25519";; |
| esac |
| |
| for KEY in $AUTOCREATE_SERVER_KEYS; do |
| case $KEY in |
| DSA) do_dsa_keygen;; |
| RSA) do_rsa_keygen;; |
| ECDSA) do_ecdsa_keygen;; |
| ED25519) do_ed25519_keygen;; |
| esac |
| done |