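#!/bin/bash
#
# Helper script that generates the runtime sshd configuration file.
#
# If the system-wide crypto policy is installed, the line holding the
# #{INCLUDE_CRYPTO_POLICY}# token in the configuration file is replaced with
# the policy contents. If it is not installed, the configuration file is
# copied unchanged to the runtime file that the sshd daemon will use.
#
# Arguments:
#   $1 - optional; the literal word "reload" requests a reload afterwards
#   $2 - PID that receives SIGHUP when $1 is "reload"
# Returns:
#   non-zero if the runtime file could not be written or secured, or if the
#   reload PID is not a positive decimal number.

SSHD_CONFIG="/etc/ssh/sshd_config"
SSHD_CONFIG_RUNTIME="/run/openssh/sshd_config"
CRYPTO_POLICIES="/etc/crypto-policies/back-ends/openssh.config"

# Print a diagnostic on stderr and stop with a failure status.
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

# The redirections below create the runtime file with the process umask and
# chmod only runs afterwards. Restricting the umask first means a newly
# created file is never readable by other users in between. An already
# existing file keeps its mode until the chmod below.
umask 077

# NOTE(review): `>` truncates the runtime file before cat/sed runs, so a
# failure leaves an empty or partial file behind. Stop here instead of going
# on to the reload; a daemon reading such a file would presumably fall back
# to built-in defaults rather than the administrator's settings.
if [ ! -f "$CRYPTO_POLICIES" ]; then
  # if not installed, copy just the template
  # (to overwrite potential old policy)
  cat "$SSHD_CONFIG" > "$SSHD_CONFIG_RUNTIME" \
    || die "cannot write $SSHD_CONFIG_RUNTIME"
else
  # do the substitution: read the policy file in at the token line, then
  # delete the token line itself.
  sed -e '/#{INCLUDE_CRYPTO_POLICY}#/ {' -e "r $CRYPTO_POLICIES" -e 'd' -e '}' \
    "$SSHD_CONFIG" > "$SSHD_CONFIG_RUNTIME" \
    || die "cannot write $SSHD_CONFIG_RUNTIME"
fi

# XXX should be taken care of in SELinux somehow
# set reasonable label if it gets the default (do not overwrite fixed)
if ls -Z -- "$SSHD_CONFIG_RUNTIME" | grep -q var_run_t; then
  chcon -t etc_t -- "$SSHD_CONFIG_RUNTIME"
fi

# makes sure we have sane permissions as the original file has.
chmod 600 -- "$SSHD_CONFIG_RUNTIME" \
  || die "cannot set permissions on $SSHD_CONFIG_RUNTIME"

# reload the service if requested
if [ "$1" = "reload" ]; then
  # Accept only a positive decimal PID. An empty, zero or negative argument
  # would make kill fail or address a process group (or every process)
  # instead of the single daemon, and an unquoted value could split into
  # several targets.
  [[ "$2" =~ ^[1-9][0-9]*$ ]] || die "reload requires a numeric PID, got '$2'"
  /bin/kill -HUP "$2"
fi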