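#!/bin/bash

# Create the host keys for the OpenSSH server.
#
# Usage: sshd-keygen KEYTYPE
#   KEYTYPE is one of: dsa, ed25519, rsa, ecdsa
#
# The new key pair is generated in a private scratch directory inside
# /etc/ssh and only renamed into place once ssh-keygen has succeeded, so a
# failed run never leaves the host without a previously working key of that
# type.
#
# Exit status:
#    0  key pair installed, or the type is disabled in FIPS mode and was skipped
#    1  key generation or installation failed (existing key left untouched)
#   12  unknown or missing key type
#   13  ssh-keygen is missing or not executable

KEYTYPE=${1-}

case $KEYTYPE in
	"dsa") ;& # disabled in FIPS
	"ed25519")
		FIPS=/proc/sys/crypto/fips_enabled
		if [[ -r "$FIPS" && $(cat "$FIPS") == "1" ]]; then
			exit 0
		fi ;;
	"rsa") ;; # always ok
	"ecdsa") ;;
	*) # wrong argument
		exit 12 ;;
esac

KEYDIR=/etc/ssh
KEY=$KEYDIR/ssh_host_${KEYTYPE}_key

KEYGEN=/usr/bin/ssh-keygen

if [[ ! -x "$KEYGEN" ]]; then
	exit 13
fi

# Scratch directory on the same filesystem as the final key path, so the
# install below is a rename rather than a copy. mktemp -d creates it 0700.
# The trap removes it on every exit path, including the error exits below.
TMPKEYDIR=$(mktemp -d "$KEYDIR/.ssh_host_${KEYTYPE}_key.XXXXXX") || exit 1
trap 'rm -rf -- "${TMPKEYDIR:?}"' EXIT

# create new keys
NEWKEY=$TMPKEYDIR/key
if ! "$KEYGEN" -q -t "$KEYTYPE" -f "$NEWKEY" -C '' -N '' >&/dev/null; then
	exit 1
fi

# sanitize permissions while the pair is still in the private scratch
# directory, i.e. before it becomes reachable at its final path.
# chgrp is best-effort as before: if the ssh_keys group is absent the key
# stays root-owned, which is no less restrictive.
/usr/bin/chgrp ssh_keys "$NEWKEY"
/usr/bin/chmod 640 "$NEWKEY"
/usr/bin/chmod 644 "$NEWKEY.pub"

# remove old keys and install the new pair
rm -f -- "$KEY" "$KEY.pub"
mv -f -- "$NEWKEY" "$KEY" || exit 1
mv -f -- "$NEWKEY.pub" "$KEY.pub" || exit 1

# relabel at the final path: the SELinux context depends on the location
if [[ -x /usr/sbin/restorecon ]]; then
	/usr/sbin/restorecon "$KEY" "$KEY.pub"
fi

exit 0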