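#!/bin/bash

# Create the host keys for the OpenSSH server.
#
# Usage: sshd-keygen KEYTYPE        (KEYTYPE is one of: rsa ecdsa ed25519 dsa)
#
# Writes /etc/ssh/ssh_host_${KEYTYPE}_key and the matching .pub file with an
# empty passphrase, then tightens ownership and mode on the private key.
#
# WARNING: an existing key of the requested type is deleted and replaced.
# Rotating a host key invalidates the known_hosts entry every client holds
# for this host, so this should only run when no key exists yet; the caller
# is expected to gate on the key's absence (confirm against the service
# unit that invokes this script), nothing here checks for it.
#
# Exit status:
#    0  key created, or the type is disabled in FIPS mode (nothing written)
#    1  ssh-keygen failed
#   12  unknown or missing key type
#   13  ssh-keygen binary is not executable

KEYTYPE=$1

case "$KEYTYPE" in
	dsa) ;&        # disabled in FIPS; falls through to the same check as ed25519
	ed25519)
		FIPS=/proc/sys/crypto/fips_enabled
		if [[ -r "$FIPS" && $(< "$FIPS") == "1" ]]; then
			# Not an error: on a FIPS host this key type is simply a no-op.
			exit 0
		fi ;;
	rsa) ;;        # always permitted
	ecdsa) ;;
	*)             # wrong or missing argument
		exit 12 ;;
esac

# KEYTYPE is now one of four fixed words, so it is safe to embed in a path.
KEY=/etc/ssh/ssh_host_${KEYTYPE}_key

KEYGEN=/usr/bin/ssh-keygen
if [[ ! -x "$KEYGEN" ]]; then
	exit 13
fi

# remove old keys (see the WARNING above)
rm -f -- "$KEY" "$KEY.pub"

# create new keys
#   -N ''  host keys must be unencrypted so sshd can load them unattended.
#   -C ''  no comment, so no user@hostname string lands in the .pub file.
# Only stdout is silenced; stderr is left alone so the reason for a failure
# reaches the journal instead of being swallowed before the bare "exit 1".
if ! "$KEYGEN" -q -t "$KEYTYPE" -f "$KEY" -C '' -N '' >/dev/null; then
	exit 1
fi

# sanitize permissions
# Only widen the private key to 0640 once it actually belongs to the
# ssh_keys group. If chgrp fails (e.g. the group does not exist on this
# system) fall back to 0600 rather than making the key readable by whatever
# group it currently has.
if /usr/bin/chgrp ssh_keys "$KEY"; then
	/usr/bin/chmod 640 "$KEY"
else
	/usr/bin/chmod 600 "$KEY"
fi
/usr/bin/chmod 644 "$KEY.pub"

# Restore SELinux labels when the tool is present; best effort, a failure
# here is not treated as fatal (matching the original behaviour).
if [[ -x /usr/sbin/restorecon ]]; then
	/usr/sbin/restorecon "$KEY" "$KEY.pub"
fi

exit 0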