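#!/bin/bash
#
# Create the host keys for the OpenSSH server.
#
# Arguments:
#   $1 - key type to generate: dsa, ed25519, rsa or ecdsa
#
# Exit status:
#    0  key pair created, or the key type was skipped because the kernel
#       reports FIPS mode (dsa and ed25519 only)
#    1  ssh-keygen failed
#   12  missing or unsupported key type
#   13  /usr/bin/ssh-keygen is not executable
#
# Security notes:
#   - The private key is written without a passphrase (-N ''), so its
#     confidentiality depends entirely on the ownership and mode set at the
#     end of this script.
#   - Any existing key pair of the requested type is deleted before the new
#     one is generated. If ssh-keygen then fails, the host is left without a
#     key of that type, and clients that pinned the old key will see a
#     host-key change once a new one exists.
#   - Failures of chgrp, chmod and restorecon are not checked; the script
#     still exits 0. Verify the resulting owner, mode and SELinux label when
#     auditing a host.

KEYTYPE=$1

# KEYTYPE is interpolated into a path under /etc/ssh below, so only the
# literal names listed here are accepted; anything else exits with 12 before
# any file is touched.
case "$KEYTYPE" in
	# DSA host keys are considered weak and are disabled by default in
	# current OpenSSH; generate one only if a legacy client requires it.
	"dsa") ;& # disabled in FIPS (falls through to the check below)
	"ed25519")
		FIPS=/proc/sys/crypto/fips_enabled
		# Skip silently (success) when the kernel reports FIPS mode.
		if [[ -r "$FIPS" && $(<"$FIPS") == "1" ]]; then
			exit 0
		fi ;;
	"rsa") ;; # always ok
	"ecdsa") ;;
	*) # wrong argument
		exit 12 ;;
esac
KEY="/etc/ssh/ssh_host_${KEYTYPE}_key"

KEYGEN=/usr/bin/ssh-keygen
if [[ ! -x "$KEYGEN" ]]; then
	exit 13
fi

# remove old keys (private and public half)
rm -f -- "$KEY"{,.pub}

# create new keys
# -C '' leaves the key comment empty, -N '' sets an empty passphrase so sshd
# can load the key unattended. All ssh-keygen output is discarded; the only
# failure signal is exit status 1.
if ! "$KEYGEN" -q -t "$KEYTYPE" -f "$KEY" -C '' -N '' >&/dev/null; then
	exit 1
fi

# sanitize permissions
# Private key: group ssh_keys, mode 0640 (owner read/write, group read).
# NOTE(review): presumably the group read bit exists for a setgid ssh_keys
# helper such as ssh-keysign - confirm for your distribution, and keep the
# membership of ssh_keys empty.
/usr/bin/chgrp ssh_keys "$KEY"
/usr/bin/chmod 640 "$KEY"
# Public key: world-readable.
/usr/bin/chmod 644 "$KEY.pub"
# Reset the SELinux context of both files when restorecon is available.
if [[ -x /usr/sbin/restorecon ]]; then
	/usr/sbin/restorecon "$KEY"{,.pub}
fi

exit 0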