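#!/bin/bash

# Create the host keys for the OpenSSH server.
#
# Usage: sshd-keygen KEYTYPE
#   KEYTYPE is one of: dsa, ed25519, rsa, ecdsa
#
# Environment (optional, typically set from the sshd sysconfig file):
#   SSH_RSA_BITS    key length passed as "-b" for rsa   (decimal digits only)
#   SSH_ECDSA_BITS  key length passed as "-b" for ecdsa (decimal digits only)
#
# Exit status:
#   0   key created, or the key type was skipped because FIPS mode is on
#   1   ssh-keygen failed
#   12  unknown key type, or a malformed *_BITS value
#   13  /usr/bin/ssh-keygen is missing or not executable

KEYTYPE=$1

# Extra ssh-keygen arguments. Kept as an array so a value can never be
# word-split into more than one argument on the ssh-keygen command line.
KEYGEN_OPTS=()

# require_digits NAME VALUE
# Abort with status 12 unless VALUE is a plain decimal number. The value is
# spliced into the ssh-keygen argument list, so anything else (whitespace,
# a leading '-') could smuggle extra options in through the environment.
require_digits() {
	if [[ ! "$2" =~ ^[0-9]+$ ]]; then
		printf '%s: %s must be a decimal number, got %s\n' "$0" "$1" "$2" >&2
		exit 12
	fi
}

case "$KEYTYPE" in
	"dsa") ;& # disabled in FIPS; falls through to the FIPS check below
	"ed25519")
		FIPS=/proc/sys/crypto/fips_enabled
		# These algorithms are not available in FIPS mode: exit successfully
		# without creating anything so the calling unit does not fail.
		if [[ -r "$FIPS" && $(cat "$FIPS") == "1" ]]; then
			exit 0
		fi ;;
	"rsa") # always ok
		if [[ -n "$SSH_RSA_BITS" ]]; then
			require_digits SSH_RSA_BITS "$SSH_RSA_BITS"
			KEYGEN_OPTS=(-b "$SSH_RSA_BITS")
		fi ;;
	"ecdsa")
		if [[ -n "$SSH_ECDSA_BITS" ]]; then
			require_digits SSH_ECDSA_BITS "$SSH_ECDSA_BITS"
			KEYGEN_OPTS=(-b "$SSH_ECDSA_BITS")
		fi ;;
	*) # wrong argument (including no argument at all)
		exit 12 ;;
esac

# KEYTYPE has been checked against the fixed list above, so it is safe to
# use as part of a path under /etc/ssh.
KEY=/etc/ssh/ssh_host_${KEYTYPE}_key

KEYGEN=/usr/bin/ssh-keygen
if [[ ! -x "$KEYGEN" ]]; then
	exit 13
fi

# remove old keys
rm -f -- "$KEY" "$KEY.pub"

# create new keys: no comment, no passphrase.
# ssh-keygen output is discarded to keep the unit quiet, so a failure is
# only reported through the exit status (1).
if ! "$KEYGEN" -q -t "$KEYTYPE" "${KEYGEN_OPTS[@]}" -f "$KEY" -C '' -N '' >&/dev/null; then
	exit 1
fi

# sanitize permissions: the private key is readable by root and the
# ssh_keys group only, the public key is world-readable. Failures here are
# deliberately not fatal (e.g. a missing ssh_keys group leaves the key
# owned by root with the mode ssh-keygen gave it, which is still private).
/usr/bin/chgrp ssh_keys "$KEY"
/usr/bin/chmod 640 "$KEY"
/usr/bin/chmod 644 "$KEY.pub"
if [[ -x /usr/sbin/restorecon ]]; then
	/usr/sbin/restorecon "$KEY" "$KEY.pub"
fi

exit 0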