diff --git a/sshd-keygen b/sshd-keygen index c34c7a7..d3c21a7 100644 --- a/sshd-keygen +++ b/sshd-keygen @@ -4,18 +4,35 @@ # # The creation is controlled by the $AUTOCREATE_SERVER_KEYS environment # variable. +AUTOCREATE_SERVER_KEYS="RSA ECDSA ED25519" -# source function library -. /etc/rc.d/init.d/functions - -# pull in sysconfig settings -[ -f /etc/sysconfig/sshd ] && . /etc/sysconfig/sshd +if [ -f /etc/rc.d/init.d/functions ]; then + # source function library + . /etc/rc.d/init.d/functions +else + # minimal implimantation of success and failure function + success() + { + echo -en $"[ OK ]\r" + return 0 + } + failure() + { + echo -en $"[FAILED]\r" + return 1 + } +fi # Some functions to make the below more readable KEYGEN=/usr/bin/ssh-keygen RSA1_KEY=/etc/ssh/ssh_host_key RSA_KEY=/etc/ssh/ssh_host_rsa_key DSA_KEY=/etc/ssh/ssh_host_dsa_key +ECDSA_KEY=/etc/ssh/ssh_host_ecdsa_key +ED25519_KEY=/etc/ssh/ssh_host_ed25519_key + +# pull in sysconfig settings +[ -f /etc/sysconfig/sshd ] && . /etc/sysconfig/sshd do_rsa1_keygen() { if [ ! -s $RSA1_KEY ]; then @@ -23,10 +40,10 @@ do_rsa1_keygen() { rm -f $RSA1_KEY if test ! -f $RSA1_KEY && $KEYGEN -q -t rsa1 -f $RSA1_KEY -C '' -N '' >&/dev/null; then chgrp ssh_keys $RSA1_KEY - chmod 600 $RSA1_KEY + chmod 640 $RSA1_KEY chmod 644 $RSA1_KEY.pub if [ -x /sbin/restorecon ]; then - /sbin/restorecon $RSA1_KEY.pub + /sbin/restorecon $RSA1_KEY{,.pub} fi success $"RSA1 key generation" echo @@ -44,10 +61,10 @@ do_rsa_keygen() { rm -f $RSA_KEY if test ! -f $RSA_KEY && $KEYGEN -q -t rsa -f $RSA_KEY -C '' -N '' >&/dev/null; then chgrp ssh_keys $RSA_KEY - chmod 600 $RSA_KEY + chmod 640 $RSA_KEY chmod 644 $RSA_KEY.pub if [ -x /sbin/restorecon ]; then - /sbin/restorecon $RSA_KEY.pub + /sbin/restorecon $RSA_KEY{,.pub} fi success $"RSA key generation" echo 
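Review bot: The new `AUTOCREATE_SERVER_KEYS="RSA ECDSA ED25519"` assignment in the first hunk unconditionally overwrites whatever the caller exported, while the header comment three lines above it still says key creation is controlled by the environment variable; after this change only /etc/sysconfig/sshd, sourced further down the hunk, can set it. If environment control is still intended, `AUTOCREATE_SERVER_KEYS="${AUTOCREATE_SERVER_KEYS:-RSA ECDSA ED25519}"` keeps both paths working; otherwise reword the comment to say the value is taken from /etc/sysconfig/sshd. The fallback block's comment also has a typo and should read `# minimal implementation of the success and failure functions`.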
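Review bot: The `chmod 640` and `restorecon` edits in the do_rsa1_keygen hunk touch a function that the new dispatch loop in the last hunk never calls: its `case` arms are DSA, RSA, ECDSA and ED25519, and the legacy `YES`/`NODSA`/`RSAONLY` mappings no longer include RSA1, so as far as this diff shows do_rsa1_keygen is now dead code. Either drop `do_rsa1_keygen` and `RSA1_KEY` in the same commit or put a comment above the function, `# not reachable from AUTOCREATE_SERVER_KEYS; kept for manual SSH1 key creation only`, so the next reader does not expect an SSH1 host key to be created. The function starts before and ends after this hunk.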
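Review bot: In the do_rsa_keygen hunk, `chgrp ssh_keys $RSA_KEY` is not checked and the line after it now widens the private key from 600 to 640, so on a system where the `ssh_keys` group does not exist the chgrp fails with a message on stderr but the key is still made group-readable by whatever group ssh-keygen created it with. Making the widening depend on the group change, `chgrp ssh_keys $RSA_KEY && chmod 640 $RSA_KEY`, keeps a failed chgrp from exposing the key, and a short comment such as `# 640 so the setgid ssh_keys helpers can read the key` would record why the mode is no longer 600 (the reason is inferred, not visible in the diff). The function starts before and ends after this hunk.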
@@ -65,10 +82,10 @@ do_dsa_keygen() {
 rm -f $DSA_KEY
 if test ! -f $DSA_KEY && $KEYGEN -q -t dsa -f $DSA_KEY -C '' -N '' >&/dev/null; then
 chgrp ssh_keys $DSA_KEY
- chmod 600 $DSA_KEY
+ chmod 640 $DSA_KEY
 chmod 644 $DSA_KEY.pub
 if [ -x /sbin/restorecon ]; then
- /sbin/restorecon $DSA_KEY.pub
+ /sbin/restorecon $DSA_KEY{,.pub}
 fi
 success $"DSA key generation"
 echo
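Review bot: `chgrp ssh_keys $DSA_KEY` has no error check, yet the following line now applies `chmod 640`, so when the `ssh_keys` group is missing the private DSA key is left readable by the group ssh-keygen assigned at creation rather than by the intended group. Tying the mode change to the group change, `chgrp ssh_keys $DSA_KEY && chmod 640 $DSA_KEY`, avoids widening the key on that path. Separately, OpenSSH DSA host keys are fixed at 1024 bits and recent OpenSSH releases refuse ssh-dss by default (upstream behaviour, not shown in this diff), so the legacy `YES` mapping that still generates one is worth a warning in the sysconfig documentation. The function starts before and ends after this hunk.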
@@ -80,11 +97,64 @@ do_dsa_keygen() { fi } -# Create keys if necessary -if [ "x${AUTOCREATE_SERVER_KEYS}" != xNO ]; then - do_rsa_keygen - if [ "x${AUTOCREATE_SERVER_KEYS}" != xRSAONLY ]; then - do_rsa1_keygen - do_dsa_keygen +do_ecdsa_keygen() { + if [ ! -s $ECDSA_KEY ]; then + echo -n $"Generating SSH2 ECDSA host key: " + rm -f $ECDSA_KEY + if test ! -f $ECDSA_KEY && $KEYGEN -q -t ecdsa -f $ECDSA_KEY -C '' -N '' >&/dev/null; then + chgrp ssh_keys $ECDSA_KEY + chmod 640 $ECDSA_KEY + chmod 644 $ECDSA_KEY.pub + if [ -x /sbin/restorecon ]; then + /sbin/restorecon $ECDSA_KEY{,.pub} + fi + success $"ECDSA key generation" + echo + else + failure $"ECDSA key generation" + echo + exit 1 + fi fi +} + +do_ed25519_keygen() { + if [ ! -s $ED25519_KEY ]; then + echo -n $"Generating SSH2 ED25519 host key: " + rm -f $ED25519_KEY + if test ! -f $ED25519_KEY && $KEYGEN -q -t ed25519 -f $ED25519_KEY -C '' -N '' >&/dev/null; then + chgrp ssh_keys $ED25519_KEY + chmod 640 $ED25519_KEY + chmod 644 $ED25519_KEY.pub + if [ -x /sbin/restorecon ]; then + /sbin/restorecon $ED25519_KEY{,.pub} + fi + success $"ED25519 key generation" + echo + else + failure $"ED25519 key generation" + echo + exit 1 + fi + fi +} + +if [ "x${AUTOCREATE_SERVER_KEYS}" == "xNO" ]; then + exit 0 fi + +# legacy options +case $AUTOCREATE_SERVER_KEYS in + NODSA) AUTOCREATE_SERVER_KEYS="RSA ECDSA ED25519";; + RSAONLY) AUTOCREATE_SERVER_KEYS="RSA";; + YES) AUTOCREATE_SERVER_KEYS="DSA RSA ECDSA ED25519";; +esac + +for KEY in $AUTOCREATE_SERVER_KEYS; do + case $KEY in + DSA) do_dsa_keygen;; + RSA) do_rsa_keygen;; + ECDSA) do_ecdsa_keygen;; + ED25519) do_ed25519_keygen;; + esac +done
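Review bot: The `for KEY in $AUTOCREATE_SERVER_KEYS` loop's `case` has no default arm, so a misspelt or lowercase entry from /etc/sysconfig/sshd (`rsa`, `ed25519`) is silently skipped and sshd can end up with no host key at all, a failure mode the old `!= xNO` branch did not have. Adding `*) echo "sshd-keygen: unknown key type '$KEY'" >&2; exit 1;;` (or at least the warning) makes a bad setting fail loudly at key-generation time instead of at the first connection. Both new keygen functions also run `chgrp ssh_keys` unchecked before `chmod 640`, so `chgrp ssh_keys $ECDSA_KEY && chmod 640 $ECDSA_KEY` (and the same for ED25519) would avoid widening a private key whose group change failed. The `fi`/`}` at the top of the hunk close do_dsa_keygen, which starts outside it.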