#!/bin/bash # Create the host keys for the OpenSSH server. # # The creation is controlled by the $AUTOCREATE_SERVER_KEYS environment # variable. AUTOCREATE_SERVER_KEYS="RSA ECDSA ED25519" if [ -f /etc/rc.d/init.d/functions ]; then # source function library . /etc/rc.d/init.d/functions else # minimal implimantation of success and failure function success() { echo -en $"[ OK ]\r" return 0 } failure() { echo -en $"[FAILED]\r" return 1 } fi # Some functions to make the below more readable KEYGEN=/usr/bin/ssh-keygen RSA1_KEY=/etc/ssh/ssh_host_key RSA_KEY=/etc/ssh/ssh_host_rsa_key DSA_KEY=/etc/ssh/ssh_host_dsa_key ECDSA_KEY=/etc/ssh/ssh_host_ecdsa_key ED25519_KEY=/etc/ssh/ssh_host_ed25519_key # pull in sysconfig settings [ -f /etc/sysconfig/sshd ] && . /etc/sysconfig/sshd fips_enabled() { if [ -r /proc/sys/crypto/fips_enabled ]; then cat /proc/sys/crypto/fips_enabled else echo 0 fi } do_rsa1_keygen() { if [ ! -s $RSA1_KEY -a `fips_enabled` -eq 0 ]; then echo -n $"Generating SSH1 RSA host key: " rm -f $RSA1_KEY if test ! -f $RSA1_KEY && $KEYGEN -q -t rsa1 -f $RSA1_KEY -C '' -N '' >&/dev/null; then chgrp ssh_keys $RSA1_KEY chmod 640 $RSA1_KEY chmod 644 $RSA1_KEY.pub if [ -x /sbin/restorecon ]; then /sbin/restorecon $RSA1_KEY{,.pub} fi success $"RSA1 key generation" echo else failure $"RSA1 key generation" echo exit 1 fi fi } do_rsa_keygen() { if [ ! -s $RSA_KEY ]; then echo -n $"Generating SSH2 RSA host key: " rm -f $RSA_KEY if test ! -f $RSA_KEY && $KEYGEN -q -t rsa -f $RSA_KEY -C '' -N '' >&/dev/null; then chgrp ssh_keys $RSA_KEY chmod 640 $RSA_KEY chmod 644 $RSA_KEY.pub if [ -x /sbin/restorecon ]; then /sbin/restorecon $RSA_KEY{,.pub} fi success $"RSA key generation" echo else failure $"RSA key generation" echo exit 1 fi fi } do_dsa_keygen() { if [ ! -s $DSA_KEY -a `fips_enabled` -eq 0 ]; then echo -n $"Generating SSH2 DSA host key: " rm -f $DSA_KEY if test ! -f $DSA_KEY && $KEYGEN -q -t dsa -f $DSA_KEY -C '' -N '' >&/dev/null; then chgrp ssh_keys $DSA_KEY chmod 640 $DSA_KEY chmod 644 $DSA_KEY.pub if [ -x /sbin/restorecon ]; then /sbin/restorecon $DSA_KEY{,.pub} fi success $"DSA key generation" echo else failure $"DSA key generation" echo exit 1 fi fi } do_ecdsa_keygen() { if [ ! -s $ECDSA_KEY ]; then echo -n $"Generating SSH2 ECDSA host key: " rm -f $ECDSA_KEY if test ! -f $ECDSA_KEY && $KEYGEN -q -t ecdsa -f $ECDSA_KEY -C '' -N '' >&/dev/null; then chgrp ssh_keys $ECDSA_KEY chmod 640 $ECDSA_KEY chmod 644 $ECDSA_KEY.pub if [ -x /sbin/restorecon ]; then /sbin/restorecon $ECDSA_KEY{,.pub} fi success $"ECDSA key generation" echo else failure $"ECDSA key generation" echo exit 1 fi fi } do_ed25519_keygen() { if [ ! -s $ED25519_KEY -a `fips_enabled` -eq 0 ]; then echo -n $"Generating SSH2 ED25519 host key: " rm -f $ED25519_KEY if test ! -f $ED25519_KEY && $KEYGEN -q -t ed25519 -f $ED25519_KEY -C '' -N '' >&/dev/null; then chgrp ssh_keys $ED25519_KEY chmod 640 $ED25519_KEY chmod 644 $ED25519_KEY.pub if [ -x /sbin/restorecon ]; then /sbin/restorecon $ED25519_KEY{,.pub} fi success $"ED25519 key generation" echo else failure $"ED25519 key generation" echo exit 1 fi fi } if [ "x${AUTOCREATE_SERVER_KEYS}" == "xNO" ]; then exit 0 fi # legacy options case $AUTOCREATE_SERVER_KEYS in NODSA) AUTOCREATE_SERVER_KEYS="RSA ECDSA ED25519";; RSAONLY) AUTOCREATE_SERVER_KEYS="RSA";; YES) AUTOCREATE_SERVER_KEYS="DSA RSA ECDSA ED25519";; esac for KEY in $AUTOCREATE_SERVER_KEYS; do case $KEY in DSA) do_dsa_keygen;; RSA) do_rsa_keygen;; ECDSA) do_ecdsa_keygen;; ED25519) do_ed25519_keygen;; esac done