xref: /freebsd/libexec/rc/rc.d/sshd (revision 56b17de1e8360fe131d425de20b5e75ff3ea897c)
1#!/bin/sh
2#
3#
4
5# PROVIDE: sshd
6# REQUIRE: LOGIN FILESYSTEMS
7# KEYWORD: shutdown
8
9. /etc/rc.subr
10
11name="sshd"
12desc="Secure Shell Daemon"
13rcvar="sshd_enable"
14command="/usr/sbin/${name}"
15keygen_cmd="sshd_keygen"
16start_precmd="sshd_precmd"
17reload_precmd="sshd_configtest"
18restart_precmd="sshd_configtest"
19configtest_cmd="sshd_configtest"
20pidfile="/var/run/${name}.pid"
21extra_commands="configtest keygen reload"
22
23: ${sshd_rsa_enable:="yes"}
24: ${sshd_dsa_enable:="no"}
25: ${sshd_ecdsa_enable:="yes"}
26: ${sshd_ed25519_enable:="yes"}
27
28# sshd in a jail would not see other jails. As such exclude it from
29# svcj_all_enable="YES" by setting sshd_svcj to NO. This allows to
30# enable it in rc.conf.
31: ${sshd_svcj:="NO"}
32: ${sshd_svcj_options:="net_basic"}
33
34sshd_keygen_alg()
35{
36	local alg=$1
37	local ALG="$(echo $alg | tr a-z A-Z)"
38	local keyfile
39
40	if ! checkyesno "sshd_${alg}_enable" ; then
41		return 0
42	fi
43
44	case $alg in
45	rsa|dsa|ecdsa|ed25519)
46		keyfile="/etc/ssh/ssh_host_${alg}_key"
47		;;
48	*)
49		return 1
50		;;
51	esac
52
53	if [ -f "${keyfile}" ] ; then
54		info "$ALG host key exists."
55		return 0
56	fi
57
58	if [ ! -x /usr/bin/ssh-keygen ] ; then
59		warn "/usr/bin/ssh-keygen does not exist."
60		return 1
61	fi
62
63	echo "Generating $ALG host key."
64	/usr/bin/ssh-keygen -q -t $alg -f "$keyfile" -N ""
65	/usr/bin/ssh-keygen -l -f "$keyfile.pub"
66}
67
68sshd_keygen()
69{
70	sshd_keygen_alg rsa
71	sshd_keygen_alg dsa
72	sshd_keygen_alg ecdsa
73	sshd_keygen_alg ed25519
74}
75
76sshd_configtest()
77{
78	echo "Performing sanity check on ${name} configuration."
79	eval ${command} ${sshd_flags} -t
80}
81
82sshd_precmd()
83{
84	run_rc_command keygen
85	run_rc_command configtest
86}
87
88load_rc_config $name
89run_rc_command "$1"
90