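#!/sbin/sh
#
# Copyright 2010 Sun Microsystems, Inc.  All rights reserved.
# Use is subject to license terms.
#
# Copyright 2016 Hans Rosenfeld <rosenfeld@grumpf.hope-2000.org>
#

#
# Method script for the ssh service.  It is invoked in three ways:
#
#   start / restart      SMF start and refresh methods
#   ipfilter <fmri>      regenerate the ipfilter rule files for the service
#   -c / -u              sysidconfig(8) / sys-unconfig(8) application
#
# fmri_to_file, get_policy, generate_rules, IPF_SUFFIX and IPF6_SUFFIX
# come from ipf_include.sh; the SMF_EXIT_* codes come from smf_include.sh.
#

. /lib/svc/share/ipf_include.sh
. /lib/svc/share/smf_include.sh

SSHDIR=/etc/ssh
KEYGEN="/usr/bin/ssh-keygen -q"
PIDFILE=/var/run/sshd.pid

#
# create_key KEYPATH KEYTYPE
#
# Generate the host key KEYPATH of type KEYTYPE (rsa, dsa, ...) if it does
# not exist yet and sshd_config names it as a HostKey.  A key file that is
# not referenced by sshd_config is deliberately left alone, so that an
# administrator who removed, say, the DSA HostKey line does not get a DSA
# key silently recreated.
#
# The key is created with an empty passphrase (-N ''); sshd cannot prompt
# for one at boot.  Failing to generate a key that the configuration
# requires is treated as a configuration error (SMF_EXIT_ERR_CONFIG).
#
# NOTE(review): recent OpenSSH releases refuse to generate DSA keys; on
# such a system a HostKey line for ssh_host_dsa_key makes this step fail
# when the ssh-keygen -A fallback below is taken.
#
create_key()
{
	keypath=$1
	keytype=$2

	if [ -f "$keypath" ]; then
		return 0
	fi

	#
	# HostKey keywords in sshd_config may be preceded or followed by a
	# mix of any number of spaces or tabs, and optionally have an =
	# between keyword and argument.  Two grep invocations let us match
	# HostKey case insensitively while keeping the case of the path
	# name significant.  The character classes below contain one
	# literal space and one literal tab.
	#
	if grep -i "^[ 	]*HostKey[ 	]*=\{0,1\}[ 	]*$keypath" \
	    "$SSHDIR/sshd_config" | grep "$keypath" > /dev/null 2>&1; then
		echo "Creating new $keytype public/private host key pair"
		# $KEYGEN is intentionally unquoted: it carries the -q flag.
		if ! $KEYGEN -f "$keypath" -t "$keytype" -N ''; then
			echo "Could not create $keytype key: $keypath" >&2
			exit $SMF_EXIT_ERR_CONFIG
		fi
	fi
}

#
# create_ipf_rules FMRI
#
# Write the ipfilter IPv4 and IPv6 rule files for the service instance
# FMRI, one rule per Port listed in sshd_config.  Both files are truncated
# first, so a configuration without any Port line yields files holding
# only the "# FMRI" marker line.
#
create_ipf_rules()
{
	FMRI=$1
	ipf_file=$(fmri_to_file "$FMRI" "$IPF_SUFFIX")
	ipf6_file=$(fmri_to_file "$FMRI" "$IPF6_SUFFIX")
	policy=$(get_policy "$FMRI")

	#
	# Collect the Port values from sshd_config.  As with HostKey above,
	# the keyword is case insensitive, may be indented and may be
	# separated from its argument by = and/or blanks; the character
	# classes hold one literal space and one literal tab.  Only the
	# first word after the keyword is kept.
	#
	tports=$(grep -i "^[ 	]*Port[ 	=]" "$SSHDIR/sshd_config" 2>/dev/null | \
	    sed 's/^[ 	]*[Pp][Oo][Rr][Tt][ 	=]*//' | awk '{print $1}')

	echo "# $FMRI" >"$ipf_file"
	echo "# $FMRI" >"$ipf6_file"
	for port in $tports; do
		#
		# The value is written verbatim into a firewall rule; skip
		# anything that is not a plain decimal number rather than
		# emitting a rule ipf would reject or misread.
		#
		case $port in
		''|*[!0-9]*)
			echo "$0: ignoring invalid Port value '$port'" \
			    "in $SSHDIR/sshd_config" >&2
			continue
			;;
		esac
		generate_rules "$FMRI" "$policy" "tcp" "$port" "$ipf_file"
		generate_rules "$FMRI" "$policy" "tcp" "$port" "$ipf6_file" _6
	done
}

#
# This script is used for two purposes: as part of an SMF
# start/stop/refresh method, and as a sysidconfig(8)/sys-unconfig(8)
# application.  The two callers use different arguments, dispatched below.
#
case $1 in
# sysidconfig/sys-unconfig arguments (-c and -u)
'-c')
	#
	# ssh-keygen -A creates every missing default host key in one go.
	# If it is unavailable or fails, fall back to creating the RSA and
	# DSA keys that sshd_config references.
	#
	if ! /usr/bin/ssh-keygen -A; then
		create_key "$SSHDIR/ssh_host_rsa_key" rsa
		create_key "$SSHDIR/ssh_host_dsa_key" dsa
	fi
	;;

'-u')
	# sys-unconfig(8) knows how to remove ssh host keys, so there's
	# nothing to do here.
	:
	;;

# SMF arguments (ipfilter, start and restart [really "refresh"])
'ipfilter')
	create_ipf_rules "$2"
	;;

'start')
	#
	# If host keys don't exist when the service is started, create
	# them; sysidconfig is not run in every situation (such as on
	# the install media).
	#
	if ! /usr/bin/ssh-keygen -A; then
		create_key "$SSHDIR/ssh_host_rsa_key" rsa
		create_key "$SSHDIR/ssh_host_dsa_key" dsa
	fi

	/usr/lib/ssh/sshd
	;;

'restart')
	#
	# Refresh: ask the running daemon to re-read its configuration.
	# Only act on the pid file if it holds a plain number; an empty or
	# corrupted file would otherwise become a malformed kill(1) call.
	# A stale but numeric pid cannot be detected here.
	#
	if [ -f "$PIDFILE" ]; then
		pid=$(/usr/bin/cat "$PIDFILE")
		case $pid in
		''|*[!0-9]*)
			echo "$0: $PIDFILE does not contain a pid" >&2
			exit 1
			;;
		esac
		/usr/bin/kill -HUP "$pid"
	fi
	;;

*)
	echo "Usage: $0 { start | restart | ipfilter <fmri> | -c | -u }" >&2
	exit 1
	;;
esac

exit $?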