xref: /illumos-gate/usr/src/cmd/ssh/etc/sshd (revision 8c6ffd5964f28b15919c0a4ad3d120f84cedbc3d)
1#!/sbin/sh
2#
3# Copyright 2010 Sun Microsystems, Inc.  All rights reserved.
4# Use is subject to license terms.
5#
6
7. /lib/svc/share/ipf_include.sh
8. /lib/svc/share/smf_include.sh
9
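# Directory holding sshd_config and the host key files.
SSHDIR="/etc/ssh"
# Key generator plus its quiet flag.  The value is a command followed by an
# option, so callers must expand it unquoted to let it split into two words.
KEYGEN="/usr/bin/ssh-keygen -q"
# File the 'restart' method reads the sshd process ID from.
PIDFILE="/var/run/sshd.pid"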
13
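#
# create_key <keypath> <keytype>
#
# Creates the host key file <keypath> of type <keytype> (the callers in this
# script pass rsa and dsa), but only when the file does not exist yet and
# $SSHDIR/sshd_config names it in a HostKey directive.  An existing key file
# is never overwritten.
#
# Globals:   SSHDIR, KEYGEN, SMF_EXIT_ERR_CONFIG (all read)
# Outputs:   progress and error messages on stdout
# Exits the script with $SMF_EXIT_ERR_CONFIG when key generation fails.
#
create_key()
{
	keypath=$1
	keytype=$2

	if [ ! -f "$keypath" ]; then
		#
		# HostKey keywords in sshd_config may be preceded or
		# followed by a mix of any number of space or tabs,
		# and optionally have an = between keyword and
		# argument.  We use two grep invocations such that we
		# can match HostKey case insensitively but still have
		# the case of the path name be significant, keeping
		# the pattern somewhat more readable.
		#
		# The character classes below contain one literal
		# space and one literal tab.
		#
		# NOTE(review): $keypath is used as a regular expression
		# and is not anchored at the end of the line, so a "." in
		# the path matches any character and a HostKey entry that
		# merely starts with this path also counts as a match.
		#
		grep -i "^[ 	]*HostKey[ 	]*=\{0,1\}[ 	]*$keypath" \
		    "$SSHDIR/sshd_config" | grep "$keypath" > /dev/null 2>&1

		if [ $? -eq 0 ]; then
			echo "Creating new $keytype public/private host key pair"
			#
			# $KEYGEN stays unquoted so that its "-q" option is
			# passed as a separate word.  -N '' gives the key an
			# empty passphrase, so the private key is protected
			# only by the permissions of the file ssh-keygen
			# writes.
			#
			$KEYGEN -f "$keypath" -t "$keytype" -N ''
			if [ $? -ne 0 ]; then
				echo "Could not create $keytype key: $keypath"
				exit $SMF_EXIT_ERR_CONFIG
			fi
		fi
	fi
}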
47
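#
# create_ipf_rules <fmri>
#
# Writes the IP Filter rule file for the service <fmri>: a comment line
# naming the service, then whatever generate_rules emits for each TCP port
# found in a Port directive of $SSHDIR/sshd_config.
#
# Globals:   SSHDIR, IPF_SUFFIX (read)
# Helpers:   fmri_to_file, get_policy and generate_rules are not defined in
#            this script; presumably they come from ipf_include.sh - confirm.
# Returns:   1 when no rule file name could be determined.
#
create_ipf_rules()
{
	FMRI=$1
	ipf_file=`fmri_to_file "${FMRI}" "$IPF_SUFFIX"`
	policy=`get_policy "${FMRI}"`

	# Without a file name the redirection below would fail.
	if [ -z "$ipf_file" ]; then
		return 1
	fi

	#
	# Get the port(s) from sshd_config.  As with HostKey in create_key,
	# the keyword is matched case insensitively, may be indented, and
	# may be separated from its value by an optional "=".  The second
	# sed expression cuts the value at the first non-digit, so only
	# numeric ports reach the generated firewall rules.
	#
	# The character classes below contain one literal space and one
	# literal tab.
	#
	# NOTE(review): when sshd_config has no Port directive, no rule is
	# generated here - confirm that is intended for the default port.
	#
	tports=`grep -i "^[ 	]*Port[ 	=]" "$SSHDIR/sshd_config" 2>/dev/null | \
	    sed -e 's/^[ 	]*[Pp][Oo][Rr][Tt][ 	]*=\{0,1\}[ 	]*//' -e 's/[^0-9].*$//'`

	echo "# $FMRI" >"$ipf_file"
	# $tports is expanded unquoted on purpose: one word per port.
	for port in $tports; do
		generate_rules "$FMRI" "$policy" "tcp" "any" "$port" "$ipf_file"
	done
}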
65
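#
# ensure_host_keys
#
# Makes sure host keys exist before sshd is configured or started.
# "ssh-keygen -A" generates the default host key types that are missing;
# only when it fails does the script fall back to creating the RSA and DSA
# keys one by one through create_key.
#
# NOTE(review): DSA host keys are limited to 1024 bits and are disabled by
# default in current OpenSSH releases - confirm the dsa fallback is still
# wanted.
#
ensure_host_keys()
{
	/usr/bin/ssh-keygen -A
	if [ $? -ne 0 ]; then
		create_key "$SSHDIR/ssh_host_rsa_key" rsa
		create_key "$SSHDIR/ssh_host_dsa_key" dsa
	fi
}

# This script is used for two purposes: as an SMF start/stop/refresh
# method, and as a sysidconfig(1M)/sys-unconfig(1M) application.
#
# The SMF methods and sysidconfig/sys-unconfig pass different arguments,
# so the first argument selects the mode.

case $1 in
	# sysidconfig/sys-unconfig arguments (-c and -u)
'-c')
	ensure_host_keys
	;;

'-u')
	# sys-unconfig(1M) knows how to remove ssh host keys, so there's
	# nothing to do here.
	:
	;;

	# SMF arguments (start and restart [really "refresh"])

'ipfilter')
	create_ipf_rules "$2"
	;;

'start')
	#
	# If host keys don't exist when the service is started, create
	# them; sysidconfig is not run in every situation (such as on
	# the install media).
	#
	ensure_host_keys

	/usr/lib/ssh/sshd
	;;

'restart')
	if [ -f "$PIDFILE" ]; then
		pid=`/usr/bin/cat "$PIDFILE"`
		#
		# Signal only a plain positive process ID.  An empty or
		# garbled pid file would otherwise hand kill no target or
		# an arbitrary word, and 0 would address a whole process
		# group.
		#
		# NOTE(review): nothing here verifies that the PID still
		# belongs to sshd; a stale pid file can name an unrelated
		# process.
		#
		case $pid in
		''|0*|*[!0-9]*)
			echo "$PIDFILE does not contain a valid process ID" >&2
			exit 1
			;;
		esac
		/usr/bin/kill -HUP "$pid"
	fi
	;;

*)
	# List every mode the case statement above accepts.
	echo "Usage: $0 { start | restart | ipfilter <fmri> | -c | -u }"
	exit 1
	;;
esac

# Propagate the status of the selected branch to SMF or sysidconfig.
exit $?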
123