xref: /illumos-gate/usr/src/cmd/ssh/etc/sshd (revision b5358705b92a175b02aad08cd1c6b83dc69e2ae6)
1#!/sbin/sh
2#
3# Copyright 2010 Sun Microsystems, Inc.  All rights reserved.
4# Use is subject to license terms.
5#
6# Copyright 2016 Hans Rosenfeld <rosenfeld@grumpf.hope-2000.org>
7#
8
9. /lib/svc/share/ipf_include.sh
10. /lib/svc/share/smf_include.sh
11
12SSHDIR=/etc/ssh
13KEYGEN="/usr/bin/ssh-keygen -q"
14PIDFILE=/var/run/sshd.pid
15
16# Checks to see if RSA, and DSA host keys are available
17# if any of these keys are not present, the respective keys are created.
18create_key()
19{
20	keypath=$1
21	keytype=$2
22
23	if [ ! -f $keypath ]; then
24		#
25		# HostKey keywords in sshd_config may be preceded or
26		# followed by a mix of any number of space or tabs,
27		# and optionally have an = between keyword and
28		# argument.  We use two grep invocations such that we
29		# can match HostKey case insensitively but still have
30		# the case of the path name be significant, keeping
31		# the pattern somewhat more readable.
32		#
33		# The character classes below contain one literal
34		# space and one literal tab.
35		#
36		grep -i "^[ 	]*HostKey[ 	]*=\{0,1\}[ 	]*$keypath" \
37		    $SSHDIR/sshd_config | grep "$keypath" > /dev/null 2>&1
38
39		if [ $? -eq 0 ]; then
40			echo Creating new $keytype public/private host key pair
41			$KEYGEN -f $keypath -t $keytype -N ''
42			if [ $? -ne 0 ]; then
43				echo "Could not create $keytype key: $keypath"
44				exit $SMF_EXIT_ERR_CONFIG
45			fi
46		fi
47	fi
48}
49
50create_ipf_rules()
51{
52	FMRI=$1
53	ipf_file=`fmri_to_file ${FMRI} $IPF_SUFFIX`
54	ipf6_file=`fmri_to_file ${FMRI} $IPF6_SUFFIX`
55	policy=`get_policy ${FMRI}`
56
57	#
58	# Get port from /etc/ssh/sshd_config
59	#
60	tports=`grep "^Port" /etc/ssh/sshd_config 2>/dev/null | \
61	    awk '{print $2}'`
62
63	echo "# $FMRI" >$ipf_file
64	echo "# $FMRI" >$ipf6_file
65	for port in $tports; do
66		generate_rules $FMRI $policy "tcp" $port $ipf_file
67		generate_rules $FMRI $policy "tcp" $port $ipf6_file _6
68	done
69}
70
71# This script is being used for two purposes: as part of an SMF
72# start/stop/refresh method, and as a sysidconfig(1M)/sys-unconfig(1M)
73# application.
74#
75# Both, the SMF methods and sysidconfig/sys-unconfig use different
76# arguments..
77
78case $1 in
79	# sysidconfig/sys-unconfig arguments (-c and -u)
80'-c')
81	/usr/bin/ssh-keygen -A
82	if [ $? -ne 0 ]; then
83		create_key $SSHDIR/ssh_host_rsa_key rsa
84		create_key $SSHDIR/ssh_host_dsa_key dsa
85	fi
86	;;
87
88'-u')
89	# sys-unconfig(1M) knows how to remove ssh host keys, so there's
90	# nothing to do here.
91	:
92	;;
93
94	# SMF arguments (start and restart [really "refresh"])
95
96'ipfilter')
97	create_ipf_rules $2
98	;;
99
100'start')
101	#
102	# If host keys don't exist when the service is started, create
103	# them; sysidconfig is not run in every situation (such as on
104	# the install media).
105	#
106	/usr/bin/ssh-keygen -A
107	if [ $? -ne 0 ]; then
108		create_key $SSHDIR/ssh_host_rsa_key rsa
109		create_key $SSHDIR/ssh_host_dsa_key dsa
110	fi
111
112	/usr/lib/ssh/sshd
113	;;
114
115'restart')
116	if [ -f "$PIDFILE" ]; then
117		/usr/bin/kill -HUP `/usr/bin/cat $PIDFILE`
118	fi
119	;;
120
121*)
122	echo "Usage: $0 { start | restart }"
123	exit 1
124	;;
125esac
126
127exit $?
128