etc/rc.d/sshd

78344Sobrien#!/bin/sh
78344Sobrien#
98184Sgordon# $FreeBSD: stable/9/etc/rc.d/sshd 247461 2013-02-28 12:03:17Z des $
78344Sobrien#
78344Sobrien
78344Sobrien# PROVIDE: sshd
242153Sobrien# REQUIRE: LOGIN FILESYSTEMS
180564Sdougb# KEYWORD: shutdown
78344Sobrien
78344Sobrien. /etc/rc.subr
78344Sobrien
78344Sobrienname="sshd"
231653Sdougbrcvar="sshd_enable"
151586Syarcommand="/usr/sbin/${name}"
98184Sgordonkeygen_cmd="sshd_keygen"
98184Sgordonstart_precmd="sshd_precmd"
247461Sdesconfigtest_cmd="sshd_configtest"
78344Sobrienpidfile="/var/run/${name}.pid"
247461Sdesextra_commands="configtest keygen reload"
78344Sobrien
133110Smarkmtimeout=300
133110Smarkm
133110Smarkmuser_reseed()
133110Smarkm{
133110Smarkm	(
133110Smarkm	seeded=`sysctl -n kern.random.sys.seeded 2>/dev/null`
157655Sflz	if [ "x${seeded}" != "x" ] && [ ${seeded} -eq 0 ] ; then
133110Smarkm		warn "Setting entropy source to blocking mode."
133110Smarkm		echo "===================================================="
133110Smarkm		echo "Type a full screenful of random junk to unblock"
133110Smarkm		echo "it and remember to finish with <enter>. This will"
133110Smarkm		echo "timeout in ${timeout} seconds, but waiting for"
133110Smarkm		echo "the timeout without typing junk may make the"
133110Smarkm		echo "entropy source deliver predictable output."
133110Smarkm		echo ""
133110Smarkm		echo "Just hit <enter> for fast+insecure startup."
133110Smarkm		echo "===================================================="
133110Smarkm		sysctl kern.random.sys.seeded=0 2>/dev/null
133110Smarkm		read -t ${timeout} junk
133110Smarkm		echo "${junk}" `sysctl -a` `date` > /dev/random
133110Smarkm	fi
133110Smarkm	)
133110Smarkm}
133110Smarkm
78344Sobriensshd_keygen()
78344Sobrien{
98184Sgordon	(
98184Sgordon	umask 022
98184Sgordon
98184Sgordon	# Can't do anything if ssh is not installed
161530Sflz	[ -x /usr/bin/ssh-keygen ] || {
161530Sflz		warn "/usr/bin/ssh-keygen does not exist."
98184Sgordon		return 1
98184Sgordon	}
98184Sgordon
161530Sflz	if [ -f /etc/ssh/ssh_host_key ]; then
98184Sgordon		echo "You already have an RSA host key" \
161530Sflz		    "in /etc/ssh/ssh_host_key"
98184Sgordon		echo "Skipping protocol version 1 RSA Key Generation"
78344Sobrien	else
161530Sflz		/usr/bin/ssh-keygen -t rsa1 -b 1024 \
161530Sflz		    -f /etc/ssh/ssh_host_key -N ''
78344Sobrien	fi
78344Sobrien
161530Sflz	if [ -f /etc/ssh/ssh_host_dsa_key ]; then
98184Sgordon		echo "You already have a DSA host key" \
161530Sflz		    "in /etc/ssh/ssh_host_dsa_key"
98184Sgordon		echo "Skipping protocol version 2 DSA Key Generation"
78344Sobrien	else
161530Sflz		/usr/bin/ssh-keygen -t dsa -f /etc/ssh/ssh_host_dsa_key -N ''
78344Sobrien	fi
98184Sgordon
161530Sflz	if [ -f /etc/ssh/ssh_host_rsa_key ]; then
221420Sdes		echo "You already have an RSA host key" \
161530Sflz		    "in /etc/ssh/ssh_host_rsa_key"
98184Sgordon		echo "Skipping protocol version 2 RSA Key Generation"
98184Sgordon	else
161530Sflz		/usr/bin/ssh-keygen -t rsa -f /etc/ssh/ssh_host_rsa_key -N ''
98184Sgordon	fi
221420Sdes
221420Sdes	if [ -f /etc/ssh/ssh_host_ecdsa_key ]; then
221420Sdes		echo "You already have an ECDSA host key" \
221420Sdes		    "in /etc/ssh/ssh_host_ecdsa_key"
221420Sdes		echo "Skipping protocol version 2 ECDSA Key Generation"
221420Sdes	else
221420Sdes		/usr/bin/ssh-keygen -t ecdsa -f /etc/ssh/ssh_host_ecdsa_key -N ''
221420Sdes	fi
98184Sgordon	)
78344Sobrien}
78344Sobrien
247461Sdessshd_configtest()
247461Sdes{
247461Sdes	echo "Performing sanity check on ${name} configuration."
247461Sdes	eval ${command} ${sshd_flags} -t
247461Sdes}
247461Sdes
78344Sobriensshd_precmd()
78344Sobrien{
161530Sflz	if [ ! -f /etc/ssh/ssh_host_key -o \
161530Sflz	    ! -f /etc/ssh/ssh_host_dsa_key -o \
221420Sdes	    ! -f /etc/ssh/ssh_host_ecdsa_key -o \
161530Sflz	    ! -f /etc/ssh/ssh_host_rsa_key ]; then
133110Smarkm		user_reseed
98184Sgordon		run_rc_command keygen
78344Sobrien	fi
247461Sdes	sshd_configtest
78344Sobrien}
78344Sobrien
161530Sflzload_rc_config $name
78344Sobrienrun_rc_command "$1"