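#!/bin/sh
#
# $NetBSD: sshd,v 1.32 2022/05/15 11:47:42 martin Exp $
#
# rc.d script for sshd.  Besides the standard rc.subr commands it provides:
#   keygen   - create any ssh host key that does not exist yet
#   keyregen - delete and re-create every ssh host key
#   reload   - listed in extra_commands; handled by rc.subr
# "keygen" also runs as the start precommand, so a machine without host keys
# gets them on first start.

# PROVIDE: sshd
# REQUIRE: LOGIN

$_rc_subr_loaded . /etc/rc.subr

name="sshd"
rcvar=$name
command="/usr/sbin/${name}"
pidfile="/var/run/${name}.pid"
required_files="/etc/ssh/sshd_config"
extra_commands="keygen keyregen reload"

# sshd_motd_unsafe_keys_warning
#	Rewrite /etc/motd so that it carries the "UNSAFE KEYS WARNING" section
#	exactly when "sysctl -n kern.entropy.needed" reports a non-zero value.
#	Any existing warning section (from the marker line to end of file) is
#	stripped first, so the section is never duplicated and it disappears
#	again once the sysctl reads 0.
#	Runs in a subshell: umask and the scratch variables do not leak into
#	the caller.
sshd_motd_unsafe_keys_warning()
{
(
	umask 022
	# Scratch copy lives in /etc next to the target; the name is fixed,
	# which relies on /etc being writable by root only.
	T=/etc/_motd
	sed -E '/^-- UNSAFE KEYS WARNING:/,$d' < /etc/motd > "$T"
	# Capture the value first: with an empty result the bare
	# "[ $(...) -ne 0 ]" form is a malformed test.  An empty result is
	# treated as 0 (no warning), which is what the malformed test
	# evaluated to as well.
	needed=$(sysctl -n kern.entropy.needed)
	if [ "${needed:-0}" -ne 0 ]; then
		cat >> "$T" << _EOF
-- UNSAFE KEYS WARNING:

	The ssh host keys on this machine have been generated with
	not enough entropy configured, so may be predictable.

	To fix, follow the "Adding entropy" section in the entropy(7)
	man page and after this machine has enough entropy, re-generate
	the ssh host keys by running:

		sh /etc/rc.d/sshd keyregen
_EOF
	fi
	# Only touch /etc/motd when its content actually changes.
	cmp -s "$T" /etc/motd || cp "$T" /etc/motd
	rm -f "$T"
)
}

# sshd_keygen [force]
#	Generate the ssh host keys listed in the table below under /etc/ssh.
#	Without an argument only missing keys are created; with "force" every
#	key file is removed and generated again.
#	Table columns: key type, size, file name.  Size -1 passes no size
#	argument, size 0 passes ${ssh_keygen_flags} instead (not set in this
#	file; presumably from rc.conf), any other value is passed as
#	"-b <size>".
#	After each generation attempt the key's fingerprint is printed, and
#	the motd entropy warning is refreshed if at least one key was
#	(re)generated.
#	Runs in a subshell: umask and the scratch variables do not leak into
#	the caller.
sshd_keygen()
{
(
	keygen="/usr/bin/ssh-keygen"
	umask 022
	new_key_created=false
	# NOTE(review): the table still requests a 1024-bit DSA host key.
	# That size is below current key-strength recommendations and OpenSSH
	# has not offered ssh-dss by default since 7.0.  The entry is kept so
	# the set of generated keys is unchanged; confirm whether it is still
	# wanted.
	while read -r type bits filename; do
		f="/etc/ssh/$filename"
		if [ "$1" != "force" ] && [ -f "$f" ]; then
			continue
		fi
		rm -f "$f"
		case "${bits}" in
		-1)	bitarg=;;
		0)	bitarg="${ssh_keygen_flags}";;
		*)	bitarg="-b ${bits}";;
		esac
		# ${bitarg} is intentionally unquoted: it must split into
		# separate words ("-b", "<size>") or vanish when empty.
		# -N '' creates the key without a passphrase.
		"${keygen}" -t "${type}" ${bitarg} -f "${f}" -N '' -q && \
		    printf "ssh-keygen: " && "${keygen}" -f "${f}" -l
		# Set after every attempt, whether or not ssh-keygen succeeded.
		new_key_created=true
	done << _EOF
dsa	1024	ssh_host_dsa_key
ecdsa	521	ssh_host_ecdsa_key
ed25519	-1	ssh_host_ed25519_key
rsa	0	ssh_host_rsa_key
_EOF
	if "${new_key_created}"; then
		sshd_motd_unsafe_keys_warning
	fi
)
}

# sshd_precmd
#	Start precommand: create any missing host keys before sshd starts.
sshd_precmd()
{
	run_rc_command keygen
}

keygen_cmd=sshd_keygen
keyregen_cmd="sshd_keygen force"
start_precmd=sshd_precmd

load_rc_config $name
run_rc_command "$1"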