#!/sbin/sh
#
# Copyright 2010 Sun Microsystems, Inc.  All rights reserved.
# Use is subject to license terms.
#

. /lib/svc/share/ipf_include.sh
. /lib/svc/share/smf_include.sh

# Where the running sshd records its pid; read by the 'restart' method.
PIDFILE="/var/run/sshd.pid"
# Directory holding sshd_config and the host keys handled by create_key.
SSHDIR="/etc/ssh"
# Host-key generator; -q keeps ssh-keygen quiet while the method runs.
KEYGEN="/usr/bin/ssh-keygen -q"

#
# create_key keypath keytype
#
# Generate the host key at keypath (ssh-keygen type keytype) when it is
# missing and sshd_config names that path on a HostKey line.  A key that
# sshd_config does not reference is left alone.  The key is created with
# an empty passphrase (-N '') because sshd has to load it unattended.
#
# Globals:  SSHDIR, KEYGEN, SMF_EXIT_ERR_CONFIG (all read)
# Exits:    with SMF_EXIT_ERR_CONFIG when ssh-keygen fails.
#
create_key()
{
	keypath=$1
	keytype=$2

	# Nothing to do when the key is already in place.
	if [ -f "$keypath" ]; then
		return 0
	fi

	#
	# HostKey keywords in sshd_config may be preceded or followed by any
	# mix of spaces and tabs, and may have an '=' between keyword and
	# argument.  The first grep matches the keyword case-insensitively;
	# the second keeps the comparison of the path name case-sensitive.
	# The bracket expressions contain one literal space and one literal
	# tab.
	#
	if grep -i "^[ 	]*HostKey[ 	]*=\{0,1\}[ 	]*$keypath" \
	    "$SSHDIR/sshd_config" | grep "$keypath" > /dev/null 2>&1; then
		echo "Creating new $keytype public/private host key pair"
		$KEYGEN -f "$keypath" -t "$keytype" -N '' || {
			echo "Could not create $keytype key: $keypath"
			exit $SMF_EXIT_ERR_CONFIG
		}
	fi
}

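#
# create_ipf_rules fmri
#
# Write the ipfilter rule file for this instance: one rule per port that
# sshd_config configures sshd to listen on.
#
# Globals:  SSHDIR (read), IPF_SUFFIX (read, from ipf_include.sh)
# Outputs:  the rule file named by fmri_to_file
#
create_ipf_rules()
{
	FMRI=$1
	ipf_file=`fmri_to_file ${FMRI} $IPF_SUFFIX`
	policy=`get_policy ${FMRI}`

	#
	# Collect the Port arguments from sshd_config, accepting the same
	# spellings create_key accepts for HostKey: the keyword is matched
	# case-insensitively, may be surrounded by spaces/tabs and may be
	# separated from its argument by an '='.  Only a purely numeric
	# argument is accepted, because the value is passed straight into
	# the generated firewall rule.  The bracket expressions contain one
	# literal space and one literal tab.
	#
	port_re='s/^[ 	]*[Pp][Oo][Rr][Tt][ 	]*=\{0,1\}[ 	]*\([0-9][0-9]*\)[ 	]*$/\1/p'
	tports=`sed -n "$port_re" "$SSHDIR/sshd_config" 2>/dev/null`

	#
	# NOTE(review): when sshd_config sets no Port at all, tports is empty
	# and no rule is written, so the port sshd falls back to is not
	# covered by the policy -- confirm that this is the intended result.
	#
	echo "# $FMRI" >"$ipf_file"
	for port in $tports; do
		generate_rules "$FMRI" "$policy" "tcp" "any" "$port" "$ipf_file"
	done
}
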
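# This script is being used for two purposes: as part of an SMF
# start/stop/refresh method, and as a sysidconfig(1M)/sys-unconfig(1M)
# application.
#
# The SMF methods and sysidconfig/sys-unconfig use different arguments:
#   -c / -u    sysidconfig / sys-unconfig
#   ipfilter   instance FMRI in $2; writes the ipfilter rule file
#   start      create any missing host keys, then run sshd
#   restart    SMF "refresh": send SIGHUP to the running sshd
#
# The exit status of the chosen branch is returned to the caller.

case "$1" in
	# sysidconfig/sys-unconfig arguments (-c and -u)
'-c')
	create_key "$SSHDIR/ssh_host_rsa_key" rsa
	create_key "$SSHDIR/ssh_host_dsa_key" dsa
	;;

'-u')
	# sys-unconfig(1M) knows how to remove ssh host keys, so there's
	# nothing to do here.
	:
	;;

	# SMF arguments (start and restart [really "refresh"])

'ipfilter')
	create_ipf_rules "$2"
	;;

'start')
	#
	# If host keys don't exist when the service is started, create
	# them; sysidconfig is not run in every situation (such as on
	# the install media).
	#
	create_key "$SSHDIR/ssh_host_rsa_key" rsa
	create_key "$SSHDIR/ssh_host_dsa_key" dsa

	/usr/lib/ssh/sshd
	;;

'restart')
	if [ -f "$PIDFILE" ]; then
		#
		# Only a plain decimal pid is handed to kill.  An empty or
		# corrupted pid file must not turn into "kill -HUP" with no
		# argument, or with a negative/special pid that would signal
		# far more than sshd.
		#
		pid=`/usr/bin/cat "$PIDFILE"`
		case "$pid" in
		''|*[!0-9]*)
			echo "$0: $PIDFILE does not contain a valid pid" >&2
			exit 1
			;;
		esac
		/usr/bin/kill -HUP "$pid"
	fi
	;;

*)
	echo "Usage: $0 { start | restart }"
	exit 1
	;;
esac

# Propagate the status of the last command run above (sshd, kill, ...).
exit $?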