openssh/sshd-keygen

#!/bin/bash

# Create the host keys for the OpenSSH server.
#
# The creation is controlled by the $AUTOCREATE_SERVER_KEYS environment
# variable.
AUTOCREATE_SERVER_KEYS="RSA ECDSA ED25519"

# source function library
. /etc/rc.d/init.d/functions

# Some functions to make the below more readable
KEYGEN=/usr/bin/ssh-keygen
RSA1_KEY=/etc/ssh/ssh_host_key
RSA_KEY=/etc/ssh/ssh_host_rsa_key
DSA_KEY=/etc/ssh/ssh_host_dsa_key
ECDSA_KEY=/etc/ssh/ssh_host_ecdsa_key
ED25519_KEY=/etc/ssh/ssh_host_ed25519_key

# pull in sysconfig settings
[ -f /etc/sysconfig/sshd ] && . /etc/sysconfig/sshd

fips_enabled() {
	if [ -r /proc/sys/crypto/fips_enabled ]; then
		cat /proc/sys/crypto/fips_enabled
	else
		echo 0
	fi
}

do_rsa1_keygen() {
	if [ ! -s $RSA1_KEY -a `fips_enabled` -eq 0 ]; then
		echo -n $"Generating SSH1 RSA host key: "
		rm -f $RSA1_KEY
		if test ! -f $RSA1_KEY && $KEYGEN -q -t rsa1 -f $RSA1_KEY -C '' -N '' >&/dev/null; then
			chgrp ssh_keys $RSA1_KEY
			chmod 640 $RSA1_KEY
			chmod 644 $RSA1_KEY.pub
			if [ -x /sbin/restorecon ]; then
			    /sbin/restorecon $RSA1_KEY{,.pub}
			fi
			success $"RSA1 key generation"
			echo
		else
			failure $"RSA1 key generation"
			echo
			exit 1
		fi
	fi
}

do_rsa_keygen() {
	if [ ! -s $RSA_KEY ]; then
		echo -n $"Generating SSH2 RSA host key: "
		rm -f $RSA_KEY
		if test ! -f $RSA_KEY && $KEYGEN -q -t rsa -f $RSA_KEY -C '' -N '' >&/dev/null; then
			chgrp ssh_keys $RSA_KEY
			chmod 640 $RSA_KEY
			chmod 644 $RSA_KEY.pub
			if [ -x /sbin/restorecon ]; then
			    /sbin/restorecon $RSA_KEY{,.pub}
			fi
			success $"RSA key generation"
			echo
		else
			failure $"RSA key generation"
			echo
			exit 1
		fi
	fi
}

do_dsa_keygen() {
	if [ ! -s $DSA_KEY -a `fips_enabled` -eq 0 ]; then
		echo -n $"Generating SSH2 DSA host key: "
		rm -f $DSA_KEY
		if test ! -f $DSA_KEY && $KEYGEN -q -t dsa -f $DSA_KEY -C '' -N '' >&/dev/null; then
			chgrp ssh_keys $DSA_KEY
			chmod 640 $DSA_KEY
			chmod 644 $DSA_KEY.pub
			if [ -x /sbin/restorecon ]; then
			    /sbin/restorecon $DSA_KEY{,.pub}
			fi
			success $"DSA key generation"
			echo
		else
			failure $"DSA key generation"
			echo
			exit 1
		fi
	fi
}

do_ecdsa_keygen() {
	if [ ! -s $ECDSA_KEY ]; then
		echo -n $"Generating SSH2 ECDSA host key: "
		rm -f $ECDSA_KEY
		if test ! -f $ECDSA_KEY && $KEYGEN -q -t ecdsa -f $ECDSA_KEY -C '' -N '' >&/dev/null; then
			chgrp ssh_keys $ECDSA_KEY
			chmod 640 $ECDSA_KEY
			chmod 644 $ECDSA_KEY.pub
			if [ -x /sbin/restorecon ]; then
			    /sbin/restorecon $ECDSA_KEY{,.pub}
			fi
			success $"ECDSA key generation"
			echo
		else
			failure $"ECDSA key generation"
			echo
			exit 1
		fi
	fi
}

do_ed25519_keygen() {
	if [ ! -s $ED25519_KEY -a `fips_enabled` -eq 0 ]; then
		echo -n $"Generating SSH2 ED25519 host key: "
		rm -f $ED25519_KEY
		if test ! -f $ED25519_KEY && $KEYGEN -q -t ed25519 -f $ED25519_KEY -C '' -N '' >&/dev/null; then
			chgrp ssh_keys $ED25519_KEY
			chmod 640 $ED25519_KEY
			chmod 644 $ED25519_KEY.pub
			if [ -x /sbin/restorecon ]; then
			    /sbin/restorecon $ED25519_KEY{,.pub}
			fi
			success $"ED25519 key generation"
			echo
		else
			failure $"ED25519 key generation"
			echo
			exit 1
		fi
	fi
}

if [ "x${AUTOCREATE_SERVER_KEYS}" == "xNO" ]; then
	exit 0
fi

# legacy options
case $AUTOCREATE_SERVER_KEYS in
	NODSA) AUTOCREATE_SERVER_KEYS="RSA ECDSA ED25519";;
	RSAONLY) AUTOCREATE_SERVER_KEYS="RSA";;
	YES) AUTOCREATE_SERVER_KEYS="DSA RSA ECDSA ED25519";;
esac

for KEY in $AUTOCREATE_SERVER_KEYS; do
	case $KEY in
		DSA) do_dsa_keygen;;
		RSA) do_rsa_keygen;;
		ECDSA) do_ecdsa_keygen;;
		ED25519) do_ed25519_keygen;;
	esac
done
Systemd compatibility according to Mathieu Bridon <bochecha@fedoraproject.org> Split out the host keygen into their own command, to ease future migration to systemd. Compatitbility with the init script was kept. Migrate the package to full native systemd unit files, according to the Fedora packaging guidelines. Prepate the unit files for running an ondemand server. (do not add it actually) 2011-06-28 10:01:11 +00:00			`#!/bin/bash`

			`# Create the host keys for the OpenSSH server.`
			`#`
			`# The creation is controlled by the $AUTOCREATE_SERVER_KEYS environment`
			`# variable.`
add support for ED25519 keys to sshd-keygen and sshd.sysconfig 2014-04-09 11:37:47 +00:00			`AUTOCREATE_SERVER_KEYS="RSA ECDSA ED25519"`
Systemd compatibility according to Mathieu Bridon <bochecha@fedoraproject.org> Split out the host keygen into their own command, to ease future migration to systemd. Compatitbility with the init script was kept. Migrate the package to full native systemd unit files, according to the Fedora packaging guidelines. Prepate the unit files for running an ondemand server. (do not add it actually) 2011-06-28 10:01:11 +00:00
			`# source function library`
			`. /etc/rc.d/init.d/functions`

			`# Some functions to make the below more readable`
			`KEYGEN=/usr/bin/ssh-keygen`
			`RSA1_KEY=/etc/ssh/ssh_host_key`
			`RSA_KEY=/etc/ssh/ssh_host_rsa_key`
			`DSA_KEY=/etc/ssh/ssh_host_dsa_key`
sshd-keygen to generate ECDSA keys <i.grok@comcast.net> (#1019222) 2013-10-23 20:51:32 +00:00			`ECDSA_KEY=/etc/ssh/ssh_host_ecdsa_key`
add support for ED25519 keys to sshd-keygen and sshd.sysconfig 2014-04-09 11:37:47 +00:00			`ED25519_KEY=/etc/ssh/ssh_host_ed25519_key`
Systemd compatibility according to Mathieu Bridon <bochecha@fedoraproject.org> Split out the host keygen into their own command, to ease future migration to systemd. Compatitbility with the init script was kept. Migrate the package to full native systemd unit files, according to the Fedora packaging guidelines. Prepate the unit files for running an ondemand server. (do not add it actually) 2011-06-28 10:01:11 +00:00
allow specification of alternate host key location(s) via /etc/sysconfig/sshd <john_florian@dart.biz> (#865803) 2013-03-26 14:41:49 +00:00			`# pull in sysconfig settings`
			`[ -f /etc/sysconfig/sshd ] && . /etc/sysconfig/sshd`

don't create RSA1 key in FIPS mode 2012-04-06 19:00:10 +00:00			`fips_enabled() {`
			`if [ -r /proc/sys/crypto/fips_enabled ]; then`
			`cat /proc/sys/crypto/fips_enabled`
			`else`
			`echo 0`
			`fi`
			`}`

Systemd compatibility according to Mathieu Bridon <bochecha@fedoraproject.org> Split out the host keygen into their own command, to ease future migration to systemd. Compatitbility with the init script was kept. Migrate the package to full native systemd unit files, according to the Fedora packaging guidelines. Prepate the unit files for running an ondemand server. (do not add it actually) 2011-06-28 10:01:11 +00:00			`do_rsa1_keygen() {`
don't create RSA1 key in FIPS mode 2012-04-06 19:00:10 +00:00			if [ ! -s $RSA1_KEY -a `fips_enabled` -eq 0 ]; then
Systemd compatibility according to Mathieu Bridon <bochecha@fedoraproject.org> Split out the host keygen into their own command, to ease future migration to systemd. Compatitbility with the init script was kept. Migrate the package to full native systemd unit files, according to the Fedora packaging guidelines. Prepate the unit files for running an ondemand server. (do not add it actually) 2011-06-28 10:01:11 +00:00			`echo -n $"Generating SSH1 RSA host key: "`
			`rm -f $RSA1_KEY`
			`if test ! -f $RSA1_KEY && $KEYGEN -q -t rsa1 -f $RSA1_KEY -C '' -N '' >&/dev/null; then`
			`chgrp ssh_keys $RSA1_KEY`
Revert "Fix permissions of sshd private keys created by sshd-keygen script (#754779)" (#819896) This reverts commit 81da99ed9bb19f029edfb92f6a8839886777db49. 2012-05-09 10:52:01 +00:00			`chmod 640 $RSA1_KEY`
Systemd compatibility according to Mathieu Bridon <bochecha@fedoraproject.org> Split out the host keygen into their own command, to ease future migration to systemd. Compatitbility with the init script was kept. Migrate the package to full native systemd unit files, according to the Fedora packaging guidelines. Prepate the unit files for running an ondemand server. (do not add it actually) 2011-06-28 10:01:11 +00:00			`chmod 644 $RSA1_KEY.pub`
			`if [ -x /sbin/restorecon ]; then`
add support for ED25519 keys to sshd-keygen and sshd.sysconfig 2014-04-09 11:37:47 +00:00			`/sbin/restorecon $RSA1_KEY{,.pub}`
Systemd compatibility according to Mathieu Bridon <bochecha@fedoraproject.org> Split out the host keygen into their own command, to ease future migration to systemd. Compatitbility with the init script was kept. Migrate the package to full native systemd unit files, according to the Fedora packaging guidelines. Prepate the unit files for running an ondemand server. (do not add it actually) 2011-06-28 10:01:11 +00:00			`fi`
			`success $"RSA1 key generation"`
			`echo`
			`else`
			`failure $"RSA1 key generation"`
			`echo`
			`exit 1`
			`fi`
			`fi`
			`}`

			`do_rsa_keygen() {`
			`if [ ! -s $RSA_KEY ]; then`
			`echo -n $"Generating SSH2 RSA host key: "`
			`rm -f $RSA_KEY`
			`if test ! -f $RSA_KEY && $KEYGEN -q -t rsa -f $RSA_KEY -C '' -N '' >&/dev/null; then`
			`chgrp ssh_keys $RSA_KEY`
Revert "Fix permissions of sshd private keys created by sshd-keygen script (#754779)" (#819896) This reverts commit 81da99ed9bb19f029edfb92f6a8839886777db49. 2012-05-09 10:52:01 +00:00			`chmod 640 $RSA_KEY`
Systemd compatibility according to Mathieu Bridon <bochecha@fedoraproject.org> Split out the host keygen into their own command, to ease future migration to systemd. Compatitbility with the init script was kept. Migrate the package to full native systemd unit files, according to the Fedora packaging guidelines. Prepate the unit files for running an ondemand server. (do not add it actually) 2011-06-28 10:01:11 +00:00			`chmod 644 $RSA_KEY.pub`
			`if [ -x /sbin/restorecon ]; then`
add support for ED25519 keys to sshd-keygen and sshd.sysconfig 2014-04-09 11:37:47 +00:00			`/sbin/restorecon $RSA_KEY{,.pub}`
Systemd compatibility according to Mathieu Bridon <bochecha@fedoraproject.org> Split out the host keygen into their own command, to ease future migration to systemd. Compatitbility with the init script was kept. Migrate the package to full native systemd unit files, according to the Fedora packaging guidelines. Prepate the unit files for running an ondemand server. (do not add it actually) 2011-06-28 10:01:11 +00:00			`fi`
			`success $"RSA key generation"`
			`echo`
			`else`
			`failure $"RSA key generation"`
			`echo`
			`exit 1`
			`fi`
			`fi`
			`}`

			`do_dsa_keygen() {`
sshd-keygen - don't generate DSA and ED25519 host keys in FIPS mode 2014-09-23 08:59:03 +00:00			if [ ! -s $DSA_KEY -a `fips_enabled` -eq 0 ]; then
Systemd compatibility according to Mathieu Bridon <bochecha@fedoraproject.org> Split out the host keygen into their own command, to ease future migration to systemd. Compatitbility with the init script was kept. Migrate the package to full native systemd unit files, according to the Fedora packaging guidelines. Prepate the unit files for running an ondemand server. (do not add it actually) 2011-06-28 10:01:11 +00:00			`echo -n $"Generating SSH2 DSA host key: "`
			`rm -f $DSA_KEY`
			`if test ! -f $DSA_KEY && $KEYGEN -q -t dsa -f $DSA_KEY -C '' -N '' >&/dev/null; then`
			`chgrp ssh_keys $DSA_KEY`
Revert "Fix permissions of sshd private keys created by sshd-keygen script (#754779)" (#819896) This reverts commit 81da99ed9bb19f029edfb92f6a8839886777db49. 2012-05-09 10:52:01 +00:00			`chmod 640 $DSA_KEY`
Systemd compatibility according to Mathieu Bridon <bochecha@fedoraproject.org> Split out the host keygen into their own command, to ease future migration to systemd. Compatitbility with the init script was kept. Migrate the package to full native systemd unit files, according to the Fedora packaging guidelines. Prepate the unit files for running an ondemand server. (do not add it actually) 2011-06-28 10:01:11 +00:00			`chmod 644 $DSA_KEY.pub`
			`if [ -x /sbin/restorecon ]; then`
add support for ED25519 keys to sshd-keygen and sshd.sysconfig 2014-04-09 11:37:47 +00:00			`/sbin/restorecon $DSA_KEY{,.pub}`
Systemd compatibility according to Mathieu Bridon <bochecha@fedoraproject.org> Split out the host keygen into their own command, to ease future migration to systemd. Compatitbility with the init script was kept. Migrate the package to full native systemd unit files, according to the Fedora packaging guidelines. Prepate the unit files for running an ondemand server. (do not add it actually) 2011-06-28 10:01:11 +00:00			`fi`
			`success $"DSA key generation"`
			`echo`
			`else`
			`failure $"DSA key generation"`
			`echo`
			`exit 1`
			`fi`
			`fi`
			`}`

sshd-keygen to generate ECDSA keys <i.grok@comcast.net> (#1019222) 2013-10-23 20:51:32 +00:00			`do_ecdsa_keygen() {`
			`if [ ! -s $ECDSA_KEY ]; then`
			`echo -n $"Generating SSH2 ECDSA host key: "`
			`rm -f $ECDSA_KEY`
			`if test ! -f $ECDSA_KEY && $KEYGEN -q -t ecdsa -f $ECDSA_KEY -C '' -N '' >&/dev/null; then`
			`chgrp ssh_keys $ECDSA_KEY`
sshd-keygen - create an ecdsa host key with 640 permissions (#1023945) 2013-12-09 10:14:59 +00:00			`chmod 640 $ECDSA_KEY`
sshd-keygen to generate ECDSA keys <i.grok@comcast.net> (#1019222) 2013-10-23 20:51:32 +00:00			`chmod 644 $ECDSA_KEY.pub`
			`if [ -x /sbin/restorecon ]; then`
add support for ED25519 keys to sshd-keygen and sshd.sysconfig 2014-04-09 11:37:47 +00:00			`/sbin/restorecon $ECDSA_KEY{,.pub}`
sshd-keygen to generate ECDSA keys <i.grok@comcast.net> (#1019222) 2013-10-23 20:51:32 +00:00			`fi`
			`success $"ECDSA key generation"`
			`echo`
			`else`
			`failure $"ECDSA key generation"`
			`echo`
			`exit 1`
			`fi`
			`fi`
			`}`

add support for ED25519 keys to sshd-keygen and sshd.sysconfig 2014-04-09 11:37:47 +00:00			`do_ed25519_keygen() {`
sshd-keygen - don't generate DSA and ED25519 host keys in FIPS mode 2014-09-23 08:59:03 +00:00			if [ ! -s $ED25519_KEY -a `fips_enabled` -eq 0 ]; then
add support for ED25519 keys to sshd-keygen and sshd.sysconfig 2014-04-09 11:37:47 +00:00			`echo -n $"Generating SSH2 ED25519 host key: "`
			`rm -f $ED25519_KEY`
			`if test ! -f $ED25519_KEY && $KEYGEN -q -t ed25519 -f $ED25519_KEY -C '' -N '' >&/dev/null; then`
			`chgrp ssh_keys $ED25519_KEY`
			`chmod 640 $ED25519_KEY`
			`chmod 644 $ED25519_KEY.pub`
			`if [ -x /sbin/restorecon ]; then`
			`/sbin/restorecon $ED25519_KEY{,.pub}`
			`fi`
			`success $"ED25519 key generation"`
			`echo`
			`else`
			`failure $"ED25519 key generation"`
			`echo`
			`exit 1`
use only rsa and ecdsa host keys by default 2013-12-09 16:30:18 +00:00			`fi`
Systemd compatibility according to Mathieu Bridon <bochecha@fedoraproject.org> Split out the host keygen into their own command, to ease future migration to systemd. Compatitbility with the init script was kept. Migrate the package to full native systemd unit files, according to the Fedora packaging guidelines. Prepate the unit files for running an ondemand server. (do not add it actually) 2011-06-28 10:01:11 +00:00			`fi`
add support for ED25519 keys to sshd-keygen and sshd.sysconfig 2014-04-09 11:37:47 +00:00			`}`

			`if [ "x${AUTOCREATE_SERVER_KEYS}" == "xNO" ]; then`
			`exit 0`
Systemd compatibility according to Mathieu Bridon <bochecha@fedoraproject.org> Split out the host keygen into their own command, to ease future migration to systemd. Compatitbility with the init script was kept. Migrate the package to full native systemd unit files, according to the Fedora packaging guidelines. Prepate the unit files for running an ondemand server. (do not add it actually) 2011-06-28 10:01:11 +00:00			`fi`
add support for ED25519 keys to sshd-keygen and sshd.sysconfig 2014-04-09 11:37:47 +00:00
			`# legacy options`
			`case $AUTOCREATE_SERVER_KEYS in`
			`NODSA) AUTOCREATE_SERVER_KEYS="RSA ECDSA ED25519";;`
			`RSAONLY) AUTOCREATE_SERVER_KEYS="RSA";;`
			`YES) AUTOCREATE_SERVER_KEYS="DSA RSA ECDSA ED25519";;`
			`esac`

			`for KEY in $AUTOCREATE_SERVER_KEYS; do`
			`case $KEY in`
			`DSA) do_dsa_keygen;;`
			`RSA) do_rsa_keygen;;`
			`ECDSA) do_ecdsa_keygen;;`
			`ED25519) do_ed25519_keygen;;`
			`esac`
			`done`