HardenedBSD/libexec/rc/rc.d/sshd
Mateusz Piotrowski 3e58608634 sshd: Warn about missing ssh-keygen only when necessary
The sshd service uses ssh-keygen to generate missing SSH keys.
If ssh-keygen is missing, it prints the following message:

> /etc/rc.d/sshd: WARNING: /usr/bin/ssh-keygen does not exist.

It makes sense when the key is not generated yet and
cannot be created because ssh-keygen is missing.

The problem is that even if the key is present on the host,
the sshd service would still warn about missing ssh-keygen
(even though it does not need it).

Reviewed by:	emaste
Approved by:	emaste (src)
MFC after:	2 weeks
Differential Revision:	https://reviews.freebsd.org/D23911
2020-04-15 14:07:33 +00:00


#!/bin/sh
#
# $FreeBSD$
#
# PROVIDE: sshd
# REQUIRE: LOGIN FILESYSTEMS
# KEYWORD: shutdown
# Pull in the rc.subr framework (run_rc_command, checkyesno, info, warn, ...).
. /etc/rc.subr
# Service identity used by rc.subr: daemon path, rc.conf enable knob, pidfile.
name="sshd"
desc="Secure Shell Daemon"
rcvar="sshd_enable"
command="/usr/sbin/${name}"
# Extra methods and hooks: "keygen" creates missing host keys, "configtest"
# runs sshd -t; start generates keys first, reload/restart validate config first.
keygen_cmd="sshd_keygen"
start_precmd="sshd_precmd"
reload_precmd="sshd_configtest"
restart_precmd="sshd_configtest"
configtest_cmd="sshd_configtest"
pidfile="/var/run/${name}.pid"
extra_commands="configtest keygen reload"
# rc.conf defaults: which host key types sshd_keygen_alg creates when absent
# (unset or empty values fall back to these; an explicit rc.conf value wins).
: ${sshd_rsa_enable:="yes"}
: ${sshd_dsa_enable:="no"}
: ${sshd_ecdsa_enable:="yes"}
: ${sshd_ed25519_enable:="yes"}
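# Create the host key for one algorithm when it is enabled and not yet present.
#
# Arguments: $1 - key algorithm, one of rsa, dsa, ecdsa, ed25519
# Globals:   reads sshd_${alg}_enable (rc.conf); writes
#            /etc/ssh/ssh_host_${alg}_key and its .pub companion
# Outputs:   progress on stdout, key fingerprint on success
# Returns:   0 when the algorithm is disabled, the key already exists, or a
#            new key was generated; 1 for an unknown algorithm, a missing
#            ssh-keygen, or a failed generation
sshd_keygen_alg()
{
	local alg ALG keyfile

	alg=$1
	# Validate the name before it is used to build a variable name, a
	# file path and a ssh-keygen argument.
	case "$alg" in
	rsa|dsa|ecdsa|ed25519)
		keyfile="/etc/ssh/ssh_host_${alg}_key"
		;;
	*)
		return 1
		;;
	esac
	if ! checkyesno "sshd_${alg}_enable" ; then
		return 0
	fi
	ALG=$(echo "$alg" | tr a-z A-Z)
	if [ -f "${keyfile}" ] ; then
		info "$ALG host key exists."
		return 0
	fi
	# Only complain about ssh-keygen when a key actually has to be made.
	if [ ! -x /usr/bin/ssh-keygen ] ; then
		warn "/usr/bin/ssh-keygen does not exist."
		return 1
	fi
	echo "Generating $ALG host key."
	# Host keys are stored unencrypted (-N "") so sshd can load them at boot.
	# Stop here on failure instead of trying to fingerprint a .pub that was
	# never written.
	if ! /usr/bin/ssh-keygen -q -t "$alg" -f "$keyfile" -N ""; then
		warn "Failed to generate $ALG host key."
		return 1
	fi
	/usr/bin/ssh-keygen -l -f "$keyfile.pub"
}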
# Walk every supported host key type; sshd_keygen_alg decides per algorithm
# whether it is enabled and whether a key still has to be generated.
# Returns: the status of the last sshd_keygen_alg call.
sshd_keygen()
{
	local alg

	for alg in rsa dsa ecdsa ed25519; do
		sshd_keygen_alg "$alg"
	done
}
# Validate the sshd configuration with sshd -t before (re)starting or reloading.
# Globals:  command (daemon path), sshd_flags (rc.conf), name
# Returns:  the exit status of sshd -t
sshd_configtest()
{
	printf '%s\n' "Performing sanity check on ${name} configuration."
	# sshd_flags is the administrator's rc.conf setting; eval applies its
	# quoting the same way rc.subr does when it launches the daemon.
	eval ${command} ${sshd_flags} -t
}
# Start hook: make sure host keys exist, then validate the configuration,
# each through its own rc method so that their precmds/flags apply.
# Returns: the status of the configtest method.
sshd_precmd()
{
	local method

	for method in keygen configtest; do
		run_rc_command "$method"
	done
}
# Read rc.conf(5) overrides for this service, then dispatch the requested
# method (start, stop, keygen, configtest, ...) through rc.subr.
load_rc_config $name
run_rc_command "$1"