#!/bin/sh
#
# $NetBSD: sshd,v 1.31 2021/09/26 10:53:20 martin Exp $
#

# PROVIDE: sshd
# REQUIRE: LOGIN

$_rc_subr_loaded . /etc/rc.subr

name="sshd"
rcvar=$name
command="/usr/sbin/${name}"
pidfile="/var/run/${name}.pid"
required_files="/etc/ssh/sshd_config"
extra_commands="keygen keyregen reload"

sshd_motd_unsafe_keys_warning()
{
(
	umask 022
	T=/etc/_motd
	sed -E '/^-- UNSAFE KEYS WARNING:/,$d' < /etc/motd > $T
	if [ $( sysctl -n kern.entropy.needed ) -ne 0 ]; then
		cat >> $T << _EOF
-- UNSAFE KEYS WARNING:

	The ssh host keys on this machine have been generated with
	not enough entropy configured, so may be predictable.

	To fix, follow the "Adding entropy" section in the entropy(7)
	man page and after this machine has enough entropy, re-generate
	the ssh host keys by running:

		sh /etc/rc.d/sshd keyregen
_EOF
	fi
	cmp -s $T /etc/motd || cp $T /etc/motd
	rm -f $T
)
}

sshd_keygen()
{
(
	keygen="/usr/bin/ssh-keygen"
	umask 022
	while read type bits filename;  do
		f="/etc/ssh/$filename"
		if [ "$1" != "force" ] && [ -f "$f" ]; then
			continue
		fi
		rm -f "$f"
		case "${bits}" in
		-1)	bitarg=;;
		0)	bitarg="${ssh_keygen_flags}";;
		*)	bitarg="-b ${bits}";;
		esac
		"${keygen}" -t "${type}" ${bitarg} -f "${f}" -N '' -q && \
		    printf "ssh-keygen: " && "${keygen}" -f "${f}" -l
	done << _EOF
dsa	1024	ssh_host_dsa_key
ecdsa	521	ssh_host_ecdsa_key
ed25519	-1	ssh_host_ed25519_key
rsa	0	ssh_host_rsa_key
_EOF
)
	sshd_motd_unsafe_keys_warning
}

sshd_precmd()
{
	run_rc_command keygen
}

keygen_cmd=sshd_keygen
keyregen_cmd="sshd_keygen force"
start_precmd=sshd_precmd

load_rc_config $name
run_rc_command "$1"