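#!/bin/sh
#
# $NetBSD: sshd,v 1.37 2023/07/22 08:51:28 kim Exp $
#

# PROVIDE: sshd
# REQUIRE: LOGIN

# rc.d control script for sshd.  On top of what rc.subr provides it adds
# host-key generation ("keygen", "keyregen"), a configuration test
# ("check", also run before "reload"), and a warning block in /etc/motd
# that is written after key generation while the kernel still reports
# missing entropy.

# Left unquoted on purpose: with $_rc_subr_loaded empty this line sources
# rc.subr.  Presumably rc.subr sets the variable to a no-op command so a
# second load is skipped -- confirm against rc.subr.
$_rc_subr_loaded . /etc/rc.subr

name="sshd"
rcvar=$name
command="/usr/sbin/${name}"
pidfile="/var/run/${name}.pid"
required_files="/etc/ssh/sshd_config"
extra_commands="check keygen keyregen reload"

# Bring /etc/motd in line with the current entropy state.
#
# Any earlier warning block (from its "-- UNSAFE KEYS WARNING:" marker to
# end of file) is stripped first, then re-appended only when
# kern.entropy.needed is non-zero.  Repeated runs therefore never stack
# warnings, and a run after entropy has been provided removes the block.
# The warning is advisory: nothing in this script blocks sshd start-up
# on it.
#
# Runs in a subshell so the umask and scratch variables stay local.
sshd_motd_unsafe_keys_warning()
{
(
	# Scratch file and a newly created motd end up mode 0644.
	umask 022

	# Fixed scratch name inside /etc rather than a mktemp file; this is
	# only safe while /etc is writable by root alone.
	# NOTE(review): two concurrent runs would share this file.
	T=/etc/_motd

	sed -E '/^-- UNSAFE KEYS WARNING:/,$d' < /etc/motd > "$T"

	# An empty answer (sysctl failed or the node is missing) is treated
	# as 0, i.e. no warning -- the same outcome as before, minus the
	# syntax error from test(1).
	# NOTE(review): this is fail-open; confirm that an unknown entropy
	# state should not produce the warning.
	needed=$( sysctl -n kern.entropy.needed )
	if [ "${needed:-0}" -ne 0 ]; then
		cat >> "$T" << _EOF
-- UNSAFE KEYS WARNING:

	The ssh host keys on this machine have been generated with
	not enough entropy configured, so they may be predictable.

	To fix, follow the "Adding entropy" section in the entropy(7)
	man page.  After this machine has enough entropy, re-generate
	the ssh host keys by running:

		/etc/rc.d/sshd keyregen
_EOF
	fi

	# Touch /etc/motd only when its content actually changes.
	cmp -s "$T" /etc/motd || cp "$T" /etc/motd
	rm -f "$T"
)
}

# Generate the ssh host keys listed in the table below.
#
# Arguments: $1 - "force" regenerates every key, replacing existing ones;
#                 anything else creates only the keys that are missing.
#
# Table columns are: key type, bits, file name under /etc/ssh.
#   bits -1  pass no size argument to ssh-keygen
#   bits  0  pass ${ssh_keygen_flags} (expected to come from rc.conf)
#   other    pass "-b <bits>"
#
# Keys are created with an empty passphrase (-N '') so sshd can load them
# unattended.  NOTE(review): the private-key file mode is left to
# ssh-keygen; this script does not chmod the result.
#
# Runs in a subshell so the umask and loop variables stay local.
sshd_keygen()
{
(
	keygen="/usr/bin/ssh-keygen"
	umask 022
	new_key_created=false
	while read -r key_type bits filename; do
		f="/etc/ssh/$filename"
		if [ "$1" != "force" ] && [ -f "$f" ]; then
			continue
		fi
		rm -f "$f"
		case "${bits}" in
		-1)	bitarg=;;
		0)	bitarg="${ssh_keygen_flags}";;
		*)	bitarg="-b ${bits}";;
		esac
		# ${bitarg} stays unquoted so it splits into separate
		# arguments and vanishes entirely when empty.
		if "${keygen}" -t "${key_type}" ${bitarg} -f "${f}" -N '' -q; then
			# Print the fingerprint of the key just written.
			printf "ssh-keygen: " && "${keygen}" -f "${f}" -l
			# Only a key that was really written counts; a failed
			# ssh-keygen run no longer triggers a motd rewrite.
			new_key_created=true
		fi
	done << _EOF
ecdsa	-1	ssh_host_ecdsa_key
ed25519	-1	ssh_host_ed25519_key
rsa	0	ssh_host_rsa_key
_EOF
	# The entropy state matters for keys made just now, so the motd
	# warning is refreshed only after at least one new key.
	if "${new_key_created}"; then
		sshd_motd_unsafe_keys_warning
	fi
)
}

# Before "start": make sure every host key exists.
sshd_precmd()
{
	run_rc_command keygen
}

# Run sshd's configuration test mode (-t).
#
# Uses the binary named in ${command} instead of resolving "sshd" through
# the caller's PATH, so the check exercises the daemon this script
# manages even when the script is run by hand.
# NOTE(review): ${sshd_flags} are not passed here, so options set there
# are not part of what gets tested -- confirm whether they should be.
sshd_check()
{
	"${command}" -t
}

# Before "reload": refuse to signal the daemon if the config test fails.
# NOTE(review): assumes rc.subr aborts the reload on a non-zero precmd
# status -- confirm against rc.subr.
sshd_reload_precmd()
{
	run_rc_command check
}

check_cmd=sshd_check
keygen_cmd=sshd_keygen
keyregen_cmd="sshd_keygen force"
reload_precmd=sshd_reload_precmd
start_precmd=sshd_precmd

load_rc_config "$name"
run_rc_command "$1"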