sshd revision 1.32
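#!/bin/sh
#
# $NetBSD: sshd,v 1.32 2022/05/15 11:47:42 martin Exp $
#

# PROVIDE: sshd
# REQUIRE: LOGIN

$_rc_subr_loaded . /etc/rc.subr

# rc.d script for sshd.  Besides the standard rc.subr commands it provides:
#   keygen    create any ssh host key that does not exist yet
#   keyregen  delete and re-create every ssh host key
# "start" runs keygen first (see sshd_precmd).

name="sshd"
rcvar=$name
command="/usr/sbin/${name}"
pidfile="/var/run/${name}.pid"
required_files="/etc/ssh/sshd_config"
extra_commands="keygen keyregen reload"

# Rewrite /etc/motd so that it ends with an "UNSAFE KEYS WARNING" section
# exactly when the kernel still reports missing entropy
# (kern.entropy.needed != 0); any previous warning section is dropped first.
# Runs in a subshell so umask and variables do not leak into the caller.
sshd_motd_unsafe_keys_warning()
{
(
	# Files created here must not be group/world-writable.
	umask 022
	T=/etc/_motd
	# Copy motd up to (not including) an existing warning section.
	sed -E '/^-- UNSAFE KEYS WARNING:/,$d' < /etc/motd > "$T"
	# If the sysctl cannot be read, treat it as "no entropy needed": the
	# outcome (no warning) is the same as before, but without handing an
	# empty operand to test(1).
	needed=$( sysctl -n kern.entropy.needed ) || needed=0
	if [ "${needed:-0}" -ne 0 ]; then
		cat >> "$T" << _EOF
-- UNSAFE KEYS WARNING:

	The ssh host keys on this machine have been generated with
	not enough entropy configured, so may be predictable.

	To fix, follow the "Adding entropy" section in the entropy(7)
	man page and after this machine has enough entropy, re-generate
	the ssh host keys by running:

		sh /etc/rc.d/sshd keyregen
_EOF
	fi
	# Only touch /etc/motd when its content actually changes.
	cmp -s "$T" /etc/motd || cp "$T" /etc/motd
	rm -f "$T"
)
}

# Generate ssh host keys under /etc/ssh.
#   $1 - "force": delete and re-create every key; anything else: create
#        only the keys that are missing.
# Each line of the table at the end of the loop is "type bits filename";
# bits -1 means no size argument, 0 means use ${ssh_keygen_flags}.
# Runs in a subshell so umask and variables do not leak into the caller.
sshd_keygen()
{
(
	keygen="/usr/bin/ssh-keygen"
	umask 022
	new_key_created=false
	# NOTE(review): the table still requests a 1024-bit DSA host key;
	# confirm that the installed OpenSSH still needs it.
	# NOTE(review): one flag covers all key types.  Creating a single
	# missing key while entropy is sufficient refreshes motd and removes
	# the warning even though keys left over from a low-entropy boot are
	# kept; "keyregen" is the way to replace those.
	while read type bits filename; do
		f="/etc/ssh/$filename"
		if [ "$1" != "force" ] && [ -f "$f" ]; then
			continue
		fi
		rm -f "$f"
		case "${bits}" in
		-1)	bitarg=;;
		0)	bitarg="${ssh_keygen_flags}";;
		*)	bitarg="-b ${bits}";;
		esac
		# ${bitarg} is deliberately unquoted: it may hold several words.
		# stdin comes from /dev/null so that an unexpected ssh-keygen
		# prompt cannot consume lines of the key table feeding this loop.
		if "${keygen}" -t "${type}" ${bitarg} -f "${f}" -N '' -q \
		    < /dev/null; then
			printf "ssh-keygen: " && "${keygen}" -f "${f}" -l
			# Count only keys that were really created: a failed
			# ssh-keygen must not trigger a motd refresh, which
			# could drop an existing warning.
			new_key_created=true
		fi
	done << _EOF
dsa	1024	ssh_host_dsa_key
ecdsa	521	ssh_host_ecdsa_key
ed25519	-1	ssh_host_ed25519_key
rsa	0	ssh_host_rsa_key
_EOF
	if "${new_key_created}"; then
		sshd_motd_unsafe_keys_warning
	fi
)
}

# start_precmd hook: create missing host keys before sshd is started.
sshd_precmd()
{
	run_rc_command keygen
}

keygen_cmd=sshd_keygen
keyregen_cmd="sshd_keygen force"
start_precmd=sshd_precmd

load_rc_config "$name"
run_rc_command "$1"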