openssh/sources/sshd.sh

#!/usr/sbin/sh
#
# Copyright (c) 2001, 2016, Oracle and/or its affiliates. All rights reserved.
#

. /lib/svc/share/smf_include.sh

SSHDIR=/etc/ssh
KEYGEN="/usr/bin/ssh-keygen -q"
PIDFILE=$SMF_SYSVOL_FS/sshd.pid

# Checks to see if RSA, and DSA host keys are available
# if any of these keys are not present, the respective keys are created.
create_key()
{
    keypath=$1
    keytype=$2

    if [ ! -f $keypath ]; then
        #
        # HostKey keywords in sshd_config may be preceded or
        # followed by a mix of any number of space or tabs,
        # and optionally have an = between keyword and
        # argument.  We use two grep invocations such that we
        # can match HostKey case insensitively but still have
        # the case of the path name be significant, keeping
        # the pattern somewhat more readable.
        #
        # The character classes below contain one literal
        # space and one literal tab.
        #
        grep -i "^[     ]*HostKey[  ]*=\{0,1\}[     ]*$keypath" \
            $SSHDIR/sshd_config | grep "$keypath" > /dev/null 2>&1

        if [ $? -eq 0 ]; then
            echo Creating new $keytype public/private host key pair
            $KEYGEN -f $keypath -t $keytype -N ''
            if [ $? -ne 0 ]; then
                echo "Could not create $keytype key: $keypath"
                exit $SMF_EXIT_ERR_CONFIG
            fi
        fi
    fi
}

remove_key()
{
        keypath=$1
        if [ -f $keypath ]; then
                grep -i "^[     ]*HostKey[      ]*=\{0,1\}[     ]*$keypath" \
                    $SSHDIR/sshd_config | grep "$keypath" > /dev/null 2>&1
                if [ $? -eq 0 ]; then
                        rm -f ${keypath} ${keypath}.pub
                fi
        fi
}

#
# Makes sure, that /etc/ssh/sshd_config does not contain single line
# 'ListenAddress ::'.
#
# This used to be part of default SunSSH sshd_config and instructed SunSSH
# to listen on all interfaces. For OpenSSH, the same line means listen on all
# IPv6 interfaces.
#
fix_listenaddress()
{
    fbackup="$SSHDIR/sshd_config.pre_listenaddress_fix"
    reason4change="#\n\
# Historically default sshd_config was shipped with 'ListenAddress ::',\n\
# which means 'listen on all interfaces' in SunSSH.\n\
# In OpenSSH this setting means 'listen on all IPv6 interfaces'.\n\
# To avoid loss of service after transitioning to OpenSSH, the following\n\
# line was commented out by the network/ssh service method script on\n\
#     $(date).\n\
# Original file was backed up to $fbackup\n\
#\n\
# "
    expl4log="Historically default sshd_config was shipped with \
'ListenAddress ::', which means 'listen on all interfaces' in SunSSH. \
In OpenSSH this setting means 'listen on all IPv6 interfaces'. \
For both SunSSH and OpenSSH the default behavior when no ListenAddress \
is specified is to listen on all interfaces (both IPv4 and IPv6)."
    msg_not_removed="Custom ListenAddress setting detected in \
$SSHDIR/sshd_config, the file will not be modified. Please, check your \
ListenAddress settings. $expl4log"
    msg_removed="Removing 'ListenAddress ::'. $expl4log Original file has \
been backed up to $fbackup"

    # only modify sshd_config, if ssh implementation is OpenSSH
    if [[ "$(ssh -V 2>&1)" == Sun_SSH_* ]]; then
        return 0;
    fi

    # comment '# IPv4 & IPv6' indicates an old default sshd_config
    grep -q '^# IPv4 & IPv6$' $SSHDIR/sshd_config || return 0;

    # backup
    cp $SSHDIR/sshd_config $fbackup

    # if 'ListenAddress ::' is the only ListenAddress line, comment it out
    listen_address=$(grep -i '^[ \t]*ListenAddress' $SSHDIR/sshd_config)
    if [[ "$listen_address" == 'ListenAddress ::' ]]; then
        echo $msg_removed
        awk_prog="/^ListenAddress ::$/ {printf(\"$reason4change\")}\
              !/^# IPv4 & IPv6$/   {print}"
    elif [[ -z "$listen_address" ]]; then
        # no ListenAddress setting => OK, silently remove comment
        awk_prog="!/^# IPv4 & IPv6$/   {print}"
    else
        # send warning message both to log and console
        echo $msg_not_removed | smf_console
        awk_prog="!/^# IPv4 & IPv6$/   {print}"
    fi;

    sshd_config=$(nawk "$awk_prog" $SSHDIR/sshd_config)
    if [[ $? -ne 0 ]]; then
        echo "Update error! Check your ListenAddress settings."
        return 1;
    else
        # write the fixed content to the file
        echo "$sshd_config" > $SSHDIR/sshd_config
        return 0;
    fi

}

# This script is being used for two purposes: as part of an SMF
# start/stop/refresh method, and as a sysidconfig(1M)/sys-unconfig(1M)
# application.
#
# Both, the SMF methods and sysidconfig/sys-unconfig use different
# arguments..

case $1 in
    # sysidconfig/sys-unconfig arguments (-c and -u)
'-c')
    create_key $SSHDIR/ssh_host_rsa_key rsa
    create_key $SSHDIR/ssh_host_ed25519_key ed25519
    ;;

'-u')
    # sysconfig unconfigure to remove the sshd host keys
    remove_key $SSHDIR/ssh_host_rsa_key
    remove_key $SSHDIR/ssh_host_ed25519_key
    ;;

    # SMF arguments (start and restart [really "refresh"])

'start')
    #
    # If host keys don't exist when the service is started, create
    # them; sysidconfig is not run in every situation (such as on
    # the install media).
    #
    create_key $SSHDIR/ssh_host_rsa_key rsa
    create_key $SSHDIR/ssh_host_ed25519_key ed25519

    #
    # Make sure, that /etc/ssh/sshd_config does not contain single line
    # 'ListenAddress ::'.
    #
    fix_listenaddress

    /usr/lib/ssh/sshd
    ;;

'restart')
    if [ -f "$PIDFILE" ]; then
        /usr/bin/kill -HUP `/usr/bin/cat $PIDFILE`
    fi
    ;;

*)
    echo "Usage: $0 { start | restart }"
    exit 1
    ;;
esac

exit $?