#!/bin/bash
#
# ssh-keygen		Generate ssh keys for rsa/dsa
#
# chkconfig: 2345 55 25
# description: SSH is a protocol for secure remote shell access. \
#              This script is used by ssh's SuperServer Plugin to 
#	       generate the public/private keys to be used later by sshd.
#

### BEGIN INIT INFO
# Provides: ssh-keygen
# Short-Description: Generate ssh keys for rsa/dsa
# Description:       This script is used by ssh's SuperServer Plugin to 
#		     generate the public/private keys to be used later by sshd.
### END INIT INFO

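# Run as a plain SysV init script even on systemd hosts (no redirect to systemctl).
export SYSTEMCTL_SKIP_REDIRECT=1

# source function library (provides success/failure used by the ECDSA/ED25519 helpers)
. /etc/rc.d/init.d/functions

# pull in sysconfig settings; may set AUTOCREATE_SERVER_KEYS (NO / RSAONLY / anything else)
[ -f /etc/sysconfig/sshd ] && . /etc/sysconfig/sshd

# Paths shared by the keygen helpers below.
# *_OLD_KEY are the pre-migration locations under /persist/sys; a key found
# there is copied to /persist/secure instead of being regenerated, so the
# host identity is preserved across the move.
KEYGEN=/usr/bin/ssh-keygen
RSA_KEY=/persist/secure/ssh_host_rsa_key
RSA_OLD_KEY=/persist/sys/ssh_host_rsa_key
DSA_KEY=/persist/secure/ssh_host_dsa_key
DSA_OLD_KEY=/persist/sys/ssh_host_dsa_key
ECDSA_KEY=/persist/secure/ssh_host_ecdsa_key
ECDSA_256_KEY=/persist/secure/ssh_host_ecdsa_nistp256_key
ED25519_KEY=/persist/secure/ssh_host_ed25519_key
# Progress/result log written by every helper; one line per key type.
SSHD_INIT_LOG="/var/run/sshd.init.status"

# Current runlevel: the last word of `runlevel` output ("N 3" -> "3").
# The command substitution is deliberately unquoted so `set --` word-splits it;
# ${!#} expands the last positional parameter and replaces the former eval.
# NOTE(review): nothing in this file reads $runlevel — kept for compatibility.
runlevel=$(set -- $(runlevel); echo "${!#}")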

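#######################################
# Ensure the RSA host key pair exists.
# Migrates a key from RSA_OLD_KEY if present, otherwise generates a new one.
# Globals:   KEYGEN, RSA_KEY, RSA_OLD_KEY, SSHD_INIT_LOG (read); key files (written)
# Outputs:   progress text to stdout, SUCCESS/FAILURE line to SSHD_INIT_LOG
# Returns:   0 on success or when nothing needs doing; exits 1 if generation fails
#######################################
do_rsa_keygen() {
	# Migrate a key left in the old location so the host identity survives
	# the move from /persist/sys to /persist/secure.
	if [ -s "$RSA_OLD_KEY" ] && [ ! -s "$RSA_KEY" ]; then
		echo "Copying RSA host key from /persist/sys to /persist/secure"
		# cp creates the copy with the source mode filtered by umask, not
		# necessarily 600, so pin the modes explicitly after a successful copy.
		cp -- "$RSA_OLD_KEY" "$RSA_KEY" && chmod 600 "$RSA_KEY"
		cp -- "$RSA_OLD_KEY.pub" "$RSA_KEY.pub" && chmod 644 "$RSA_KEY.pub"
	fi
	if [ ! -s "$RSA_KEY" ]; then
		printf '%s' $"Generating SSH2 RSA host key: " >> "$SSHD_INIT_LOG"
		# Drop an empty/stale pair so ssh-keygen cannot stop at its overwrite
		# prompt and a failed run leaves no orphaned .pub behind.
		rm -f -- "$RSA_KEY" "$RSA_KEY.pub"
		# The -f re-check covers the case where rm could not remove the file.
		# 2048 bits is the floor; newer ssh-keygen defaults to 3072 — raise it
		# once every peer of this host is known to accept larger keys.
		# -m PEM writes the legacy PEM private-key container rather than
		# OpenSSH's native format; kept because consumers of this key may
		# depend on it. ssh-keygen's stderr goes to the log so a failure is
		# diagnosable instead of silently discarded.
		if [ ! -f "$RSA_KEY" ] && "$KEYGEN" -q -b 2048 -t rsa -m PEM -f "$RSA_KEY" -C '' -N '' >/dev/null 2>>"$SSHD_INIT_LOG"; then
			chmod 600 "$RSA_KEY"
			chmod 644 "$RSA_KEY.pub"
			if [ -x /sbin/restorecon ]; then
				# Relabel both halves, as the ECDSA/ED25519 helpers do.
				/sbin/restorecon "$RSA_KEY" "$RSA_KEY.pub"
			fi
			echo "SUCCESS" >> "$SSHD_INIT_LOG"
		else
			echo "FAILURE" >> "$SSHD_INIT_LOG"
			exit 1
		fi
	fi
}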

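#######################################
# Ensure the DSA host key pair exists.
# Migrates a key from DSA_OLD_KEY if present, otherwise generates a new one.
# DSA host keys are fixed at 1024 bits and ssh-dss has been disabled by
# default in OpenSSH since 7.0 (recent releases drop it entirely), so this
# key serves legacy peers only; consider removing it from sshd's HostKey list.
# Globals:   KEYGEN, DSA_KEY, DSA_OLD_KEY, SSHD_INIT_LOG (read); key files (written)
# Outputs:   progress text to stdout, SUCCESS/FAILURE line to SSHD_INIT_LOG
# Returns:   0 on success or when nothing needs doing; exits 1 if generation fails
#######################################
do_dsa_keygen() {
	# Migrate a key left in the old location so the host identity survives
	# the move from /persist/sys to /persist/secure.
	if [ -s "$DSA_OLD_KEY" ] && [ ! -s "$DSA_KEY" ]; then
		echo "Copying DSA host key from /persist/sys to /persist/secure"
		# cp creates the copy with the source mode filtered by umask, not
		# necessarily 600, so pin the modes explicitly after a successful copy.
		cp -- "$DSA_OLD_KEY" "$DSA_KEY" && chmod 600 "$DSA_KEY"
		cp -- "$DSA_OLD_KEY.pub" "$DSA_KEY.pub" && chmod 644 "$DSA_KEY.pub"
	fi
	if [ ! -s "$DSA_KEY" ]; then
		printf '%s' $"Generating SSH2 DSA host key: " >> "$SSHD_INIT_LOG"
		# Drop an empty/stale pair so ssh-keygen cannot stop at its overwrite
		# prompt and a failed run leaves no orphaned .pub behind.
		rm -f -- "$DSA_KEY" "$DSA_KEY.pub"
		# The -f re-check covers the case where rm could not remove the file.
		# ssh-keygen's stderr goes to the log so a failure (e.g. a build
		# without DSA support) is diagnosable instead of silently discarded.
		if [ ! -f "$DSA_KEY" ] && "$KEYGEN" -q -t dsa -f "$DSA_KEY" -C '' -N '' >/dev/null 2>>"$SSHD_INIT_LOG"; then
			chmod 600 "$DSA_KEY"
			chmod 644 "$DSA_KEY.pub"
			if [ -x /sbin/restorecon ]; then
				# Relabel both halves, as the ECDSA/ED25519 helpers do.
				/sbin/restorecon "$DSA_KEY" "$DSA_KEY.pub"
			fi
			echo "SUCCESS" >> "$SSHD_INIT_LOG"
		else
			echo "FAILURE" >> "$SSHD_INIT_LOG"
			exit 1
		fi
	fi
}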

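#######################################
# Ensure the ED25519 host key pair exists, generating it when missing/empty.
# Globals:   KEYGEN, ED25519_KEY, SSHD_INIT_LOG (read); key files (written)
# Outputs:   one newline-terminated status line in SSHD_INIT_LOG via the
#            init-functions success/failure helpers
# Returns:   0 on success or when nothing needs doing; exits 1 if generation fails
#######################################
do_ed25519_keygen() {
	if [ ! -s "$ED25519_KEY" ]; then
		printf '%s' $"Generating SSH2 ED25519 host key: " >> "$SSHD_INIT_LOG"
		# Drop an empty/stale pair so ssh-keygen cannot stop at its overwrite
		# prompt and a failed run leaves no orphaned .pub behind.
		rm -f -- "$ED25519_KEY" "$ED25519_KEY.pub"
		# The -f re-check covers the case where rm could not remove the file.
		# ssh-keygen's stderr goes to the log so a failure is diagnosable.
		if [ ! -f "$ED25519_KEY" ] && "$KEYGEN" -q -t ed25519 -f "$ED25519_KEY" -C '' -N '' >/dev/null 2>>"$SSHD_INIT_LOG"; then
			chmod 600 "$ED25519_KEY"
			chmod 644 "$ED25519_KEY.pub"
			if [ -x /sbin/restorecon ]; then
				/sbin/restorecon "$ED25519_KEY" "$ED25519_KEY.pub"
			fi
			success $"SUCCESS ED25519 key generation" >> "$SSHD_INIT_LOG"
			# Terminate the log line; previously this newline went to stdout,
			# leaving consecutive entries in the log run together.
			echo >> "$SSHD_INIT_LOG"
		else
			failure $"FAILURE ED25519 key generation" >> "$SSHD_INIT_LOG"
			echo >> "$SSHD_INIT_LOG"
			exit 1
		fi
	fi
}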

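#######################################
# Ensure the ECDSA (nistp521, -b 521) host key pair exists, generating it
# when missing/empty.
# Globals:   KEYGEN, ECDSA_KEY, SSHD_INIT_LOG (read); key files (written)
# Outputs:   one newline-terminated status line in SSHD_INIT_LOG via the
#            init-functions success/failure helpers
# Returns:   0 on success or when nothing needs doing; exits 1 if generation fails
#######################################
do_ecdsa_keygen() {
	if [ ! -s "$ECDSA_KEY" ]; then
		printf '%s' $"Generating SSH2 ECDSA host key: " >> "$SSHD_INIT_LOG"
		# Drop an empty/stale pair so ssh-keygen cannot stop at its overwrite
		# prompt and a failed run leaves no orphaned .pub behind.
		rm -f -- "$ECDSA_KEY" "$ECDSA_KEY.pub"
		# The -f re-check covers the case where rm could not remove the file.
		# ssh-keygen's stderr goes to the log so a failure is diagnosable.
		if [ ! -f "$ECDSA_KEY" ] && "$KEYGEN" -q -t ecdsa -b 521 -f "$ECDSA_KEY" -C '' -N '' >/dev/null 2>>"$SSHD_INIT_LOG"; then
			chmod 600 "$ECDSA_KEY"
			chmod 644 "$ECDSA_KEY.pub"
			if [ -x /sbin/restorecon ]; then
				/sbin/restorecon "$ECDSA_KEY" "$ECDSA_KEY.pub"
			fi
			success $"SUCCESS ECDSA key generation" >> "$SSHD_INIT_LOG"
			# Terminate the log line; previously this newline went to stdout,
			# leaving consecutive entries in the log run together.
			echo >> "$SSHD_INIT_LOG"
		else
			failure $"FAILURE ECDSA key generation" >> "$SSHD_INIT_LOG"
			echo >> "$SSHD_INIT_LOG"
			exit 1
		fi
	fi
}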

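#######################################
# Ensure the ECDSA nistp256 (-b 256) host key pair exists, generating it
# when missing/empty.
# Globals:   KEYGEN, ECDSA_256_KEY, SSHD_INIT_LOG (read); key files (written)
# Outputs:   one newline-terminated status line in SSHD_INIT_LOG via the
#            init-functions success/failure helpers
# Returns:   0 on success or when nothing needs doing; exits 1 if generation fails
#######################################
do_ecdsa_256_keygen() {
	if [ ! -s "$ECDSA_256_KEY" ]; then
		printf '%s' $"Generating SSH2 ECDSA-256 host key: " >> "$SSHD_INIT_LOG"
		# Drop an empty/stale pair so ssh-keygen cannot stop at its overwrite
		# prompt and a failed run leaves no orphaned .pub behind.
		rm -f -- "$ECDSA_256_KEY" "$ECDSA_256_KEY.pub"
		# The -f re-check covers the case where rm could not remove the file.
		# ssh-keygen's stderr goes to the log so a failure is diagnosable.
		if [ ! -f "$ECDSA_256_KEY" ] && "$KEYGEN" -q -t ecdsa -b 256 -f "$ECDSA_256_KEY" -C '' -N '' >/dev/null 2>>"$SSHD_INIT_LOG"; then
			chmod 600 "$ECDSA_256_KEY"
			chmod 644 "$ECDSA_256_KEY.pub"
			if [ -x /sbin/restorecon ]; then
				/sbin/restorecon "$ECDSA_256_KEY" "$ECDSA_256_KEY.pub"
			fi
			success $"SUCCESS ECDSA-256 key generation" >> "$SSHD_INIT_LOG"
			# Terminate the log line; previously this newline went to stdout,
			# leaving consecutive entries in the log run together.
			echo >> "$SSHD_INIT_LOG"
		else
			failure $"FAILURE ECDSA-256 key generation" >> "$SSHD_INIT_LOG"
			echo >> "$SSHD_INIT_LOG"
			exit 1
		fi
	fi
}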
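# Create keys if necessary. AUTOCREATE_SERVER_KEYS comes from
# /etc/sysconfig/sshd: NO skips generation, RSAONLY generates only the RSA
# key, anything else (including unset) generates every type.
if [ "x${AUTOCREATE_SERVER_KEYS}" != xNO ]; then
	do_rsa_keygen
	if [ "x${AUTOCREATE_SERVER_KEYS}" != xRSAONLY ]; then
		# Every helper exits the script on failure, so the modern key types
		# go first: DSA generation is the one most likely to fail (recent
		# OpenSSH releases disable or drop DSA) and must not prevent the
		# ECDSA/ED25519 host keys from being created.
		do_ecdsa_keygen
		do_ecdsa_256_keygen
		do_ed25519_keygen
		do_dsa_keygen
	fi
fi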
