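#!/bin/sh
#----------------------------------------------------------------------------
# /var/install/bin/system-ssh-create-server-keys - create ssh server keys
#
# Creation:    2002-07-18 jh
# Last Update: $Id$
#
# Usage: system-ssh-create-server-keys [options]
#
#   --batch                               - run script in batch mode
#   --help                                - show this help
#   --key ed25519|rsa|ecdsa|dsa|rsa1      - generate a 'specific' key
#   --quiet                               - suppress screen output
#   --rsabits 2048|3072|4096|6142|8192    - bits to generate RSA key
#
# NOTE(review): the rsa1 and dsa key types may be rejected by newer
# ssh-keygen releases; confirm against the installed OpenSSH version before
# relying on them here.
#
# Copyright (c) 2002-@@YEAR@@ the eisfair team, team(at)eisfair(dot)org
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#----------------------------------------------------------------------------

# include eislib
. /var/install/include/eislib

#exec 2>/tmp/system-ssh-create-server-keys-$$.log
#set -x

#----------------------------------------------------------------------------
# my own echo
#
# Wrapper around eislib's mecho that honours the global 'quiet' flag.
# Leading arguments that look like mecho switches (-n, --std, --info,
# --warn, ...) are collected and handed to mecho unquoted so that every
# switch arrives as its own word; all remaining words form the message.
# With 'quiet' set to '--quiet' nothing is printed at all.
#
# Globals:   quiet (read)
# Arguments: [switches...] [message words...]
# Outputs:   the message via mecho
#----------------------------------------------------------------------------
myecho() {
  if [ "${quiet}" != '--quiet' ]; then
    _me_exit=0
    _me_switch=''
    _me_outstr=''

    while [ ${_me_exit} -eq 0 ]; do
      case $1 in
        -n|*-std|*stdbr|*-info|*-warn|*-error|*-link|*-ok|*-fail|*-tty|*-html|*-file)
          _me_switch="${_me_switch}$1 "
          shift
          ;;
        *)
          _me_outstr="$*"
          _me_exit=1
          ;;
      esac
    done

    # be verbose; ${_me_switch} is deliberately unquoted so that each
    # collected switch is passed to mecho as a separate word
    # shellcheck disable=SC2086
    mecho ${_me_switch} "${_me_outstr}"
  fi
}

#----------------------------------------------------------------------------
# show help
#
# Print the usage text (through myecho, so '--quiet' suppresses it too).
#----------------------------------------------------------------------------
show_help() {
  myecho
  myecho "Usage: system-ssh-create-server-keys [options]"
  myecho
  myecho "  --batch                               - run script in batch mode"
  myecho "  --help                                - show this help"
  myecho "  --key ed25519|rsa|ecdsa|dsa|rsa1      - generate a 'specific' key"
  myecho "  --quiet                               - suppress screen output"
  myecho "  --rsabits 2048|3072|4096|6142|8192    - bits to generate RSA key"
  myecho
}

#============================================================================
# main
#============================================================================
cmd_line="$*"                          # command line parameters (not referenced below)
dest_path='/etc/ssh'
sshd_file="${dest_path}/sshd_config"   # not referenced below
batch='no'
key_list='ed25519 rsa'                 # list of keys to generate
passphrase=''                          # '' - no passphrase (passed as -N '')
quiet=''                               # '--quiet' - do not print any message
quiet_short=''
rsabits='4096'                         # default RSA bits to generate keys

# read command line parameters
while [ $# -ne 0 ]; do
  case $1 in
    *-batch)
      batch='yes'
      shift
      ;;
    *-key)
      # the option value is validated against a fixed list; anything else
      # (including a missing value) keeps the default key list
      case "${2:-}" in
        ed25519|rsa|ecdsa|dsa|rsa1)
          key_list="$2"
          ;;
        *)
          myecho --warn "Invalid key type given, using default value!"
          ;;
      esac
      # the value may be missing when --key is the last argument: shifting
      # past the end would abort a POSIX shell, so shift at most twice
      shift
      [ $# -gt 0 ] && shift
      ;;
    *-quiet)
      quiet='--quiet'
      quiet_short='-q'
      shift
      ;;
    *-rsabits)
      case "${2:-}" in
        2048|3072|4096|6142|8192)
          rsabits="$2"
          ;;
        *)
          myecho --warn "Invalid bits value given, using default value!"
          ;;
      esac
      shift
      [ $# -gt 0 ] && shift
      ;;
    *)
      show_help
      exit 1
      ;;
  esac
done

# answer file for /var/install/bin/ask; it is created once and only
# truncated by redirection afterwards, so its (random) name is never
# released and re-created while the script runs
_ask_tmpfile=$(/bin/mktemp -t ask-ssh.XXXXXXXXX) || exit 1
# remove the answer file on every exit path, including an interrupted session
trap 'rm -f -- "${_ask_tmpfile}"' EXIT

clrhome
myecho -n --info "Generate server SSH2 keys"
myecho
myecho "Please keep in mind that you might run into a problem with"
myecho "your SSH client program if one or more host keys are changed!"
myecho
myecho --warn "Therefore keep this session open until you've double-checked"
myecho --warn "that you're still able to connect to the host by opening a"
myecho --warn "second SSH session in parallel."
myecho

# 2015-01-08/JED - reworked based on information about SSH hardening on the following
# website https://stribika.github.io/2015/01/04/secure-secure-shell.html
key_updated=0
# key_list is a space separated list and is split on purpose
# shellcheck disable=SC2086
for KEY in ${key_list}; do
  key_create='no'

  if [ "${KEY}" = 'rsa1' ]; then
    key_file="${dest_path}/ssh_host_key"
  else
    key_file="${dest_path}/ssh_host_${KEY}_key"
  fi

  # -a number - number of KDF rounds for new key format or moduli primality tests
  # -b bits   - number of bits in the key to create (only for dsa and rsa)
  key_bits=''
  bits=''
  case ${KEY} in
    dsa)
      # DSA keys must be exactly 1024 bits as specified by FIPS 186-2
      bits='1024'
      key_bits='(1024 bits)'
      ;;
    rsa)
      bits="${rsabits}"
      key_bits="(${rsabits} bits)"
      ;;
  esac

  myecho "Creating key '${key_file}' ${key_bits} ..."

  if [ -e "${key_file}" ] && [ "${batch}" = 'no' ]; then
    # key file exists: ask before overwriting it.  The answer goes through
    # the temp file so that both ask's exit status and its output remain
    # available; ask returns 255 when the user breaks out of the question.
    key_create='no'
    /var/install/bin/ask "File already exists, do you want to overwrite it" 'n' > "${_ask_tmpfile}"
    rc=$?
    read -r key_create < "${_ask_tmpfile}"
    if [ "${rc}" = 255 ]; then
      key_create='no'
    fi
  else
    # no key yet, or batch mode: (re)create without asking
    key_create='yes'
  fi

  if [ "${key_create}" = 'yes' ]; then
    # move away previous key files; they are restored below if ssh-keygen
    # fails, so the host is never left without a usable host key
    if [ -f "${key_file}" ]; then
      mv -- "${key_file}" "${key_file}.backup"
    fi
    if [ -f "${key_file}.pub" ]; then
      mv -- "${key_file}.pub" "${key_file}.pub.backup"
    fi

    # build the ssh-keygen argument list from the (already consumed)
    # positional parameters instead of going through eval; the empty
    # passphrase is passed as a genuine empty argument this way
    set -- -t "${KEY}" -N "${passphrase}" -a 100
    if [ -n "${bits}" ]; then
      set -- "$@" -b "${bits}"
    fi
    if [ -n "${quiet_short}" ]; then
      set -- "${quiet_short}" "$@"
    fi

    if /usr/bin/ssh-keygen "$@" -f "${key_file}"; then
      key_updated=1
      # remove previous key files
      rm -f -- "${key_file}.backup"
      rm -f -- "${key_file}.pub.backup"
    else
      myecho --error "Creating key '${key_file}' failed, keeping previous key!"
      # put the previous key files back in place
      if [ -f "${key_file}.backup" ]; then
        mv -f -- "${key_file}.backup" "${key_file}"
      fi
      if [ -f "${key_file}.pub.backup" ]; then
        mv -f -- "${key_file}.pub.backup" "${key_file}.pub"
      fi
    fi
  fi
  myecho
done

if [ ${key_updated} -eq 1 ] && [ "${batch}" = 'yes' ]; then
  # NOTE(review): the restart hint and the key-press wait run only in batch
  # mode, which looks inverted for an unattended run - confirm against the
  # callers before changing it
  myecho --warn "Remember to restart the OpenSSH server to activate the new key(s)!"
  anykey
fi

#----------------------------------------------------------------------------
# End
#----------------------------------------------------------------------------
exit 0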