d842425106
longer supported by default since 7.0. [1] I do plan to make this configurable based on PR 202169 [2] soon. PR: 202792 [1] PR: 202169 [2] Submitted by: chrysalis@chrysalisnet.org [1]
#!/bin/sh
# $FreeBSD$
#
# PROVIDE: openssh
# REQUIRE: DAEMON
# KEYWORD: shutdown
#
# Add the following lines to /etc/rc.conf to enable openssh:
#
# openssh_enable (bool):        Set it to "YES" to enable openssh.
#                               Default is "NO".
# openssh_flags (flags):        Set extra flags to openssh.
#                               Default is "". See sshd(8).
# openssh_pidfile (file):       Set full path to pid file.
#                               Default is "/var/run/sshd.pid", which is also
#                               the default PidFile of the base system sshd.
#                               It must match the PidFile in sshd_config; when
#                               running both daemons side by side, give the
#                               port's sshd a distinct PidFile and set it here.
# openssh_skipportscheck (bool): Set it to "YES" to skip the check that refuses
#                               to start when sshd_enable is "YES" and both
#                               daemons would listen on the same port.
#                               Default is "NO".
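. /etc/rc.subr

name="openssh"
rcvar=openssh_enable

load_rc_config ${name}

# rc.conf defaults.  Both use ":=" so that an empty value (not only an
# unset one) falls back to "NO"; otherwise checkyesno complains that the
# variable is not set properly.
: ${openssh_enable:="NO"}
: ${openssh_skipportscheck:="NO"}

command=%%PREFIX%%/sbin/sshd
extra_commands="configtest reload keygen"

# Every start/reload/restart is gated on openssh_checks (port clash with
# the base sshd, host key generation, sshd -t), so a broken configuration
# fails here instead of leaving a half-started daemon.
start_precmd="${name}_checks"
reload_precmd="${name}_checks"
restart_precmd="${name}_checks"
configtest_cmd="${name}_configtest"
keygen_cmd="${name}_keygen"

# Where rc.subr looks for the daemon's pid.  This has to match the PidFile
# sshd itself writes (sshd_config(5)); the default is the same path the
# base system sshd uses, so running both side by side needs a distinct
# PidFile in %%ETCDIR%%/sshd_config and openssh_pidfile in rc.conf.
pidfile=${openssh_pidfile:="/var/run/sshd.pid"}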
|
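# Create any missing host key (DSA, RSA, ECDSA, ED25519) in %%ETCDIR%%.
# Runs before every start via openssh_checks and as the "keygen" command.
# Aborts through err(8) if ssh-keygen is not installed.
openssh_keygen()
{
	# Nothing to do when every host key type we manage already exists.
	if [ -f %%ETCDIR%%/ssh_host_dsa_key ] &&
	   [ -f %%ETCDIR%%/ssh_host_rsa_key ] &&
	   [ -f %%ETCDIR%%/ssh_host_ecdsa_key ] &&
	   [ -f %%ETCDIR%%/ssh_host_ed25519_key ]; then
		return 0
	fi

	# ssh-keygen creates the private key 0600 by itself; the umask only
	# governs the .pub file, which is meant to be world-readable.
	umask 022

	# Can't do anything if ssh is not installed
	[ -x %%PREFIX%%/bin/ssh-keygen ] ||
		err 1 "%%PREFIX%%/bin/ssh-keygen does not exist."

	# NOTE: OpenSSH 7.0 and later disables ssh-dss host keys by default, so
	# the DSA key generated here is not offered to clients unless
	# HostKeyAlgorithms in sshd_config re-enables it.
	openssh_keygen_one dsa "DSA" %%ETCDIR%%/ssh_host_dsa_key
	openssh_keygen_one rsa "RSA" %%ETCDIR%%/ssh_host_rsa_key
	openssh_keygen_one ecdsa "Elliptic Curve DSA" %%ETCDIR%%/ssh_host_ecdsa_key
	openssh_keygen_one ed25519 "Elliptic Curve ED25519" %%ETCDIR%%/ssh_host_ed25519_key
}

# Generate one host key unless the file already exists.
#   $1 - ssh-keygen key type (dsa, rsa, ecdsa, ed25519)
#   $2 - human readable key name used in the messages
#   $3 - path of the private key; the public key goes to $3.pub
# Host keys get an empty passphrase (-N '') because sshd must load them
# unattended.  The exit status of ssh-keygen is not checked (as before):
# it prints its own diagnostics, and the sshd -t run in openssh_checks is
# the final gate before the daemon starts.
openssh_keygen_one()
{
	if [ -f "$3" ]; then
		echo "You already have a $2 host key" \
		    "in $3"
		echo "Skipping protocol version 2 $2 Key Generation"
	else
		%%PREFIX%%/bin/ssh-keygen -t "$1" \
		    -f "$3" -N ''
	fi
}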
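# Print the TCP ports an sshd would listen on, space separated on one line.
#   $1 - path of its sshd_config
#   $2 - its command line flags (openssh_flags / sshd_flags)
# Precedence follows sshd(8): a ListenAddress with an explicit port wins;
# every ListenAddress without one (and the case of no ListenAddress at all)
# uses the -p ports, else the Port directives, else 22.
# Keywords are matched case-insensitively, as sshd does.  Include
# directives of newer OpenSSH releases are not followed.
openssh_listen_ports()
{
	_cfg=$1
	_flags=$2
	_ports=""

	# A ListenAddress only carries a port in the forms host:port and
	# [ipv6]:port.  A bare unbracketed IPv6 address such as ::1 must not
	# have its last group mistaken for a port, which is what a plain
	# ":[0-9]*$" match would do; anything without a port listens on the
	# default list, signalled by the trailing "default" token.
	for _p in $(awk '
		tolower($1) == "listenaddress" {
			seen = 1
			if ($2 ~ /^\[.*]:[0-9]+$/ || $2 ~ /^[^:]+:[0-9]+$/) {
				sub(/^.*:/, "", $2)
				print $2
			} else {
				bare = 1
			}
		}
		END { if (!seen || bare) print "default" }' "$_cfg"); do
		if [ "$_p" != "default" ]; then
			_ports="${_ports:+$_ports }$_p"
			continue
		fi
		# Default port list: every -p on the command line, else every
		# Port directive, else 22.
		_def=$(printf '%s\n' "$_flags" | awk '
			{ for (i = 1; i <= NF; i++) if ($i == "-p") print $(i + 1) }')
		[ -n "$_def" ] || _def=$(awk 'tolower($1) == "port" { print $2 }' "$_cfg")
		[ -n "$_def" ] || _def=22
		for _d in $_def; do
			_ports="${_ports:+$_ports }$_d"
		done
	done
	printf '%s\n' "$_ports"
}

# Return 0 if this sshd and the base system sshd would bind the same port,
# 1 otherwise.  Reads openssh_flags, loads the sshd rc.conf settings to get
# sshd_flags, and leaves the port lists in self_port / base_sshd_port.
openssh_check_same_ports(){
	# The port installed over the base system sshd (ETCDIR is /etc/ssh):
	# there is nothing to compare against.
	if [ "%%ETCDIR%%" = "/etc/ssh" ]; then
		return 1
	fi

	self_port=$(openssh_listen_ports %%ETCDIR%%/sshd_config "$openssh_flags")

	# Pull in sshd_flags for the base system daemon.
	load_rc_config "sshd"
	base_sshd_port=$(openssh_listen_ports /etc/ssh/sshd_config "$sshd_flags")

	# Either side may hold several ports; any overlap is a clash.  Values
	# that are not plain numbers (a typo in sshd_config or in the flags)
	# are skipped instead of making test(1) complain.
	for sport in $self_port; do
		case $sport in
		""|*[!0-9]*) continue ;;
		esac
		for bport in $base_sshd_port; do
			case $bport in
			""|*[!0-9]*) continue ;;
			esac
			[ "$sport" -eq "$bport" ] && return 0
		done
	done

	return 1
}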
# Run "sshd -t" with the configured flags; the exit status is sshd's, so a
# broken sshd_config is reported to the caller.  eval re-parses
# openssh_flags (set by the administrator in rc.conf) as a command line.
openssh_configtest()
{
	printf '%s\n' "Performing sanity check on ${name} configuration."
	eval "${command}" ${openssh_flags} -t
}
# Pre-command for start, reload and restart.  Refuses to proceed when the
# base system sshd is enabled on the same port (unless the administrator
# set openssh_skipportscheck), then makes sure host keys exist and that
# the configuration passes sshd -t.
openssh_checks()
{
	if checkyesno sshd_enable &&
	   openssh_check_same_ports &&
	   ! checkyesno openssh_skipportscheck; then
		err 1 "sshd_enable is set, but $name and /usr/sbin/sshd use the same port"
	fi

	run_rc_command keygen
	# Last command: the status of sshd -t becomes the status of this
	# precmd, so rc.subr does not start the daemon on a bad config.
	openssh_configtest
}
# Dispatch the rc command (start, stop, reload, configtest, keygen, ...).
run_rc_command "${1}"