mirror of
https://git.FreeBSD.org/src.git
synced 2024-12-16 10:20:30 +00:00
8801556beb
systems are fully "ready to go". 'FILESYSTEMS' states: "This is a dummy dependency, for services which require file systems to be mounted before starting." However, we have 'var' which is was run after 'FILESYSTEMS' and can mount /var if it already isn't mounted. Furthermore, several scripts cannot use /var until 'cleanvar' has done its thing. Thus "FILESYSTEMS" hasn't really meant all critical file systems are fully usable.
111 lines
2.7 KiB
Bash
Executable File
111 lines
2.7 KiB
Bash
Executable File
#!/bin/sh
|
|
#
|
|
# $FreeBSD$
|
|
#
|
|
|
|
# PROVIDE: sshd
|
|
# REQUIRE: LOGIN FILESYSTEMS
|
|
# KEYWORD: shutdown
|
|
|
|
. /etc/rc.subr
|
|
|
|
name="sshd"
|
|
rcvar="sshd_enable"
|
|
command="/usr/sbin/${name}"
|
|
keygen_cmd="sshd_keygen"
|
|
start_precmd="sshd_precmd"
|
|
configtest_cmd="sshd_configtest"
|
|
pidfile="/var/run/${name}.pid"
|
|
extra_commands="configtest keygen reload"
|
|
|
|
timeout=300
|
|
|
|
user_reseed()
|
|
{
|
|
(
|
|
seeded=`sysctl -n kern.random.sys.seeded 2>/dev/null`
|
|
if [ "x${seeded}" != "x" ] && [ ${seeded} -eq 0 ] ; then
|
|
warn "Setting entropy source to blocking mode."
|
|
echo "===================================================="
|
|
echo "Type a full screenful of random junk to unblock"
|
|
echo "it and remember to finish with <enter>. This will"
|
|
echo "timeout in ${timeout} seconds, but waiting for"
|
|
echo "the timeout without typing junk may make the"
|
|
echo "entropy source deliver predictable output."
|
|
echo ""
|
|
echo "Just hit <enter> for fast+insecure startup."
|
|
echo "===================================================="
|
|
sysctl kern.random.sys.seeded=0 2>/dev/null
|
|
read -t ${timeout} junk
|
|
echo "${junk}" `sysctl -a` `date` > /dev/random
|
|
fi
|
|
)
|
|
}
|
|
|
|
sshd_keygen()
|
|
{
|
|
(
|
|
umask 022
|
|
|
|
# Can't do anything if ssh is not installed
|
|
[ -x /usr/bin/ssh-keygen ] || {
|
|
warn "/usr/bin/ssh-keygen does not exist."
|
|
return 1
|
|
}
|
|
|
|
if [ -f /etc/ssh/ssh_host_key ]; then
|
|
echo "You already have an RSA host key" \
|
|
"in /etc/ssh/ssh_host_key"
|
|
echo "Skipping protocol version 1 RSA Key Generation"
|
|
else
|
|
/usr/bin/ssh-keygen -t rsa1 -b 1024 \
|
|
-f /etc/ssh/ssh_host_key -N ''
|
|
fi
|
|
|
|
if [ -f /etc/ssh/ssh_host_dsa_key ]; then
|
|
echo "You already have a DSA host key" \
|
|
"in /etc/ssh/ssh_host_dsa_key"
|
|
echo "Skipping protocol version 2 DSA Key Generation"
|
|
else
|
|
/usr/bin/ssh-keygen -t dsa -f /etc/ssh/ssh_host_dsa_key -N ''
|
|
fi
|
|
|
|
if [ -f /etc/ssh/ssh_host_rsa_key ]; then
|
|
echo "You already have an RSA host key" \
|
|
"in /etc/ssh/ssh_host_rsa_key"
|
|
echo "Skipping protocol version 2 RSA Key Generation"
|
|
else
|
|
/usr/bin/ssh-keygen -t rsa -f /etc/ssh/ssh_host_rsa_key -N ''
|
|
fi
|
|
|
|
if [ -f /etc/ssh/ssh_host_ecdsa_key ]; then
|
|
echo "You already have an ECDSA host key" \
|
|
"in /etc/ssh/ssh_host_ecdsa_key"
|
|
echo "Skipping protocol version 2 ECDSA Key Generation"
|
|
else
|
|
/usr/bin/ssh-keygen -t ecdsa -f /etc/ssh/ssh_host_ecdsa_key -N ''
|
|
fi
|
|
)
|
|
}
|
|
|
|
sshd_configtest()
|
|
{
|
|
echo "Performing sanity check on ${name} configuration."
|
|
eval ${command} ${sshd_flags} -t
|
|
}
|
|
|
|
sshd_precmd()
|
|
{
|
|
if [ ! -f /etc/ssh/ssh_host_key -o \
|
|
! -f /etc/ssh/ssh_host_dsa_key -o \
|
|
! -f /etc/ssh/ssh_host_ecdsa_key -o \
|
|
! -f /etc/ssh/ssh_host_rsa_key ]; then
|
|
user_reseed
|
|
run_rc_command keygen
|
|
fi
|
|
sshd_configtest
|
|
}
|
|
|
|
load_rc_config $name
|
|
run_rc_command "$1"
|