#!/bin/sh # # $NetBSD: sshd,v 1.32.2.1 2023/06/21 15:16:17 martin Exp $ # # PROVIDE: sshd # REQUIRE: LOGIN $_rc_subr_loaded . /etc/rc.subr name="sshd" rcvar=$name command="/usr/sbin/${name}" pidfile="/var/run/${name}.pid" required_files="/etc/ssh/sshd_config" extra_commands="check keygen keyregen reload" sshd_motd_unsafe_keys_warning() { ( umask 022 T=/etc/_motd sed -E '/^-- UNSAFE KEYS WARNING:/,$d' < /etc/motd > $T if [ $( sysctl -n kern.entropy.needed ) -ne 0 ]; then cat >> $T << _EOF -- UNSAFE KEYS WARNING: The ssh host keys on this machine have been generated with not enough entropy configured, so they may be predictable. To fix, follow the "Adding entropy" section in the entropy(7) man page. After this machine has enough entropy, re-generate the ssh host keys by running: /etc/rc.d/sshd keyregen _EOF fi cmp -s $T /etc/motd || cp $T /etc/motd rm -f $T ) } sshd_keygen() { ( keygen="/usr/bin/ssh-keygen" umask 022 new_key_created=false while read type bits filename; do f="/etc/ssh/$filename" if [ "$1" != "force" ] && [ -f "$f" ]; then continue fi rm -f "$f" case "${bits}" in -1) bitarg=;; 0) bitarg="${ssh_keygen_flags}";; *) bitarg="-b ${bits}";; esac "${keygen}" -t "${type}" ${bitarg} -f "${f}" -N '' -q && \ printf "ssh-keygen: " && "${keygen}" -f "${f}" -l new_key_created=true done << _EOF ecdsa -1 ssh_host_ecdsa_key ed25519 -1 ssh_host_ed25519_key rsa 0 ssh_host_rsa_key _EOF if "${new_key_created}"; then sysctl -q kern.entropy.needed && sshd_motd_unsafe_keys_warning fi ) } sshd_precmd() { run_rc_command keygen } sshd_check() { sshd -t } sshd_reload_precmd() { run_rc_command check } check_cmd=sshd_check keygen_cmd=sshd_keygen keyregen_cmd="sshd_keygen force" reload_precmd=sshd_reload_precmd start_precmd=sshd_precmd load_rc_config $name run_rc_command "$1"