# Create the host keys for the OpenSSH server.
#
# Which key types get generated is driven by AUTOCREATE_SERVER_KEYS.  The
# value below is the built-in default; /etc/sysconfig/sshd, sourced at the
# end of this prologue, may replace it.
AUTOCREATE_SERVER_KEYS="RSA ECDSA ED25519"

# success()/failure() and the other init helpers used further down.
. /etc/init.d/functions

# Fixed locations used by the keygen helpers.  SSH1 (RSA1) and DSA are
# legacy key types and are not part of the default list above.
KEYGEN=/usr/bin/ssh-keygen
ED25519_KEY=/etc/ssh/ssh_host_ed25519_key
ECDSA_KEY=/etc/ssh/ssh_host_ecdsa_key
RSA_KEY=/etc/ssh/ssh_host_rsa_key
DSA_KEY=/etc/ssh/ssh_host_dsa_key
RSA1_KEY=/etc/ssh/ssh_host_key

# Site configuration.  NOTE: this file is executed as shell code, as root,
# and is sourced after every default above, so it can override any of them
# (key paths included).  It must stay root-owned and not writable by others.
test -f /etc/sysconfig/sshd && . /etc/sysconfig/sshd
# Body fragment of fips_enabled(); its header and the fallback branch are not
# in this listing.  When the kernel exposes the FIPS flag, the file's content
# ("0" or "1") is printed verbatim and callers compare it with `-eq 0`.
if [ -r /proc/sys/crypto/fips_enabled ]; then
# NOTE(review): callers depend on exactly one integer being printed; the
# unreadable-file case presumably prints 0 in the branch not shown -- confirm.
cat /proc/sys/crypto/fips_enabled
# Fragment of the SSH1 (RSA1) host key helper; the function header, the
# else/fi closers and possibly a chmod on the private key are not in this
# listing.  The key is created only when the file is absent or empty AND the
# kernel is not in FIPS mode.
# NOTE(review): this is the SSH protocol 1 host key.  Newer ssh-keygen builds
# no longer accept `-t rsa1`, in which case this always takes the failure
# branch -- confirm whether this helper is still selectable at all.
if [ ! -s $RSA1_KEY -a `fips_enabled` -eq 0 ]; then
echo -n $"Generating SSH1 RSA host key: "
# `-N ''` produces an unencrypted private key (sshd reads it unattended);
# `>&/dev/null` discards ssh-keygen's own error output.
if test ! -f $RSA1_KEY && $KEYGEN -q -t rsa1 -f $RSA1_KEY -C '' -N '' >&/dev/null; then
# Private key is handed to the ssh_keys group; confirm its mode is 0600 --
# only the public half is chmod'ed in the lines shown here.
chgrp ssh_keys $RSA1_KEY
chmod 644 $RSA1_KEY.pub
# Restore SELinux labels on both halves when restorecon is available.
if [ -x /sbin/restorecon ]; then
/sbin/restorecon $RSA1_KEY{,.pub}
success $"RSA1 key generation"
failure $"RSA1 key generation"
# Fragment of the SSH2 RSA host key helper; the function header, the else/fi
# closers and possibly a chmod on the private key are not in this listing.
# Unlike the RSA1/DSA/ED25519 helpers there is no FIPS gate: RSA is created
# whenever the key file is absent or empty.
if [ ! -s $RSA_KEY ]; then
echo -n $"Generating SSH2 RSA host key: "
# `test ! -f` keeps ssh-keygen from being asked to overwrite an existing
# file.  NOTE(review): a zero-length key file (e.g. from an interrupted run)
# passes `! -s` above but fails `! -f` here, so it is reported as a failure
# on every run instead of being regenerated.  `>&/dev/null` also drops
# ssh-keygen's error text, so failure() below gives no reason; consider
# keeping stderr.  `-N ''` is intentional: host keys must be passphrase-less.
if test ! -f $RSA_KEY && $KEYGEN -q -t rsa -f $RSA_KEY -C '' -N '' >&/dev/null; then
# Private key to the ssh_keys group; confirm its mode is 0600 -- only the
# public half's mode is set in the lines shown here.
chgrp ssh_keys $RSA_KEY
chmod 644 $RSA_KEY.pub
# Re-apply SELinux labels to both halves when restorecon is available.
if [ -x /sbin/restorecon ]; then
/sbin/restorecon $RSA_KEY{,.pub}
success $"RSA key generation"
failure $"RSA key generation"
# Fragment of the SSH2 DSA host key helper; the function header, the else/fi
# closers and possibly a chmod on the private key are not in this listing.
# Created only when the file is absent or empty AND the kernel is not in FIPS
# mode.  NOTE(review): DSA host keys are widely deprecated; the default
# AUTOCREATE_SERVER_KEYS list omits DSA and only the YES spelling (or an
# explicit "DSA" entry) reaches this helper.
if [ ! -s $DSA_KEY -a `fips_enabled` -eq 0 ]; then
echo -n $"Generating SSH2 DSA host key: "
# `-N ''`: unencrypted key, required for unattended sshd start.  All
# ssh-keygen output, including errors, is discarded.
if test ! -f $DSA_KEY && $KEYGEN -q -t dsa -f $DSA_KEY -C '' -N '' >&/dev/null; then
# Private key to the ssh_keys group; confirm its mode is 0600 -- only the
# public half's mode is set in the lines shown here.
chgrp ssh_keys $DSA_KEY
chmod 644 $DSA_KEY.pub
# Re-apply SELinux labels to both halves when restorecon is available.
if [ -x /sbin/restorecon ]; then
/sbin/restorecon $DSA_KEY{,.pub}
success $"DSA key generation"
failure $"DSA key generation"
# Fragment of do_ecdsa_keygen(); the function header, the else/fi closers and
# possibly a chmod on the private key are not in this listing.  Not gated on
# FIPS mode: ECDSA is created whenever the key file is absent or empty.
if [ ! -s $ECDSA_KEY ]; then
echo -n $"Generating SSH2 ECDSA host key: "
# No `-b` is passed, so ssh-keygen's default ECDSA curve size applies.
# `-N ''` is intentional (host keys must be passphrase-less); stdout and
# stderr of ssh-keygen are both discarded.
if test ! -f $ECDSA_KEY && $KEYGEN -q -t ecdsa -f $ECDSA_KEY -C '' -N '' >&/dev/null; then
# Private key to the ssh_keys group; confirm its mode is 0600 -- only the
# public half's mode is set in the lines shown here.
chgrp ssh_keys $ECDSA_KEY
chmod 644 $ECDSA_KEY.pub
# Re-apply SELinux labels to both halves when restorecon is available.
if [ -x /sbin/restorecon ]; then
/sbin/restorecon $ECDSA_KEY{,.pub}
success $"ECDSA key generation"
failure $"ECDSA key generation"
# Generate the ED25519 host key pair (the else/fi and closing brace of this
# function are not in this listing).  The key is created only when the file
# is absent or empty AND the kernel is not in FIPS mode -- ED25519 is skipped
# under FIPS, which is why a FIPS host ends up with RSA/ECDSA only.
do_ed25519_keygen() {
if [ ! -s $ED25519_KEY -a `fips_enabled` -eq 0 ]; then
echo -n $"Generating SSH2 ED25519 host key: "
# `-N ''` is intentional (sshd must read the key unattended); ssh-keygen's
# output, errors included, is discarded.  NOTE(review): a zero-length key
# file passes `! -s` above but fails `! -f` here and is never regenerated.
if test ! -f $ED25519_KEY && $KEYGEN -q -t ed25519 -f $ED25519_KEY -C '' -N '' >&/dev/null; then
# Private key: ssh_keys group, owner-only access.  Public key: world-readable.
chgrp ssh_keys $ED25519_KEY
chmod 600 $ED25519_KEY
chmod 644 $ED25519_KEY.pub
# Re-apply SELinux labels to both halves when restorecon is available.
if [ -x /sbin/restorecon ]; then
/sbin/restorecon $ED25519_KEY{,.pub}
success $"ED25519 key generation"
failure $"ED25519 key generation"
# Top-level dispatch.  The body of the NO branch, the esac/done closers and
# the RSA/DSA case arms are not in this listing.
# "NO" presumably skips key creation altogether (branch body not shown).
if [ "x${AUTOCREATE_SERVER_KEYS}" == "xNO" ]; then
# Legacy spellings of the setting are expanded to an explicit key list.
# Only YES adds DSA; NODSA and the built-in default leave it out.
case $AUTOCREATE_SERVER_KEYS in
NODSA) AUTOCREATE_SERVER_KEYS="RSA ECDSA ED25519";;
RSAONLY) AUTOCREATE_SERVER_KEYS="RSA";;
YES) AUTOCREATE_SERVER_KEYS="DSA RSA ECDSA ED25519";;
# Deliberately unquoted: the value is word-split into one helper call per
# key type.  NOTE(review): a misspelled entry from sysconfig presumably falls
# through the case without any message, silently skipping that key.
for KEY in $AUTOCREATE_SERVER_KEYS; do
ECDSA) do_ecdsa_keygen;;
ED25519) do_ed25519_keygen;;