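#!/sbin/sh
#
# Copyright (c) 2000, 2001 by Sun Microsystems, Inc.
# All rights reserved.
#
# <2> 25.Jun.02 sb Remove prngd
# $Id: openssh.server,v 1.5 2001/07/18 15:45:30 kaw Exp $
#
# INTRODUCTION
#
# The OpenSSH tool provides strong authentication and privacy for
# network connections. This init script provides a mechanism to start
# and stop the OpenSSH system daemon at system boot and shutdown.
# This script was created for the Blueprints[tm] OnLine article titled
# "Building and Deploying OpenSSH for the Solaris Operating Environment".
#
#   http://www.boran.com/security/sp/ssh-part2.html
#   http://www.sun.com/blueprints/0701/openSSH.pdf
#
# The latest version of this script is available from the Blueprints
# Online tools area at:
#
#   http://www.sun.com/blueprints/tools/
#
# This script is written for the Solaris 2.6, 7, and 8 Operating
# Environment releases. /sbin/sh on those releases is the classic Bourne
# shell, so the script deliberately avoids $(...), local, [[ ]] and other
# POSIX/ksh/bash extensions, and relies on Solaris echo honouring "\c".
#
# INSTALLATION
#
#   # cp /etc/init.d/openssh.server
#   # chmod 744 /etc/init.d/openssh.server
#   # chown root:sys /etc/init.d/openssh.server
#   # ln /etc/init.d/openssh.server /etc/rc3.d/S25openssh.server
#   # ln /etc/init.d/openssh.server /etc/rcS.d/K30openssh.server
#   # ln /etc/init.d/openssh.server /etc/rc0.d/K30openssh.server
#   # ln /etc/init.d/openssh.server /etc/rc1.d/K30openssh.server
#   # ln /etc/init.d/openssh.server /etc/rc2.d/K40openssh.server
#
# Keith A. Watson
#
# USAGE
#
#   openssh.server { start | stop | restart | keygen | seedgen }
#
# The %%...%% tokens below are substituted when the script is installed.
#

umask 022
PATH=/usr/bin

configDir=%%configDir%%
openSSHDir=%%openSSHDir%%
usePRNGD=%%includePRNGD%%

# PRNGD (entropy gathering daemon) files. The seed file lives inside the
# entropy directory, so that directory must exist before the seed is written.
PRNGDConfig=$configDir/prngd.conf
PRNGDEntropyDir=/var/spool/prngd
PRNGDSeedFile=$PRNGDEntropyDir/prngd-seed
PRNGDEntropyPool=$PRNGDEntropyDir/pool
PRNGDCmd=$openSSHDir/sbin/prngd
PRNGDCmdOptions="--cmdfile $PRNGDConfig --seedfile $PRNGDSeedFile $PRNGDEntropyPool"

# Host keys: DSA and RSA for protocol version 2, RSA for protocol version 1.
DSAKeyFile=$configDir/ssh_host_dsa_key
RSA2KeyFile=$configDir/ssh_host_rsa_key
RSA1KeyFile=$configDir/ssh_host_key
keyGenerator=$openSSHDir/bin/ssh-keygen

sshdConfig=$configDir/sshd_config
sshdPIDFile=sshd.pid
sshdCmd=$openSSHDir/sbin/sshd
sshdCmdOptions=""

#
# Checks for the existence of the host DSA key (protocol version 2).
# Returns 0 if the key file exists, 1 otherwise.
#
DSAKeyExists() {
  [ -f "$DSAKeyFile" ]
}

#
# Checks for the existence of the host RSA key (protocol version 2).
# Returns 0 if the key file exists, 1 otherwise.
#
RSA2KeyExists() {
  [ -f "$RSA2KeyFile" ]
}

#
# Checks for the existence of the RSA host key (protocol version 1).
# Returns 0 if the key file exists, 1 otherwise.
#
RSA1KeyExists() {
  [ -f "$RSA1KeyFile" ]
}

#
# Checks for the existence of the PRNGD initial seed.
# Returns 0 if the seed file exists and is non-empty, 1 otherwise.
#
PRNGDSeedExists() {
  [ -s "$PRNGDSeedFile" ]
}

#
# Configures the appropriate PRNGD config file: when no prngd.conf is
# present, links it to the release-specific template shipped alongside it.
#
setPRNGDConfigFile() {
  if [ ! -f "$PRNGDConfig" ]; then
    OSrev=`uname -r`
    case "$OSrev" in
      "5.7"|"5.8"|"5.9")
        ln -s "$PRNGDConfig-solaris-2.7" "$PRNGDConfig"
        ;;
      *)
        ln -s "$PRNGDConfig-solaris-2.6" "$PRNGDConfig"
        ;;
    esac
  fi
}

#
# Generates one host key pair with an empty passphrase.
#   $1 - ssh-keygen key type (dsa, rsa or rsa1)
#   $2 - path of the private key file to create
#   $3 - description used in the progress message
# Prints "done." or "failed!"; returns 0 on success, 1 on failure. Callers
# treat a failure as non-fatal, as the original script did.
#
generateKey() {
  echo "Generating OpenSSH server $3 key...\c"
  if "$keyGenerator" -q -t "$1" -f "$2" -N ''; then
    echo "done."
    return 0
  fi
  echo "failed!"
  return 1
}

#
# Generates DSA (protocol version 2) key.
#
generateDSAKey() {
  generateKey dsa "$DSAKeyFile" "DSA (protocol version 2)"
}

#
# Generates RSA (protocol version 2) key.
#
generateRSA2Key() {
  generateKey rsa "$RSA2KeyFile" "RSA (protocol version 2)"
}

#
# Generates RSA (protocol version 1) key.
#
generateRSA1Key() {
  generateKey rsa1 "$RSA1KeyFile" "RSA (protocol version 1)"
}

#
# Checks for keys and generates them if necessary.
#
generateKeys() {
  if DSAKeyExists; then
    echo "OpenSSH DSA key exists: $DSAKeyFile"
  else
    generateDSAKey
  fi
  if RSA2KeyExists; then
    echo "OpenSSH RSA2 key exists: $RSA2KeyFile"
  else
    generateRSA2Key
  fi
  if RSA1KeyExists; then
    echo "OpenSSH RSA1 key exists: $RSA1KeyFile"
  else
    generateRSA1Key
  fi
}

#
# Checks for the seed file and generates one if necessary.
# PRNGD is seeded from this file and key generation depends on PRNGD (see
# the keygen action), so the file is created private (mode 600, then 400)
# and never left readable by other users.
#
generateSeed() {
  if [ "$usePRNGD" != "yes" ]; then
    #echo "PRNGD is not configured to operate with OpenSSH."
    echo "Running Openssh without PRNGD."
    return 0
  fi
  if PRNGDSeedExists; then
    echo "PRNGD seed exists: $PRNGDSeedFile"
    return 0
  fi
  echo "Generating PRNGD initial seed file...\c"
  # The seed lives under the entropy directory; on a fresh install it does
  # not exist yet and touch would fail.
  [ -d "$PRNGDEntropyDir" ] || mkdir -p "$PRNGDEntropyDir"
  # Create the file under a private umask so it never appears with the
  # umask-022 default (644) between creation and the chmod below.
  (umask 077; touch "$PRNGDSeedFile")
  chmod 600 "$PRNGDSeedFile"
  # Newly installed system may not have log files
  [ -s /var/adm/messages ] && cat /var/adm/messages >> "$PRNGDSeedFile"
  [ -s /var/log/syslog ] && cat /var/log/syslog >> "$PRNGDSeedFile"
  [ -s /var/cron/log ] && cat /var/cron/log >> "$PRNGDSeedFile"
  ls -alni /proc >> "$PRNGDSeedFile"
  ps -efly >> "$PRNGDSeedFile"
  chmod 400 "$PRNGDSeedFile"
  echo "done."
}

#
# Start the OpenSSH server process.
# Exits 1 when the sshd configuration file or the sshd binary is missing;
# generates any absent host keys first.
#
startSSHD() {
  # check for configuration file
  if [ ! -f "$sshdConfig" ]; then
    echo "OpenSSH is not configured. Missing file $sshdConfig."
    exit 1
  fi
  # refuse to "start" silently when the daemon itself is not installed
  if [ ! -x "$sshdCmd" ]; then
    echo "OpenSSH server program cannot be executed: $sshdCmd"
    exit 1
  fi
  # check for all of the keys
  DSAKeyExists && RSA2KeyExists && RSA1KeyExists || generateKeys
  # $sshdCmdOptions is a whitespace-separated option list and is
  # intentionally left unquoted so it splits into separate arguments.
  "$sshdCmd" $sshdCmdOptions
}

#
# Start the PRNGD process (no-op unless usePRNGD is "yes").
#
startPRNGD() {
  if [ "$usePRNGD" != "yes" ]; then
    echo "PRNGD is not configured to operate with OpenSSH."
    return 0
  fi
  PRNGDSeedExists || generateSeed
  setPRNGDConfigFile
  # check that the directory containing the entropy pool exists
  [ -d "$PRNGDEntropyDir" ] || mkdir -p "$PRNGDEntropyDir"
  # $PRNGDCmdOptions is intentionally unquoted (option list, see above)
  "$PRNGDCmd" $PRNGDCmdOptions
}

#
# Stop the OpenSSH server process.
# Looks for the PID file in /etc then /var/run. Returns 1 when no PID file
# can be found or when its contents are not a plain process ID.
#
stopSSHD() {
  realPIDFile=""
  if [ -r "/etc/$sshdPIDFile" ]; then
    realPIDFile=/etc/$sshdPIDFile
  elif [ -r "/var/run/$sshdPIDFile" ]; then
    realPIDFile=/var/run/$sshdPIDFile
  else
    echo "OpenSSH server process ID (PID) file cannot be located."
    return 1
  fi
  sshdPID=""
  read sshdPID < "$realPIDFile"
  # Only signal a plain positive integer. An empty or corrupted PID file
  # must not become "kill -TERM" with no argument, a negative value
  # (process group) or -1 (every process this script may signal).
  case "$sshdPID" in
    ''|*[!0-9]*)
      echo "OpenSSH PID file $realPIDFile does not contain a valid process ID."
      return 1
      ;;
  esac
  kill -TERM "$sshdPID"
}

#
# Stop the PRNGD process (no-op unless usePRNGD is "yes").
#
stopPRNGD() {
  [ "$usePRNGD" = "yes" ] || return 0
  # PRNGD has its own built method to shutdown and save its seed
  "$PRNGDCmd" --kill "$PRNGDEntropyPool" > /dev/null 2>&1
}

#
# Parse command argument
#
case "$1" in
  'start')
    # start the PRNGD process first to gather entropy
    startPRNGD
    startSSHD
    ;;
  'stop')
    stopSSHD
    stopPRNGD
    ;;
  'restart')
    stopSSHD
    stopPRNGD
    startPRNGD
    startSSHD
    ;;
  'keygen')
    # start PRNGD because key generation requires it
    stopSSHD
    startPRNGD
    generateKeys
    stopPRNGD
    ;;
  'seedgen')
    generateSeed
    ;;
  *)
    echo "Usage: $0 { start | stop | restart | keygen | seedgen }"
    ;;
esac
exit 0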