#!/bin/bash

# Create the host keys for the OpenSSH server.
#
# The creation is controlled by the $AUTOCREATE_SERVER_KEYS environment
# variable.

# OpenSSH 7.0 depreceated DSA keys. We don't create DSA be default, but you can add 'DSA' to the list bellow.
AUTOCREATE_SERVER_KEYS="RSA ECDSA ED25519"
FAIL='0'

# Some functions to make the below more readable
KEYGEN=/usr/bin/ssh-keygen
RSA_KEY=/etc/ssh/ssh_host_rsa_key
DSA_KEY=/etc/ssh/ssh_host_dsa_key
ECDSA_KEY=/etc/ssh/ssh_host_ecdsa_key
ED25519_KEY=/etc/ssh/ssh_host_ed25519_key

# pull in sysconfig settings
[ -f /etc/sysconfig/sshd ] && . /etc/sysconfig/sshd

do_rsa_keygen() {
	if [ ! -s $RSA_KEY ]; then
		echo -n $"Generating SSH2 RSA host key: "
		rm -f $RSA_KEY
		if test ! -f $RSA_KEY && $KEYGEN -q -t rsa -f $RSA_KEY -C '' -N '' >&/dev/null; then
			chmod 600 $RSA_KEY
			chmod 644 $RSA_KEY.pub
			if [ -x /sbin/restorecon ]; then
			    /sbin/restorecon $RSA_KEY{,.pub}
			fi
			echo "RSA key $RSA_KEY generated."
			return 0
		else
			echo "Failed to generate RSA key $RSA_KEY!"
			FAIL='1'
			return 1
		fi
	fi
}

do_dsa_keygen() {
	if [ ! -s $DSA_KEY ]; then
		echo -n $"Generating SSH2 DSA host key: "
		rm -f $DSA_KEY
		if test ! -f $DSA_KEY && $KEYGEN -q -t dsa -f $DSA_KEY -C '' -N '' >&/dev/null; then
			chmod 600 $DSA_KEY
			chmod 644 $DSA_KEY.pub
			if [ -x /sbin/restorecon ]; then
			    /sbin/restorecon $DSA_KEY{,.pub}
			fi
			echo "DSA key $DSA_KEY generated."
			return 0
		else
			echo "Failed to generate DSA key $DSA_KEY!"
			FAIL='1'
			return 1
		fi
	fi
}

do_ecdsa_keygen() {
	if [ ! -s $ECDSA_KEY ]; then
		echo -n $"Generating SSH2 ECDSA host key: "
		rm -f $ECDSA_KEY
		if test ! -f $ECDSA_KEY && $KEYGEN -q -t ecdsa -f $ECDSA_KEY -C '' -N '' >&/dev/null; then
			chmod 600 $ECDSA_KEY
			chmod 644 $ECDSA_KEY.pub
			if [ -x /sbin/restorecon ]; then
			    /sbin/restorecon $ECDSA_KEY{,.pub}
			fi
			echo "ECDSA key $ECDSA_KEY generated."
			return 0
		else
			echo "Failed to generate ECDSA key $ECDSA_KEY!"
			FAIL='1'
			return 1
		fi
	fi
}

do_ed25519_keygen() {
	if [ ! -s $ED25519_KEY ]; then
		echo -n $"Generating SSH2 ED25519 host key: "
		rm -f "$ED25519_KEY"
		if test ! -f $ED25519_KEY && $KEYGEN -q -t ed25519 -f $ED25519_KEY -C '' -N '' >&/dev/null; then
			chmod 600 $ED25519_KEY
			chmod 644 $ED25519_KEY.pub
			if [ -x /sbin/restorecon ]; then
			    /sbin/restorecon $ED25519_KEY{,.pub}
			fi
			echo "ED25519 key $ED25519_KEY generated."
			return 0
		else
			echo "Failed to generate ED25519 key $ED25519_KEY!"
			FAIL='1'
			return 1
		fi
	fi
}

if [ "x${AUTOCREATE_SERVER_KEYS}" == "xNO" ]; then
	exit 0
fi

# legacy options
case $AUTOCREATE_SERVER_KEYS in
	NODSA) AUTOCREATE_SERVER_KEYS="RSA ECDSA ED25519";;
	RSAONLY) AUTOCREATE_SERVER_KEYS="RSA";;
	YES) AUTOCREATE_SERVER_KEYS="RSA ECDSA ED25519";;
esac

for KEY in $AUTOCREATE_SERVER_KEYS; do
	case "$KEY" in
		DSA) do_dsa_keygen;;
		RSA) do_rsa_keygen;;
		ECDSA) do_ecdsa_keygen;;
		ED25519) do_ed25519_keygen;;
	esac
done

# not zero return code if any error has ever occured to make systemd service sshd-keygen.service failed in case of any errors
if [ "$FAIL" = '1' ]
	then exit 1
	else exit 0
fi
