Last active
January 18, 2017 09:29
-
-
Save tetsuyainfra/92df92b80e48bf7b2936264096a5d697 to your computer and use it in GitHub Desktop.
ssh_hosts_keyをチェックするsystemdサービス(修正4回目:外部シェルスクリプトにお願いする)
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ######################### | |
| # debian jessie on vagrant/VM | |
| # sudoedit /etc/systemd/system/create-ssh-host-keys.service | |
| # CHECK: | |
| # systemctl list-unit-files --type=service | grep create | |
| # ENABLE: | |
| # systemctl enable create-ssh-host-keys | |
| # systemctl start create-ssh-host-keys | |
| [Unit] | |
| Description=Create SSH host keys | |
| DefaultDependencies=no | |
| Before=ssh.service | |
| ConditionPathExistsGlob=!/etc/ssh/ssh_host_*_key | |
| [Service] | |
| Type=oneshot | |
| ExecStart=/usr/sbin/create-ssh-host-keys.sh --DOIT | |
| ExecStartPost=/bin/sleep 15s ; service sshd reload | |
| [Install] | |
| WantedBy=multi-user.target |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/sh | |
| ######################### | |
| # This script might REMOVE SSH HOST KEYS | |
| # Original codes are from Debian openssh-server package | |
| # ( openssh_6.7p1-5+deb8u3.debian.tar.xz ) | |
| # License: BSD | |
| # | |
| set -e | |
| umask 022 | |
| get_config_option() { | |
| option="$1" | |
| [ -f /etc/ssh/sshd_config ] || return | |
| # TODO: actually only one '=' allowed after option | |
| perl -lne ' | |
| s/[[:space:]]+/ /g; s/[[:space:]]+$//; | |
| print if s/^[[:space:]]*'"$option"'[[:space:]=]+//i' \ | |
| /etc/ssh/sshd_config | |
| } | |
| host_keys_required() { | |
| hostkeys="$(get_config_option HostKey)" | |
| if [ "$hostkeys" ]; then | |
| echo "$hostkeys" | |
| else | |
| # No HostKey directives at all, so the server picks some | |
| # defaults depending on the setting of Protocol. | |
| protocol="$(get_config_option Protocol)" | |
| [ "$protocol" ] || protocol=1,2 | |
| if echo "$protocol" | grep 1 >/dev/null; then | |
| echo /etc/ssh/ssh_host_key | |
| fi | |
| if echo "$protocol" | grep 2 >/dev/null; then | |
| echo /etc/ssh/ssh_host_rsa_key | |
| echo /etc/ssh/ssh_host_dsa_key | |
| echo /etc/ssh/ssh_host_ecdsa_key | |
| echo /etc/ssh/ssh_host_ed25519_key | |
| fi | |
| fi | |
| } | |
| create_key() { | |
| msg="$1" | |
| shift | |
| hostkeys="$1" | |
| shift | |
| file="$1" | |
| shift | |
| if echo "$hostkeys" | grep -x "$file" >/dev/null && \ | |
| [ ! -f "$file" ] ; then | |
| echo -n $msg | |
| ssh-keygen -q -f "$file" -N '' "$@" | |
| echo | |
| if which restorecon >/dev/null 2>&1; then | |
| restorecon "$file" "$file.pub" | |
| fi | |
| ssh-keygen -l -f "$file.pub" | |
| fi | |
| } | |
| create_keys() { | |
| hostkeys="$(host_keys_required)" | |
| create_key "Creating SSH1 key; this may take some time ..." \ | |
| "$hostkeys" /etc/ssh/ssh_host_key -t rsa1 | |
| create_key "Creating SSH2 RSA key; this may take some time ..." \ | |
| "$hostkeys" /etc/ssh/ssh_host_rsa_key -t rsa | |
| create_key "Creating SSH2 DSA key; this may take some time ..." \ | |
| "$hostkeys" /etc/ssh/ssh_host_dsa_key -t dsa | |
| create_key "Creating SSH2 ECDSA key; this may take some time ..." \ | |
| "$hostkeys" /etc/ssh/ssh_host_ecdsa_key -t ecdsa | |
| create_key "Creating SSH2 ED25519 key; this may take some time ..." \ | |
| "$hostkeys" /etc/ssh/ssh_host_ed25519_key -t ed25519 | |
| } | |
| if [ "--DOIT" = "$1" ]; then | |
| echo "run: ${0}" | |
| create_keys | |
| fi |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment