#!/bin/sh
#
# $NetBSD: sshd,v 1.32.2.1 2023/06/21 15:16:17 martin Exp $
#

# PROVIDE: sshd
# REQUIRE: LOGIN

$_rc_subr_loaded . /etc/rc.subr

name="sshd"
rcvar=$name
command="/usr/sbin/${name}"
pidfile="/var/run/${name}.pid"
required_files="/etc/ssh/sshd_config"
extra_commands="check keygen keyregen reload"

sshd_motd_unsafe_keys_warning()
{
(
	umask 022
	T=/etc/_motd
	sed -E '/^-- UNSAFE KEYS WARNING:/,$d' < /etc/motd > $T
	if [ $( sysctl -n kern.entropy.needed ) -ne 0 ]; then
		cat >> $T << _EOF
-- UNSAFE KEYS WARNING:

	The ssh host keys on this machine have been generated with
	not enough entropy configured, so they may be predictable.

	To fix, follow the "Adding entropy" section in the entropy(7)
	man page.  After this machine has enough entropy, re-generate
	the ssh host keys by running:

		/etc/rc.d/sshd keyregen
_EOF
	fi
	cmp -s $T /etc/motd || cp $T /etc/motd
	rm -f $T
)
}

sshd_keygen()
{
(
	keygen="/usr/bin/ssh-keygen"
	umask 022
	new_key_created=false
	while read type bits filename;  do
		f="/etc/ssh/$filename"
		if [ "$1" != "force" ] && [ -f "$f" ]; then
			continue
		fi
		rm -f "$f"
		case "${bits}" in
		-1)	bitarg=;;
		0)	bitarg="${ssh_keygen_flags}";;
		*)	bitarg="-b ${bits}";;
		esac
		"${keygen}" -t "${type}" ${bitarg} -f "${f}" -N '' -q && \
		    printf "ssh-keygen: " && "${keygen}" -f "${f}" -l
		new_key_created=true
	done << _EOF
ecdsa	-1	ssh_host_ecdsa_key
ed25519	-1	ssh_host_ed25519_key
rsa	0	ssh_host_rsa_key
_EOF
	if "${new_key_created}"; then
		sysctl -q kern.entropy.needed && sshd_motd_unsafe_keys_warning
	fi
)
}

sshd_precmd()
{
	run_rc_command keygen
}

sshd_check()
{
	sshd -t
}

sshd_reload_precmd()
{
	run_rc_command check
}

check_cmd=sshd_check
keygen_cmd=sshd_keygen
keyregen_cmd="sshd_keygen force"
reload_precmd=sshd_reload_precmd
start_precmd=sshd_precmd

load_rc_config $name
run_rc_command "$1"