openssh/sshd-pre.sh
Jakub Jelen 1d8ffcfe05 Preprocess the configuration files to include crypto policies.
* The services are using ExecPre to start sshd-pre script
 * The sshd-pre script substitutes token in standard configuration file and writes a new on in /run
 * The services are using a file in /run as a sshd_config
2017-08-02 15:46:57 +02:00

32 lines
1.1 KiB
Bash

#!/bin/bash
# simple helper script, which substitutes a token in configuration file with
# system wide crypto policy, if installed. If not, this script just copies the
# configuration file to the runtime file, that will be used by the SSHD daemon.
SSHD_CONFIG="/etc/ssh/sshd_config"
SSHD_CONFIG_RUNTIME="/run/openssh/sshd_config"
CRYPTO_POLICIES="/etc/crypto-policies/back-ends/openssh.config"
if [ ! -f "$CRYPTO_POLICIES" ]; then
# if not installed, copy just the template
# (to overwrite potential old policy)
cat "$SSHD_CONFIG" > "$SSHD_CONFIG_RUNTIME"
else
# do the substitution.
sed -e '/#{INCLUDE_CRYPTO_POLICY}#/ {' -e "r $CRYPTO_POLICIES" -e 'd' -e '}' \
"$SSHD_CONFIG" > "$SSHD_CONFIG_RUNTIME"
fi
# XXX should be taken care of in SELinux somehow
# set reasonable label if it gets the default (do not overwrite fixed)
ls -Z $SSHD_CONFIG_RUNTIME | grep -q var_run_t && chcon -t etc_t $SSHD_CONFIG_RUNTIME
# makes sure we have sane permissions as the original file has.
chmod 600 $SSHD_CONFIG_RUNTIME
# reload the service if requested
if [ "$1" = "reload" ]; then
/bin/kill -HUP $2
fi