1d8ffcfe05
* The services are using ExecPre to start sshd-pre script * The sshd-pre script substitutes token in standard configuration file and writes a new one in /run * The services are using a file in /run as a sshd_config
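#!/bin/bash
#
# sshd-pre: simple helper script, which substitutes a token in the sshd
# configuration file with the system wide crypto policy, if installed. If not,
# this script just copies the configuration file to the runtime file, that
# will be used by the SSHD daemon.
#
# Usage: sshd-pre [reload PID]
#   reload PID   after the runtime file has been regenerated, send SIGHUP to
#                PID so the running daemon re-reads its configuration.
#
# Reads:   /etc/ssh/sshd_config
#          /etc/crypto-policies/back-ends/openssh.config (optional)
# Writes:  /run/openssh/sshd_config, mode 0600
# Returns: 0 on success; 1 if the runtime file could not be written, or if
#          the PID given to "reload" is not a positive integer.

SSHD_CONFIG="/etc/ssh/sshd_config"
SSHD_CONFIG_RUNTIME="/run/openssh/sshd_config"
CRYPTO_POLICIES="/etc/crypto-policies/back-ends/openssh.config"

# Create the runtime file with owner-only permissions from the start, so the
# generated configuration is never readable by others in the window between
# the write below and the final chmod.
umask 077

#######################################
# Generate the runtime configuration file.
# Globals:   SSHD_CONFIG, SSHD_CONFIG_RUNTIME, CRYPTO_POLICIES (read)
# Outputs:   writes SSHD_CONFIG_RUNTIME
# Returns:   exit status of cat/sed (non-zero if the file could not be written)
#######################################
write_runtime_config() {
    if [ ! -f "$CRYPTO_POLICIES" ]; then
        # if not installed, copy just the template
        # (to overwrite potential old policy)
        cat "$SSHD_CONFIG" > "$SSHD_CONFIG_RUNTIME"
    else
        # do the substitution: the marker line is replaced by the content of
        # the crypto policy file.
        sed -e '/#{INCLUDE_CRYPTO_POLICY}#/ {' -e "r $CRYPTO_POLICIES" -e 'd' -e '}' \
            "$SSHD_CONFIG" > "$SSHD_CONFIG_RUNTIME"
    fi
}

# A stale or missing runtime file must not go unnoticed: fail here rather than
# relabel/reload whatever happened to be there before.
if ! write_runtime_config; then
    printf '%s: failed to write %s\n' "${0##*/}" "$SSHD_CONFIG_RUNTIME" >&2
    exit 1
fi

# XXX should be taken care of in SELinux somehow
# set reasonable label if it gets the default (do not overwrite fixed)
if ls -Z "$SSHD_CONFIG_RUNTIME" | grep -q var_run_t; then
    chcon -t etc_t "$SSHD_CONFIG_RUNTIME"
fi

# makes sure we have sane permissions as the original file has
# (also covers a pre-existing runtime file, which the umask does not affect).
chmod 600 "$SSHD_CONFIG_RUNTIME"

# reload the service if requested; only a plain positive PID is accepted so
# that an empty or malformed argument cannot turn into a signal to a process
# group (0 / negative values) or a usage error from kill.
if [ "$1" = "reload" ]; then
    if ! [[ "$2" =~ ^[1-9][0-9]*$ ]]; then
        printf '%s: reload requires a numeric PID, got "%s"\n' "${0##*/}" "$2" >&2
        exit 1
    fi
    /bin/kill -HUP "$2"
fi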