#!/bin/sh -e
#
# Univention SSH
#  Create new OpenSSH hosts keys
#
# Like what you see? Join us!
# https://www.univention.com/about-us/careers/vacancies/
#
# Copyright 2004-2023 Univention GmbH
#
# https://www.univention.de/
#
# All rights reserved.
#
# The source code of this program is made available
# under the terms of the GNU Affero General Public License version 3
# (GNU AGPL V3) as published by the Free Software Foundation.
#
# Binary versions of this program provided by Univention to you as
# well as other copyrighted, protected or trademarked materials like
# Logos, graphics, fonts, specific documentations and configurations,
# cryptographic keys etc. are subject to a license agreement between
# you and Univention and not subject to the GNU AGPL V3.
#
# In the case you use this program under the terms of the GNU AGPL V3,
# the program is provided in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU Affero General Public License for more details.
#
# You should have received a copy of the GNU Affero General Public
# License with the Debian GNU/Linux or Univention distribution in file
# /usr/share/common-licenses/AGPL-3; if not, see
# <https://www.gnu.org/licenses/>.

die () {
	echo "For $typ: $*." >&2
	echo "Continuing..."
	continue
}

dir="/var/univention-backup/ssh-$(date '+%F_%T')"
echo "Storing backup copy in ${dir}..."
mkdir -p "$dir"
find /etc/ssh -maxdepth 1 -name 'ssh_host*_key*' -execdir mv -t "$dir" -n -v {} +

echo "Recreating SSH host keys..."
ucr search --brief --non-empty '^sshd/HostKey/[^/]+$' |
while IFS=': ' read key bits
do
	typ="${key#sshd/HostKey/}"
	case "$bits" in
	""|0) echo " skipping $typ" ; continue ;;
	esac

	filename="/etc/ssh/ssh_host_${typ}_key"
	case "$typ" in
	rsa1) filename='/etc/ssh/ssh_host_key'; [ "$bits" -ge 768 ] || die "minimum 768" ;;
	dsa) [ "$bits" -eq 1024 ] || die "only 1024" ;;
	ed25519) [ -z "$bits" ] || die "ignored" ;;
	rsa) [ "$bits" -ge 768 ] || die "minimum 768" ;;
	ecdsa) [ "$bits" -eq 256 ] || [ "$bits" -eq 384 ] || [ "$bits" -eq 521 ] || die "only 256, 384 or 521" ;;
	*) echo "Unknown type: '$typ'" >&2 ; continue ;;
	esac

	echo " generating new host key: $typ..."
	ssh-keygen -q -f "$filename" -N '' -t "$typ" -b "$bits"
done

ssh-keygen -A
