#!/bin/sh -e
#
# Univention SSH
#  Create new OpenSSH hosts keys
#
# SPDX-FileCopyrightText: 2004-2025 Univention GmbH
# SPDX-License-Identifier: AGPL-3.0-only

die () {
	echo "For $typ: $*." >&2
	echo "Continuing..."
	continue
}

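# Move the current host keys (private and .pub) into a time-stamped backup
# directory instead of deleting them.  Private key material ends up there,
# so the directory is created 0700 independent of the caller's umask; the
# moved files keep their own modes.  'mv -n' never overwrites an existing
# backup file, and -execdir runs mv from /etc/ssh with the absolute target.
dir="/var/univention-backup/ssh-$(date '+%F_%T')"
echo "Storing backup copy in ${dir}..."
mkdir -p -m 0700 "$dir"
find /etc/ssh -maxdepth 1 -name 'ssh_host*_key*' -execdir mv -t "$dir" -n -v {} +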

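echo "Recreating SSH host keys..."
# One UCR variable per key type, printed as 'sshd/HostKey/<type>: <bits>'.
# The loop body runs in the pipeline's subshell, so nothing assigned in it
# is visible afterwards.  A failing ssh-keygen is reported and skipped
# rather than terminating the script under 'sh -e': the old keys have
# already been moved away, so 'ssh-keygen -A' below must still run to
# leave sshd with a usable key set.
ucr search --brief --non-empty '^sshd/HostKey/[^/]+$' |
while IFS=': ' read -r key bits
do
	typ="${key#sshd/HostKey/}"
	case "$bits" in
	""|0) echo " skipping $typ" ; continue ;;
	esac

	filename="/etc/ssh/ssh_host_${typ}_key"
	# Plausibility checks on the configured key size.  The lower bounds are
	# historical: recent ssh-keygen releases refuse RSA keys below 1024 bits,
	# no longer know rsa1 (SSH protocol 1) and disable DSA by default, so
	# those arms normally end in the ssh-keygen error path below.
	case "$typ" in
	rsa1) filename='/etc/ssh/ssh_host_key'; [ "$bits" -ge 768 ] || die "minimum 768" ;;
	dsa) [ "$bits" -eq 1024 ] || die "only 1024" ;;
	# Ed25519 keys have a fixed length: the configured size is dropped so no
	# -b is passed (ssh-keygen ignores it for this type but rejects a
	# malformed value).  Previously this arm could never generate a key,
	# because an empty size is already filtered out above.
	ed25519) echo " ignoring key size '$bits' for $typ" >&2 ; bits='' ;;
	rsa) [ "$bits" -ge 768 ] || die "minimum 768" ;;
	ecdsa) [ "$bits" -eq 256 ] || [ "$bits" -eq 384 ] || [ "$bits" -eq 521 ] || die "only 256, 384 or 521" ;;
	*) echo "Unknown type: '$typ'" >&2 ; continue ;;
	esac

	echo " generating new host key: $typ..."
	# -N '' : host keys are stored unencrypted.  ${bits:+...} adds '-b <bits>'
	# only when a size is set; the inner quotes keep the value one word.
	ssh-keygen -q -f "$filename" -N '' -t "$typ" ${bits:+-b "$bits"} || die "ssh-keygen failed"
done

# Create every default host key type that is still missing, e.g. a type
# without a UCR setting or one skipped above because of a bad size.
ssh-keygen -A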
