#!/bin/sh
#
#    Copyright (c) 2006-2008 Brocade Communications Systems, Inc.
#    All rights reserved.
#
#    File name:   secInternalScript
#    Module name: fabos/src/security/ecInternalScript.sh
#
#    This script contains the internal options for various script/binaries.
#
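export PATH=/fabos/sbin:/fabos/bin:/bin:/usr/bin:/sbin:/fabos/cliexec
export OPENSSL_CONF=/etc/fabos/openssl.cnf

############################
# commands
############################
# Absolute paths of the external tools used throughout this file.  Every
# name is assigned exactly once; GREP resolves to /fabos/bin/grep (the value
# the rest of the file relied on, since a later assignment always won).
MV="/bin/mv"
MKDIR="/bin/mkdir"
TOUCH="/bin/touch"
CP="/bin/cp"
RM=/bin/rm
LS=/bin/ls
LL="/bin/ls -l"
CUT="/usr/bin/cut"
EXPR="/fabos/bin/expr"
HOSTNAME="/bin/hostname"
WWN="/fabos/bin/wwn"
SED="/bin/sed"
AWK="/bin/awk"
GREP=/fabos/bin/grep
CAT=/bin/cat
TR=/usr/bin/tr
XARGS=/usr/bin/xargs
OPENSSL_CMD=/usr/bin/openssl
SSHD=/usr/sbin/sshd
HASHOW=/fabos/sbin/hashow
PS="/bin/ps"
ECHO="/bin/echo"
# GEPS_APP_NAME is supplied by the environment that invokes this script, not
# by this file; a non-empty value changes a few branches below (setcontext,
# the delcert command).
restCaller=${GEPS_APP_NAME-}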

###########################
#Variables
###########################
switchIPv6=0

# File locations and suffixes
ROOT_DIR=/etc/fabos
CERT_DIR="$ROOT_DIR/certs/sw0"
CMM_DIR="$ROOT_DIR/certs/cmm"
CSR_SUFFIX=.csr
PSK_SUFFIX=.psk
CAP_PPH_SUFFIX=.pp
PVT_KEY=pvt_key
PVT_KEY_FILE="$CERT_DIR/$PVT_KEY"
CONFIG_FILE="$ROOT_DIR/openssl.cnf"
CSR_GEN_INFO=/tmp/csr_gen_info
DSA_PARAMS_FILE=dsaparam.pem

##############################
# Internal Command options
##############################
# The first argument of the script (lower-cased) is matched against these.
CERT_FIPS_COMPL=fips_compl
UPDATE_ALLOWED_LOGIN=updateallowedlogin
DEL_USR_PUBKEY=delusrpubkey
DEL_HOST_KEY=deletehostkey
SSH_HOSTKEY_SIZE_CHECK=hostkeysizecheck
ZEROIZE_KNOWN_HOST=zeroizeknownhost
FACTORY_RESET_SESS=factoryreset
DEL_CERTIFICATES=delcert

# User key material
PRIVKEY_DIR=/root/.ssh
PRIVKEY_FILE_OLD=id_dsa
PRIVKEY_FILE=id_rsa
IMPORT_PUBKEY_DIR=/fabos/users/admin/.ssh
IMPORT_PUBKEY_FILE=authorized_keys

# Host key material (MNT_* is the copy on the secondary partition)
HOST_KEY_DIR=/etc
MNT_HOST_KEY_DIR=/mnt/etc
HOST_DSA_KEY=ssh_host_dsa_key
HOST_RSA_KEY=ssh_host_rsa_key
HOST_ECDSA_KEY=ssh_host_ecdsa_key
PUB_SUFFIX=.pub

#SSHD config file
SSHD_CONFIG=/etc/sshd_config
SSHD=/usr/sbin/sshd

# local variables for convenience
CERT_FILE=certificate
CSR_FILE=CSR
# NOTE(review): switchIp is not assigned anywhere in this file, so unless the
# caller exports it this expands to "$CERT_DIR/.csr" - confirm against caller.
CSR_FILE_PATH="$CERT_DIR/$switchIp$CSR_SUFFIX"
FILE_NAME="file_name"
fileType=
userInput=
response=
country=
state=
cn=
cmmCertFile=
userName=
password1=
WEBDHANDLER=/fabos/libexec/webdcfghandler
WEBLNOTIFY=/fabos/libexec/weblnotify
# configuration keys consulted/reset by resetSSLState and fips_compl
HTTPCONFIG=http.ssl.enabled
CERTCONFIG=ssl.certfile
ROOTCERTCONFIG=ssl.root.certfile
DEFAULTROOTCERTCONFIG="none"
CERT_DELE=delete

# LDAP definitions
LDAP_DIR="$ROOT_DIR/certs/ldap"
LDAP_CACERT_FILE=swLdapca.pem
LDAP_SWCERT_FILE=swLdapcert.pem

#RADIUS definitions
RADIUS_DIR="$ROOT_DIR/certs/radius"
RADIUS_CACERT_FILE=swRadca.pem
RADIUS_SWCERT_FILE=swRadcert.pem

#Extn definitions
EXTN_DIR="$ROOT_DIR/certs/extn"

#Kafka definitions
KAFKA_DIR="$ROOT_DIR/certs/kafka"

# ASC CA definitions
ASC=asc
ASC_DIR=/etc/fabos/certs/asc
ASC_DIR_CACERT_CURL="$ASC_DIR/curl"
ASC_DIR_CACERT_CURL_MNT=/mnt/etc/fabos/certs/asc/curl
ASC_CACERT_FILE=cacert.pem
ASC_CACERT_ACT_FILE=ca-active.pem

# To be changed based on what password to use or to read from file
# instead of stdin
# Generated on every invocation, whichever command is requested; nothing
# else in this file reads it.
RANDOM_NUMBER=$($OPENSSL_CMD rand -base64 16)

# FCAP definitions
FCAP_DIR="$ROOT_DIR/pki/tp"
FCAP_CACERT_FILE=switch.0.rootcrt
FCAP_SWCERT_FILE=switch.0.crt
FCAP_SWCSR_FILE=switch.0.csr
FCAP_SWPPH_FILE=switch.0.pp
FCAP_SWPRVKEY_FILE=switch.0.key
FCAP_CERT_CONF_FILE=cert.conf
FCAP_TOUCH_FILE=fcap.cert

# SYSLOG CA definitions (the _MNT directory is the secondary-partition copy)
SYSLOG_DIR=/etc/syslog-ng/ca.d
SYSLOG_DIR_MNT=/mnt/etc/syslog-ng/ca.d
SYSLOG_CACERT_FILE=ca.pem
SYSLOG_SWCERT_FILE=syslogswcert.pem
SYSLOG_LINK_HASH=syslog_link_hash

# Known host definitions
# Relative path: the zeroizeknownhost command acts on .ssh/known_hosts under
# the current working directory of whoever runs it.
KNOWN_HOST_DIR=.ssh
KNOWN_HOST_FILE=known_hosts

#Factory Reset definitions
# Fixed scratch-file path used by get_session_list and get_shell_pid.
LOC_FILE=/tmp/factory_reset

#Exit for trapped signals
trap 'exit 1' INT


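############################################
# Internal Functions and Processing
############################################
# Current "AllowedLogin" user read from the sshd config, whitespace-trimmed.
# sshdAllowUserUpdate substitutes this value inside a sed expression, so it
# is what that function replaces.  Empty when the file is unreadable or has
# no such directive.  (Reading the file directly also avoids "cat" blocking
# on stdin when SSHD_CONFIG happens to be empty.)
allowlogin=
if [ -r "$SSHD_CONFIG" ]; then
	allowlogin=$(grep -i "AllowedLogin" "$SSHD_CONFIG" | grep -v "#" | cut -d" " -f2)
fi
# Normalise whitespace by word-splitting and re-joining with single spaces
# (what the former unquoted "echo" achieved; ${var#$spaces} only stripped
# the leading end).  Splitting is intentional here.
# shellcheck disable=SC2086
allowlogin=$(printf '%s ' $allowlogin)
allowlogin=${allowlogin% }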

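#######################################
# Replace the current AllowedLogin user in $SSHD_CONFIG with $1, persist the
# file and restart sshd so the new value takes effect.
# Globals:   SSHD_CONFIG, allowlogin, SSHD, GREP, AWK (read)
# Arguments: $1 - user name to allow (callers in this file pass "admin").
#            Neither $1 nor $allowlogin is escaped for sed, so only a plain
#            user name (no "/" or regex metacharacters) is safe here.
# Returns:   1 if the config could not be rewritten, otherwise sshd's status
#######################################
sshdAllowUserUpdate() {
	# private scratch file instead of a fixed "tmp" in the current directory
	tmp=$(mktemp /tmp/sshd_config.XXXXXX) || return 1
	# sed writes a copy which is then cat'ed back, so the inode, owner and
	# mode of $SSHD_CONFIG are preserved (a plain mv would replace them).
	if ! sed "/AllowedLogin/s/$allowlogin/$1/" "$SSHD_CONFIG" > "$tmp"; then
		rm -f -- "$tmp"
		return 1
	fi
	cat -- "$tmp" > "$SSHD_CONFIG"
	rm -f -- "$tmp"
	config save "$SSHD_CONFIG"

	# Restart sshd: pick the listener, not the "sshd: user" session
	# processes and not the sed/grep commands of this very script.
	pid=$(ps -ef | $GREP "sshd" | $GREP -v "sshd:" | \
		$GREP -v "sshd_config" | $GREP -v grep | $AWK '{print $2}')
	if [ -n "$pid" ]; then
		# $pid may hold several pids, one per line; splitting is wanted
		# shellcheck disable=SC2086
		kill $pid
	fi
	$SSHD
}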

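#######################################
# Remove the imported SSH public keys of one user and rebuild the
# authorizedKeys.tar bundle.  Invoked by the delusrpubkey command.
# Globals:   IMPORT_PUBKEY_DIR, IMPORT_PUBKEY_FILE, allowlogin (read);
#            MNT_IMPORT_PUBKEY_DIR (read; not defined in this file)
# Arguments: $1 - caller tag; "DEL_USR_PUBKEY" also resets AllowedLogin
#            $2 - user name whose keys are removed
# Returns:   1 when $2 is empty, 0 otherwise
#######################################
delUsrPubKeyFile() {
	# An empty user would collapse the paths below onto the shared
	# authorized_keys file and the directory itself, so refuse it.
	[ -n "$2" ] || return 1
	keyfile="$IMPORT_PUBKEY_DIR/$IMPORT_PUBKEY_FILE.$2"

	# Blank, then unlink, the user's key file.
	cat /dev/null > "$keyfile"
	rm -f -- "$keyfile"

	# Same on the secondary partition of the active CP.  MNT_IMPORT_PUBKEY_DIR
	# is not set anywhere in this file; without the guard an unset value
	# would resolve to "/authorized_keys.<user>" in the root directory.
	if [ -n "$MNT_IMPORT_PUBKEY_DIR" ]; then
		cat /dev/null > "$MNT_IMPORT_PUBKEY_DIR/$IMPORT_PUBKEY_FILE.$2"
		rm -f -- "$MNT_IMPORT_PUBKEY_DIR/$IMPORT_PUBKEY_FILE.$2"
	fi

	if [ "$2" = "$allowlogin" ]; then
		# The removed user was the AllowedLogin user: blank the active
		# key file and, when called from "userconfig", fall back to admin.
		cat /dev/null > "$IMPORT_PUBKEY_DIR/$IMPORT_PUBKEY_FILE"
		if [ "$1" = DEL_USR_PUBKEY ]; then
			if [ -f "$IMPORT_PUBKEY_DIR/$IMPORT_PUBKEY_FILE.admin" ]; then
				cp -- "$IMPORT_PUBKEY_DIR/$IMPORT_PUBKEY_FILE.admin" \
					"$IMPORT_PUBKEY_DIR/$IMPORT_PUBKEY_FILE"
			fi
			sshdAllowUserUpdate admin
		fi
		config save "$IMPORT_PUBKEY_DIR/$IMPORT_PUBKEY_FILE"
	fi

	# Rebuild authorizedKeys.tar from the per-user files that remain; when
	# none remain the bundle is blanked rather than removed.
	found=0
	for f in "$IMPORT_PUBKEY_DIR/$IMPORT_PUBKEY_FILE".*; do
		if [ -e "$f" ]; then
			found=1
			break
		fi
	done
	if [ "$found" -eq 1 ]; then
		# subshell keeps the directory change local to the tar call
		( cd "$IMPORT_PUBKEY_DIR" && tar -cf authorizedKeys.tar "$IMPORT_PUBKEY_FILE".* )
	elif [ -f "$IMPORT_PUBKEY_DIR/authorizedKeys.tar" ]; then
		cat /dev/null > "$IMPORT_PUBKEY_DIR/authorizedKeys.tar"
	fi

	config save "$IMPORT_PUBKEY_DIR/authorizedKeys.tar"
	return 0
}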

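#######################################
# Check every PEM certificate in a file against the profile this script
# enforces: the openssl text dump must contain a "Key" line mentioning 2048
# and a "Signature Algorithm" line mentioning sha256.  The match is purely
# textual, so a key larger than 2048 bits is also reported as non-compliant.
# One message per failing property is printed on stdout.
# Globals:   OPENSSL_CMD (read)
# Arguments: $1 - path of a PEM file holding one or more certificates
#            $2 - human-readable name of the file, used in the messages
# Returns:   0 if every certificate passes, 1 otherwise (also 1 when the
#            scratch directory cannot be created)
#######################################
caCertComplTest() {
	ret=0
	# Split the bundle into one scratch file per certificate: a new chunk
	# starts after every line containing "END".  Scratch files live in a
	# private mktemp directory rather than the current directory.
	workdir=$(mktemp -d /tmp/fips_compl.XXXXXX) || return 1
	i=1
	# "|| [ -n "$line" ]" keeps a final line that has no trailing newline
	while IFS= read -r line || [ -n "$line" ]; do
		printf '%s\n' "$line" >> "$workdir/tmp_fips_$i"
		case "$line" in
			*END*) i=$((i + 1)) ;;
		esac
	done < "$1"

	j=1
	while [ "$j" -lt "$i" ]; do
		chunk="$workdir/tmp_fips_$j"
		if ! $OPENSSL_CMD x509 -in "$chunk" -text -noout | \
			grep "Key" | grep 2048 > /dev/null 2>&1; then
			echo "Key size of $2 is not 2048 bits"
			ret=1
		fi
		if ! $OPENSSL_CMD x509 -in "$chunk" -text -noout | \
			grep "Signature Algorithm" | grep sha256 > /dev/null 2>&1; then
			echo "Signature Algorithm used in $2 is not Sha256"
			ret=1
		fi
		j=$((j + 1))
	done
	rm -rf -- "$workdir" > /dev/null 2>&1
	return $ret
}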

#######################################
# Snapshot the logged-in sessions reported by "w -f" into parallel arrays,
# one element per session row.  kill_session reads t_a (the tty column);
# the other arrays hold the remaining columns of the "w" output and are not
# read elsewhere in this file.
# Globals:   LOC_FILE (scratch file, overwritten); SessionsCount and the
#            u_a/t_a/f_a/l_a/i_a/j_a/p_a/c_a arrays (written)
# Arguments: none
# Note:      typeset -i and array element reads are bash/ksh extensions,
#            not POSIX sh.  LOC_FILE is a fixed name under /tmp rather than
#            a mktemp file, so another local user could pre-create it;
#            mktemp would avoid that.
#######################################
get_session_list()
{
	SessionsCount=0
	typeset -i i=0
	/usr/bin/w -f > ${LOC_FILE}

	{
		# the first two lines of "w" output are the uptime banner and the
		# column header; every line after that is one session
		read uptime_details
		read column_headers
		while read u_a[$i] t_a[$i] f_a[$i] l_a[$i] i_a[$i] j_a[$i] p_a[$i] c_a[$i]
		do
			i=i+1	# arithmetic assignment, valid because i is typeset -i
		done
	} < ${LOC_FILE}
	SessionsCount=$i
}

#######################################
# Find the pid of the login shell attached to a pty.  fuser lists every
# process holding the device; the first one named "sh" whose parent is
# in.telnetd, sshd or login is returned, so that some other "sh" on the
# same tty is not mistaken for the session shell and killed instead.
# Globals:   LOC_FILE (scratch file, overwritten), CAT, GREP, CUT, TR,
#            XARGS (read)
# Arguments: $1 - device node, e.g. /dev/pts/N
# Outputs:   the pid on stdout, or -1 when no matching shell was found
# Note:      [[ ]] is a bash/ksh construct.  $pname is deliberately left
#            unquoted in the [ ] test: "cut -f2" keeps the whitespace that
#            follows "Name:" in /proc/<pid>/status and word splitting is
#            what strips it; quoting $pname would break the comparison.
#######################################
get_shell_pid()
{
	devptsnode=$1
	sh_pid=-1
	/sbin/fuser -v $devptsnode > ${LOC_FILE} 2>/dev/null
	for pid in $($CAT ${LOC_FILE})
	do
		if [[ ! -z $pid ]]
		then
			pname=`$CAT "/proc/$pid/status" | $GREP "Name:" | $CUT -d ':' -s -f2`
			if [ $pname == "sh" ]
			then
				# Make sure parent of shell is either sshd or telnet to get. Otherwise,
				# will end up in killing wrong process
				ppid=`$CAT /proc/$pid/status | $GREP "PPid:" | $CUT -d ':' -s -f2 | $TR -s " " | $XARGS`
				ppname=`$CAT /proc/$ppid/status | $GREP "Name:" | $CUT -d ':' -s -f2 | $TR -s " " | $XARGS`
				if [[ $ppname == "in.telnetd" || $ppname == "sshd" || $ppname == "login" ]]
				then
					sh_pid=$pid
					break
				fi
			fi
		fi
	done
	# -1 is the "not found" marker kill_session tests for
	echo $sh_pid

}

#######################################
# Terminate every session collected by get_session_list except the one
# running this command.  The session shell located by get_shell_pid gets
# SIGKILL; when no shell is found, every process on the tty is killed
# through fuser instead.
# Globals:   SessionsCount, t_a[] (from get_session_list) and cur_term
#            (set by the factoryreset command) - all read
# Arguments: none
# Note:      SIGKILL is sent directly, so the shells cannot clean up.
#            cur_term is compared unquoted: if it is empty the [ ] test
#            errors out (non-zero) and every session is skipped.
#######################################
kill_session()
{
	typeset -i i=0
	while [ $i -lt "$SessionsCount" ]
	do
		# never kill the tty this command itself runs on
		if [ ${t_a[i]} != $cur_term ]
		then
			devptsnode="/dev/${t_a[i]}"
			sh_pid=`get_shell_pid $devptsnode`
			if [ $sh_pid != -1 ]
			then
				/bin/kill -9 $sh_pid 1>/dev/null 2>&1
			else
				# no identifiable login shell: kill everything on the device
				/sbin/fuser -k -9 $devptsnode 1>/dev/null 2>&1
			fi
		fi
		i=i+1
	done
}

#######################################
# Look up a virtual-fabric id through lscfg_util, reached via a temporary
# /fabos/link_sbin/lscfg_test symlink that is created before and removed
# after the query.
# Globals:   GREP (read); DEFAULT_SW_FID, VID_TEMP (written);
#            VF_ENABLED (set to 0 when VF is not enabled)
# Arguments: $1 - "default" for the default switch fid, "logical" for the
#                 fid of the current context (taken from CURRENT_VF)
# Returns:   the fid as the exit status; 0 when VF is not enabled or $1 is
#            neither keyword
#######################################
getSwichId() {
	DEFAULT_SW_FID=128
	VID_TEMP=0

	[ -e /fabos/link_sbin/lscfg_test ] || \
		/bin/ln -s /fabos/cliexec/lscfg_util /fabos/link_sbin/lscfg_test 2> /dev/null

	if [ "$(lscfg_test --vf_enabled 2> /dev/null)" = 'VF is enabled.' ]; then
		case "$1" in
			default) VID_TEMP=$(lscfg_test --fid 0 2> /dev/null) ;;
			logical) VID_TEMP=$(printenv | $GREP CURRENT_VF | cut -d"=" -f2) ;;
		esac
	else
		VF_ENABLED=0
	fi

	[ -e /fabos/link_sbin/lscfg_test ] && $RM /fabos/link_sbin/lscfg_test 2> /dev/null

	return $VID_TEMP
}

#######################################
# Enter the context of switch $1 (or the chassis) by eval'ing the variable
# assignments that lscfg_util prints, then force ROLE_ID=root.
# Globals:   restCaller, RM (read); ROLE_ID (exported); plus whatever
#            variables lscfg_util's output assigns
# Arguments: $1 - switch/fid number, or the literal "chassis"
# Note:      eval runs lscfg_util's stdout as shell code and $1 is spliced
#            unquoted into that command line, so this must only be called
#            with values produced by getSwichId or a literal, never with
#            user-supplied input.
#######################################
setcontext()
{
	if [ "$1" != "chassis" ]; then
		# 261476: in case set_switch_env() return code is -1
		SW_CONTEXT_RC=`/fabos/cliexec/lscfg_util --switch $1 2> /dev/null`
		if [[ ! -z $restCaller ]] && [[ "$SW_CONTEXT_RC" == -1 ]]; then
			# restCaller set and lscfg_util answered -1: retry through the
			# temporary lscfg_test symlink to the same binary
			if [ ! -e /fabos/link_sbin/lscfg_test ]; then
				/bin/ln -s /fabos/cliexec/lscfg_util /fabos/link_sbin/lscfg_test 2> /dev/null
			fi
			eval $(lscfg_test --switch $1 2> /dev/null)
			if [ -e /fabos/link_sbin/lscfg_test ]; then
				$RM /fabos/link_sbin/lscfg_test 2> /dev/null
			fi
		else
			eval $(/fabos/cliexec/lscfg_util --switch $1 2> /dev/null)
		fi
	else
		eval $(/fabos/cliexec/lscfg_util --chassis 2> /dev/null)
	fi

	export ROLE_ID=root
}

#######################################
# When virtual fabrics are enabled, switch into the default switch context
# and remember the caller's fid in VID so it can be restored afterwards.
# Globals:   VID (written: current logical fid, 0 when VF is disabled),
#            DEFAULT_VID (written)
# Arguments: none
#######################################
setDefaultContext() {
	getSwichId "logical"
	VID=$?
	# fid 0 means VF is not enabled: nothing to switch
	[ $VID = 0 ] && return 0
	getSwichId "default"
	DEFAULT_VID=$?
	setcontext $DEFAULT_VID
}

#######################################
# Persist every FCAP artefact, then the FCAP directory itself, with
# "config save".
# Globals:   FCAP_DIR and the FCAP_*_FILE names (read)
# Arguments: none
# Returns:   0
#######################################
syncUpFCAP() {
	for f in "$FCAP_SWCERT_FILE" "$FCAP_CACERT_FILE" "$FCAP_SWCSR_FILE" \
		"$FCAP_SWPPH_FILE" "$FCAP_SWPRVKEY_FILE" "$FCAP_TOUCH_FILE" \
		"$FCAP_CERT_CONF_FILE"; do
		/fabos/cliexec/config save $FCAP_DIR/$f
	done
	/fabos/cliexec/config save $FCAP_DIR
	return 0
}

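#######################################
# Overwrite each named file with zeros, truncate it to zero length and
# persist the result with "config save".  Paths that do not exist are
# skipped.
# Arguments: one or more file paths
# Returns:   0
#######################################
zeroizeFiles() {
	for i in "$@"; do
		[ -e "$i" ] || continue
		# byte count taken from the file itself instead of parsing "ls -la";
		# the arithmetic expansion also strips any padding wc prints
		size=$(( $(wc -c < "$i" 2> /dev/null) ))
		# bs=1 writes exactly $size zero bytes over the existing content
		/bin/dd if=/dev/zero of="$i" bs=1 count="$size" 2> /dev/null
		: > "$i"
		/fabos/cliexec/config save "$i"
	done
	return 0
}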

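#######################################
# Overwrite each named path with zeros, remove it (recursively, so a
# directory argument is removed as well) and persist the removal with
# "config save".  Paths that do not exist are skipped.
# Arguments: one or more paths
# Returns:   0
#######################################
deleteFiles() {
	for i in "$@"; do
		[ -e "$i" ] || continue
		# byte count taken from the file itself instead of parsing "ls -la";
		# the arithmetic expansion also strips any padding wc prints
		size=$(( $(wc -c < "$i" 2> /dev/null) ))
		/bin/dd if=/dev/zero of="$i" bs=1 count="$size" 2> /dev/null
		rm -rf -- "$i" > /dev/null
		/fabos/cliexec/config save "$i"
	done
	return 0
}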

#######################################
# Forget the configured CA and switch certificate names and, if HTTPS is
# currently enabled, switch it off and tell the web daemon.
# Globals:   ROOTCERTCONFIG, CERTCONFIG, HTTPCONFIG, WEBDHANDLER (read);
#            isHttpsEnabled (written)
# Arguments: none
#######################################
resetSSLState() {
	/fabos/cliexec/config set $ROOTCERTCONFIG 5 none
	/fabos/cliexec/config set $CERTCONFIG 5 none
	# The HTTPS flag is only touched when it is currently on.
	isHttpsEnabled=$(/fabos/cliexec/config get $HTTPCONFIG 1)
	case "$isHttpsEnabled" in
		1)
			# reset secure protocols, overwrite previous value
			/fabos/cliexec/config set $HTTPCONFIG 1 0
			# notify secure apps
			$WEBDHANDLER $HTTPCONFIG:0
			;;
	esac
	/fabos/cliexec/config update
}

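#######################################
# Zero, remove and "config save" every entry directly under a directory
# (dot-files are not matched, the same as the former "ls $dir/*").
# Each entry is passed to deleteFiles once; the earlier loop passed the
# whole list on every iteration and relied on parsing ls output.
# Globals:   none
# Arguments: $1 - directory to empty; an empty value is rejected so the
#                 glob can never degrade to "/*"
# Returns:   1 when $1 is empty, 0 otherwise
#######################################
cleanup_certs()
{
	dir=$1
	[ -n "$dir" ] || return 1
	for i in "$dir"/*; do
		# an unmatched glob is left as the literal pattern; skip that case
		[ -e "$i" ] || continue
		deleteFiles "$i"
	done
	return 0
}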

#######################################
# Remove every RADIUS certificate/key and persist the emptied directory.
# Globals:   RADIUS_DIR (read)
# Arguments: none
#######################################
cleanup_radius_certs()
{
	printf '%s\n' "Removing all Radius Keys/Certificates"
	cleanup_certs "$RADIUS_DIR"
	/fabos/cliexec/config save "$RADIUS_DIR"
}

#######################################
# Remove every LDAP certificate/key and persist the emptied directory.
# Globals:   LDAP_DIR (read)
# Arguments: none
#######################################
cleanup_ldap_certs()
{
	printf '%s\n' "Removing all LDAP Keys/Certificates"
	cleanup_certs "$LDAP_DIR"
	/fabos/cliexec/config save "$LDAP_DIR"
}

#######################################
# Remove every IP-extension certificate/key and persist the emptied directory.
# Globals:   EXTN_DIR (read)
# Arguments: none
#######################################
cleanup_extn_certs()
{
	printf '%s\n' "Removing all IP-extension Keys/Certificates"
	cleanup_certs "$EXTN_DIR"
	/fabos/cliexec/config save "$EXTN_DIR"
}

#######################################
# Remove every Kafka certificate/key and persist the emptied directory.
# Globals:   KAFKA_DIR (read)
# Arguments: none
#######################################
cleanup_kafka_certs()
{
	printf '%s\n' "Removing all Kafka Keys/Certificates"
	cleanup_certs "$KAFKA_DIR"
	/fabos/cliexec/config save "$KAFKA_DIR"
}

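#######################################
# Remove the ASC CA certificate and its curl-side copies (primary and
# secondary partition), persist the directories and notify the web layer.
# Globals:   ASC_DIR, ASC_DIR_CACERT_CURL, ASC_DIR_CACERT_CURL_MNT,
#            ASC_CACERT_FILE, ASC_CACERT_ACT_FILE, WEBLNOTIFY, ASC,
#            CERT_DELE (read)
# Arguments: none
#######################################
cleanup_asc_certs()
{
	printf '%s\n' "Removing all ASC Keys/Certificates"
	# deleteFiles treats every argument as a path to zero and remove, so
	# only the three certificate paths are passed - no extra literal such
	# as "0", which would have acted on a file of that name in the cwd.
	deleteFiles "$ASC_DIR/$ASC_CACERT_FILE" \
		"$ASC_DIR_CACERT_CURL/$ASC_CACERT_ACT_FILE" \
		"$ASC_DIR_CACERT_CURL_MNT/$ASC_CACERT_ACT_FILE"

	/fabos/cliexec/config save $ASC_DIR
	/fabos/cliexec/config save $ASC_DIR_CACERT_CURL
	/fabos/cliexec/config update

	$WEBLNOTIFY $ASC:$CERT_DELE
}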

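#######################################
# Remove every syslog-ng certificate/key from the primary directory, wipe
# the secondary-partition mirror and persist the emptied directory.
# Globals:   SYSLOG_DIR, SYSLOG_DIR_MNT, RM (read)
# Arguments: none
#######################################
cleanup_syslog_certs()
{
	printf '%s\n' "Removing all Syslog-ng Keys/Certificates"
	cleanup_certs "$SYSLOG_DIR"
	# The mirror is simply wiped, not zeroed.  ":?" aborts if
	# SYSLOG_DIR_MNT were ever empty, so the glob cannot degrade to "/*".
	$RM -rf "${SYSLOG_DIR_MNT:?}"/* 2> /dev/null
	/fabos/cliexec/config save "$SYSLOG_DIR"
}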

#######################################
# Remove the HTTPS switch/CA certificates from the default switch context,
# reset the SSL configuration and return to the caller's context.
# Globals:   CERT_DIR (read); VID (set by setDefaultContext, read here)
# Arguments: none
#######################################
cleanup_https_certs()
{
	printf '%s\n' "Removing all HTTPS Keys/Certificates"
	setDefaultContext
	cleanup_certs "$CERT_DIR"
	resetSSLState
	/fabos/cliexec/config save "$CERT_DIR"
	# VID is left unquoted on purpose: an unset VID makes the test fail
	# (and skip the restore) instead of calling setcontext with no fid.
	[ $VID != 0 ] && setcontext $VID
	return 0
}

#######################################
# Remove the FCAP PKI material through pkiremove, reset cert.conf to
# "ROOT_CA_CERTIFICATES:0", zero the fcap.cert marker and persist it all,
# then return to the caller's context.
# Globals:   FCAP_DIR, FCAP_CERT_CONF_FILE, FCAP_TOUCH_FILE (read);
#            VID (set by setDefaultContext, read here)
# Arguments: none
#######################################
cleanup_fcap_certs()
{
	printf '%s\n' "Removing all FCAP Keys/Certificates"
	setDefaultContext

	# /usr/bin/yes | /fabos/cliexec/pkiremove --fcap	> /dev/null 2>&1
	# TR000327481 above 'yes' bin was running infinitely
	# after pkiremove exits. So replaced with ECHO cmd.
	$ECHO "y" | /fabos/cliexec/pkiremove --fcap > /dev/null 2>&1
	# the redirection truncates cert.conf before the single line is written
	$ECHO "ROOT_CA_CERTIFICATES:0" > $FCAP_DIR/$FCAP_CERT_CONF_FILE
	zeroizeFiles $FCAP_DIR/$FCAP_TOUCH_FILE
	syncUpFCAP
	# VID is left unquoted on purpose: an unset VID makes the test fail
	# (and skip the restore) instead of calling setcontext with no fid.
	[ $VID != 0 ] && setcontext $VID
	return 0
}

################################################
#	MAIN EXECUTION AND CASE FOR COMMANDS 
################################################
# convert option to all lower case
# ($1 is expanded unquoted, so surrounding whitespace is dropped; the
# lower-cased word is matched against the Internal Command options above)
cmd_option=`echo $1 | tr "[:upper:]" "[:lower:]"`
case "$cmd_option" in
$CERT_FIPS_COMPL )
	# fips_compl: run caCertComplTest over every deployed CA/switch
	# certificate that exists.  All checks run regardless of earlier
	# failures; the exit status is 1 if any of them failed, else 0.
	fips_compl_ret=0
	# check for ldap ca and switch certificate compliance
	if [ -e "$LDAP_DIR/$LDAP_CACERT_FILE" ]; then
		caCertComplTest "$LDAP_DIR/$LDAP_CACERT_FILE" \
			"LDAP CA certificate"
		temp=$?
		if [ $temp -ne 0 ];then
			fips_compl_ret=$temp
		fi
	fi

    if [ -e "$LDAP_DIR/$LDAP_SWCERT_FILE" ]; then
        caCertComplTest "$LDAP_DIR/$LDAP_SWCERT_FILE" \
            "LDAP switch certificate"
        temp=$?
        if [ $temp -ne 0 ];then
            fips_compl_ret=$temp
        fi
    fi

    # check for radius ca and sw certificate compliance
    if [ -e "$RADIUS_DIR/$RADIUS_CACERT_FILE" ]; then
        caCertComplTest "$RADIUS_DIR/$RADIUS_CACERT_FILE" \
            "RADIUS CA certificate"
        temp=$?
        if [ $temp -ne 0 ];then
            fips_compl_ret=$temp
        fi
    fi

    if [ -e "$RADIUS_DIR/$RADIUS_SWCERT_FILE" ]; then
        caCertComplTest "$RADIUS_DIR/$RADIUS_SWCERT_FILE" \
            "RADIUS switch certificate"
        temp=$?
        if [ $temp -ne 0 ];then
            fips_compl_ret=$temp
        fi
    fi


	# check for HTTPS switch and ca certificate compliance
	# (only when a root certificate other than the "none" default is set)
	cacert=`config get $ROOTCERTCONFIG 5 2> /dev/null`
	if [ "$DEFAULTROOTCERTCONFIG" != "$cacert" ] &&
		[ ! -z "$cacert" ]; then
		caCertComplTest "$CERT_DIR/$cacert" "Switch CA certificate"
		temp=$?
		if [ $temp -ne 0 ];then
			fips_compl_ret=$temp
		fi
	fi

	# the switch certificate is only checked while HTTPS is enabled
	httpSEnabled=`config get $HTTPCONFIG 1`
	if [ "$httpSEnabled" == 1 ]; then
		httpsCert=`config get $CERTCONFIG 5`
		caCertComplTest "$CERT_DIR/$httpsCert" "HTTPS certificate"
		temp=$?
		if [ $temp -ne 0 ];then
			fips_compl_ret=$temp
		fi
	fi

	# check for fcap switch and ca certificate compliance
	if [ -e "$FCAP_DIR/$FCAP_SWCERT_FILE" ]; then
		caCertComplTest "$FCAP_DIR/$FCAP_SWCERT_FILE" \
			"FCAP certificate"
		temp=$?
		if [ $temp -ne 0 ];then
			fips_compl_ret=$temp
		fi
	fi

	if [ -e "$FCAP_DIR/$FCAP_CACERT_FILE" ]; then
		caCertComplTest "$FCAP_DIR/$FCAP_CACERT_FILE" \
			"FCAP CA certificate"
		temp=$?
		if [ $temp -ne 0 ];then
			fips_compl_ret=$temp
		fi
	fi

	# check for syslog-ng ca and switch certificates compliance.
	if [ -e "$SYSLOG_DIR/$SYSLOG_CACERT_FILE" ]; then
       	caCertComplTest "$SYSLOG_DIR/$SYSLOG_CACERT_FILE" \
     	"SYSLOG-NG CA certificate"
      	temp=$?
       	if [ $temp -ne 0 ];then
         	fips_compl_ret=$temp
       	fi
	fi

    if [ -e "$SYSLOG_DIR/$SYSLOG_SWCERT_FILE" ]; then
        caCertComplTest "$SYSLOG_DIR/$SYSLOG_SWCERT_FILE" \
        "SYSLOG-NG switch certificate"
        temp=$?
        if [ $temp -ne 0 ];then
            fips_compl_ret=$temp
        fi
    fi

	exit $fips_compl_ret
;;

$SSH_HOSTKEY_SIZE_CHECK )
	# hostkeysizecheck: "ssh-keygen -l" prints the bit count first; the
	# first four characters are compared against 2048 (exit 1 if smaller).
	# NOTE(review): when the RSA public key file is absent this arm does not
	# exit, so it falls through to the final "exit 0" and a missing host
	# key is reported as passing the size check.
	if [ -e $HOST_KEY_DIR/$HOST_RSA_KEY$PUB_SUFFIX ]; then
	        var=`/usr/bin/ssh-keygen -lf $HOST_KEY_DIR/$HOST_RSA_KEY$PUB_SUFFIX | cut -c 1-4`
        	if [ $var -lt 2048 ]; then
                	exit 1
	        fi
		exit 0	
	fi
;;

"$UPDATE_ALLOWED_LOGIN" )
# updateallowedlogin: force the AllowedLogin user back to admin and tell
# sshutil about it
sshdAllowUserUpdate admin
/fabos/libexec/sshutil_notify allowuser admin
;;

# defect: DEFECT000334381
"$DEL_USR_PUBKEY" )
        # Delete the public key (if any) of the user being deleted
        # this is invoked from "userconfig" code

        # Verify  the no of input arguments before processing
        # (only the count is checked; an empty second argument still passes)
        if [ $# -ne 2 ]
        then
                exit 1
        fi

        delUsrPubKeyFile DEL_USR_PUBKEY $2

;;

"$ZEROIZE_KNOWN_HOST" )
	# zeroizeknownhost: overwrite known_hosts with zeros in place (the file
	# itself is kept) and persist it.  KNOWN_HOST_DIR is the relative path
	# ".ssh", so this acts on .ssh/known_hosts under the current directory.
	if [ -e $KNOWN_HOST_DIR/$KNOWN_HOST_FILE ]; then
                size=`/bin/ls -la $KNOWN_HOST_DIR/$KNOWN_HOST_FILE | /bin/awk ' { print $5 } '`
                /bin/dd if=/dev/zero of=$KNOWN_HOST_DIR/$KNOWN_HOST_FILE bs=1 count=$size 2> /dev/null	

		/fabos/cliexec/config save $KNOWN_HOST_DIR/$KNOWN_HOST_FILE
	fi
;;

"$DEL_HOST_KEY" )
        # deletehostkey: zero-fill and unlink each existing DSA/RSA/ECDSA
        # host key pair, then regenerate all three (RSA 2048, ECDSA 256,
        # DSA 1024 - the only DSA size ssh-keygen produces; current OpenSSH
        # releases disable DSA host keys by default, so that key may go
        # unused).  Regeneration runs unconditionally, whether or not any
        # old key existed.  -N "" gives the unencrypted keys sshd needs.
        if [ -e $HOST_KEY_DIR/$HOST_DSA_KEY ]; then
                size=`/bin/ls -la $HOST_KEY_DIR/$HOST_DSA_KEY | /bin/awk ' { print $5 } '`
                /bin/dd if=/dev/zero of=$HOST_KEY_DIR/$HOST_DSA_KEY bs=1 count=$size 2> /dev/null

                /bin/rm -f $HOST_KEY_DIR/$HOST_DSA_KEY
                /bin/rm -f $HOST_KEY_DIR/$HOST_DSA_KEY$PUB_SUFFIX

		fi

        if [ -e $HOST_KEY_DIR/$HOST_RSA_KEY ]; then
                size=`/bin/ls -la $HOST_KEY_DIR/$HOST_RSA_KEY | /bin/awk ' { print $5 } '`
                /bin/dd if=/dev/zero of=$HOST_KEY_DIR/$HOST_RSA_KEY bs=1 count=$size 2> /dev/null

                /bin/rm -f $HOST_KEY_DIR/$HOST_RSA_KEY
                /bin/rm -f $HOST_KEY_DIR/$HOST_RSA_KEY$PUB_SUFFIX

        fi

        if [ -e $HOST_KEY_DIR/$HOST_ECDSA_KEY ]; then
                size=`/bin/ls -la $HOST_KEY_DIR/$HOST_ECDSA_KEY | /bin/awk ' { print $5 } '`
                /bin/dd if=/dev/zero of=$HOST_KEY_DIR/$HOST_ECDSA_KEY bs=1 count=$size 2> /dev/null
                /bin/rm -f $HOST_KEY_DIR/$HOST_ECDSA_KEY
                /bin/rm -f $HOST_KEY_DIR/$HOST_ECDSA_KEY$PUB_SUFFIX

        fi


                # new key pairs; the .pub files get mode 600 as well, which
                # is stricter than sshd requires for public keys
                /usr/bin/ssh-keygen -b 2048 -t rsa -f \
                $HOST_KEY_DIR/$HOST_RSA_KEY -N "" 1>/dev/null 2>/dev/null
                /bin/chmod 600 $HOST_KEY_DIR/$HOST_RSA_KEY
                /bin/chmod 600 $HOST_KEY_DIR/$HOST_RSA_KEY$PUB_SUFFIX

                /fabos/cliexec/config save $HOST_KEY_DIR/$HOST_RSA_KEY
                /fabos/cliexec/config save $HOST_KEY_DIR/$HOST_RSA_KEY$PUB_SUFFIX

                /usr/bin/ssh-keygen -b 256 -t ecdsa -f \
                $HOST_KEY_DIR/$HOST_ECDSA_KEY -N "" 1>/dev/null 2>/dev/null
                /bin/chmod 600 $HOST_KEY_DIR/$HOST_ECDSA_KEY
                /bin/chmod 600 $HOST_KEY_DIR/$HOST_ECDSA_KEY$PUB_SUFFIX

                /fabos/cliexec/config save $HOST_KEY_DIR/$HOST_ECDSA_KEY
                /fabos/cliexec/config save $HOST_KEY_DIR/$HOST_ECDSA_KEY$PUB_SUFFIX

                /usr/bin/ssh-keygen -b 1024 -t dsa -f \
                $HOST_KEY_DIR/$HOST_DSA_KEY -N "" 1>/dev/null 2>/dev/null
                /bin/chmod 600 $HOST_KEY_DIR/$HOST_DSA_KEY
                /bin/chmod 600 $HOST_KEY_DIR/$HOST_DSA_KEY$PUB_SUFFIX

                /fabos/cliexec/config save $HOST_KEY_DIR/$HOST_DSA_KEY
                /fabos/cliexec/config save $HOST_KEY_DIR/$HOST_DSA_KEY$PUB_SUFFIX

;;

"$FACTORY_RESET_SESS" )
	# factoryreset: kill every other login session.  cur_term is the TTY
	# column ($2 of the default "ps" layout) of the row whose command line
	# contains "factoryreset", i.e. the tty this command runs on, which
	# kill_session leaves alone.
	cur_term=`$PS | $GREP "factoryreset" | $AWK '{print $2}'`
	get_session_list
	kill_session
	rm -f $LOC_FILE
	printf "Completed successfully"
;;

"$DEL_CERTIFICATES" )
	# delcert: wipe every certificate store.  The HTTPS store is skipped
	# when restCaller (GEPS_APP_NAME) is set.
	cleanup_fcap_certs
	cleanup_radius_certs
	cleanup_ldap_certs
	cleanup_syslog_certs
	if [[ -z $restCaller ]];
	then
		cleanup_https_certs
	fi
	cleanup_extn_certs
	cleanup_kafka_certs
	cleanup_asc_certs
;;

esac

# unknown commands, and arms that do not exit themselves, end here
exit 0
