#!/bin/sh
#
#    Copyright (c) 1996-2012 Brocade Communications Systems, Inc.
#    All rights reserved.
#
# This script updates /etc/sshd_config (server side) and, for the client-side
# options, /etc/ssh_config, then persists the changed file with "config save".
# Usage: sshdConfigUpdate.sh <option> [value] [fipscfg]
#   KexAlgorithms 1      - Sets the Key Exchange Algorithm to DH Group 14
#   KexAlgorithms 0      - Sets the Key Exchange Algorithm to default
#   MinPrime 0|1, ServerHostKeySize 0|1, RekeyLimit 0|900-3600, delrsakeys
#   (see usage() below for the full list)

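# ---------------------------------------------------------------------------
# External commands, referenced by absolute path throughout
# ---------------------------------------------------------------------------
GREP=/bin/grep
SED=/bin/sed
CAT=/bin/cat
ECHO=/bin/echo
RM=/bin/rm
AWK=/bin/awk
PS=/bin/ps
MV=/bin/mv
FIND=/usr/bin/find
CONFIG=/fabos/cliexec/config	# FOS config tool: "config save <file>", "config get <key>"
SSHD=/usr/sbin/sshd

# ---------------------------------------------------------------------------
# Files this script edits
# ---------------------------------------------------------------------------
SSHD_CONFIG_FILE=/etc/sshd_config
SSH_CONFIG_FILE=/etc/ssh_config
# Scratch copies live next to the real file (same root-only directory)
TMP_SSHD_CONFIG_FILE=$SSHD_CONFIG_FILE.tmp
TMP_SSH_CONFIG_FILE=$SSH_CONFIG_FILE.tmp
# Searched (together with /mnt$CERT_DIR) by the delrsakeys option
CERT_DIR=/etc/fabos/certs

# Directive name looked up in ssh_config by the KexAlgorithms option.  It
# used to come only from the caller's environment; when unset, "^$KEX_ALGO"
# became a match-everything grep/sed pattern and "KexAlgorithms 0" commented
# out every line of ssh_config.  Default it, keeping a caller-supplied value.
KEX_ALGO=${KEX_ALGO:-KexAlgorithms}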

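# Report whether the switch is in FIPS mode.
# Globals:  CONFIG (read)
# Returns:  1 when "config get fips.mode" or "config get fips.simulate"
#           answers 1; 0 otherwise (including when no answer is available)
# "config get" only answers for the default virtual fabric, so FABOS_SWITCHNO
# is forced to 0 for the two lookups.  It is done as a per-command environment
# assignment: the caller's FABOS_SWITCHNO is never modified, and the value
# reaches the command whether or not the variable was exported (the previous
# save/set/restore dance only worked if it already was).
checkFipsMode() {
	local mode simulate
	mode=$(FABOS_SWITCHNO=0 "$CONFIG" get fips.mode 2)
	simulate=$(FABOS_SWITCHNO=0 "$CONFIG" get fips.simulate 2)

	# An empty answer is still treated as "not FIPS" (as before), but it is
	# reported: previously it only showed up as a test(1) syntax error and
	# the caller could not distinguish "not FIPS" from "could not tell".
	if [ -z "$mode" ] || [ -z "$simulate" ]; then
		$ECHO "warning: could not read fips.mode/fips.simulate, assuming non-FIPS" >&2
	fi

	# Numeric comparison as before; non-numeric garbage is just "not 1".
	[ "$mode" -eq 1 ] 2>/dev/null && return 1
	[ "$simulate" -eq 1 ] 2>/dev/null && return 1
	return 0
}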


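#
# Print the usage of this utility on stdout and return 1, so callers can
# write "usage; exit 1".  (The return used to come first, so the text was
# never printed.)
#
usage() {
	$ECHO
	$ECHO "Usage:"
	$ECHO "sshdconfigupdate KexAlgorithms [0|1]"
	$ECHO "sshdconfigupdate MinPrime [0|1]"
	$ECHO "sshdconfigupdate ServerHostKeySize [0|1]"
	$ECHO "sshdconfigupdate RekeyLimit [0|900-3600]" # RekeyInterval cli not supported in FOS
	$ECHO "sshdconfigupdate delrsakeys"
	$ECHO
	return 1
}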

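# ---------------------------------------------------------------------------
# Argument validation
#   $1  option keyword (see usage)
#   $2  value: 0/1 for the toggles, 0 or 900-3600 for RekeyLimit, none for
#       delrsakeys
#   $3  optional caller tag; only "fipscfg" (with ServerHostKeySize) is
#       accepted here.  NOTE(review): the restart code at the bottom of the
#       script also tests $3 for "postinst", which this check rejects --
#       confirm which callers are expected to pass it.
# ---------------------------------------------------------------------------
if [ $# -eq 0 ] || [ $# -gt 2 ]; then
	if [ "$1" != "ServerHostKeySize" ] || [ "$3" != "fipscfg" ]; then
		$ECHO "error: Incorrect usage"
		usage
		exit 1
	fi
fi

case "$1" in
	KexAlgorithms|RekeyLimit|ServerHostKeySize|MinPrime|delrsakeys) ;;
	*)
		$ECHO "error: Incorrect usage"
		usage
		exit 1
		;;
esac

# The value must be 0, 1, 2 or an integer in 900..3600 (an empty value is
# passed through unchanged, as before).  The old test applied -lt/-gt to an
# unchecked string, so a non-numeric value made test(1) fail with an error
# and was accepted as valid.  NOTE(review): 2 is admitted here but no option
# below acts on it -- kept for compatibility, confirm whether it is still used.
if [ $# -gt 1 ]; then
	case "$2" in
		''|0|1|2) value_ok=1 ;;
		*[!0-9]*) value_ok= ;;
		*) if [ "$2" -ge 900 ] && [ "$2" -le 3600 ]; then value_ok=1; else value_ok=; fi ;;
	esac
	if [ -z "$value_ok" ]; then
		$ECHO "error: Incorrect usage"
		usage
		exit 1
	fi
fi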


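# ---------------------------------------------------------------------------
# Helpers for update_sshd_config
# ---------------------------------------------------------------------------

# Run one sed expression over a config file and copy the result back.
# Arguments: $1 - sed expression, $2 - file to edit, $3 - scratch file
# Returns:   0 when the file was rewritten; 1 when sed or the copy-back
#            failed (scratch file removed either way)
# The copy-back is "cat > file" rather than mv so the file keeps its inode,
# owner and mode; the price is a short window in which the file is truncated
# but not yet rewritten, which is why a failure is now reported rather than
# followed by "Updated ..." and "config save" as before.
rewrite_config_file() {
	if $SED -e "$1" "$2" > "$3" && $CAT "$3" > "$2"; then
		$RM -f "$3"
		return 0
	fi
	$RM -f "$3"
	$ECHO "error: failed to update $2" >&2
	return 1
}

# Persist a file with the FOS config tool.  A failure is reported on stderr
# but is not fatal: the running configuration has already been changed.
save_config_file() {
	$CONFIG save "$1" || $ECHO "warning: config save of $1 failed" >&2
}

# Enable or disable one "Keyword value" directive in a config file.
# Arguments: $1 - directive keyword (plain text, no regex/sed metacharacters)
#            $2 - 1 to enable, 0 to disable; any other value is a no-op
#            $3 - file to edit           $4 - scratch file for it
#            $5 - comment line and $6 - directive line, appended (after a
#                 blank line) when the directive is absent and $2 is 1
#            $7 - message printed after commenting the directive out (optional)
#            $8 - message printed after re-enabling a commented line (optional)
# Behaviour, unchanged from the per-option code this replaces:
#   active line found    -> 0 comments it out; 1 is a no-op
#   commented line found -> 1 strips its leading '#'; 0 is a no-op
#   not found            -> 1 appends $5/$6; 0 is a no-op
# The file is saved with "config save" after every change.
# Returns 0, or 1 when the rewrite failed (nothing saved).
toggle_directive() {
	local key=$1 val=$2 file=$3 tmp=$4 comment=$5 line=$6 off_msg=$7 on_msg=$8
	if $GREP "^$key" "$file" >/dev/null; then
		[ "$val" = 0 ] || return 0
		rewrite_config_file "s/^$key/#&/" "$file" "$tmp" || return 1
		[ -n "$off_msg" ] && $ECHO "$off_msg"
	elif $GREP "^#$key" "$file" >/dev/null; then
		[ "$val" = 1 ] || return 0
		rewrite_config_file "/^#$key/s/#//" "$file" "$tmp" || return 1
		[ -n "$on_msg" ] && $ECHO "$on_msg"
	else
		[ "$val" = 1 ] || return 0
		{ $ECHO; $ECHO "$comment"; $ECHO "$line"; } >> "$file"
	fi
	save_config_file "$file"
}

# Set RekeyLimit in sshd_config to "default <seconds>" (900-3600) or restore
# the default (0).  Both an active "RekeyLimit ..." line and a commented
# "#RekeyLimit ..." line are recognised and replaced when a value is set; the
# match is anchored to the start of the line, so a comment that merely
# mentions RekeyLimit elsewhere is no longer overwritten.
# Exits the script with status 1 on an invalid or missing value, as before.
set_rekey_limit() {
	local val=$1 file=$SSHD_CONFIG_FILE tmp=$TMP_SSHD_CONFIG_FILE
	local pattern='^#*[[:space:]]*RekeyLimit'
	local in_range=

	case "$val" in
		''|*[!0-9]*) ;;	# empty or not a number: never in range
		*) [ "$val" -ge 900 ] && [ "$val" -le 3600 ] && in_range=1 ;;
	esac

	if $GREP "$pattern" "$file" >/dev/null; then
		if [ "$val" = 0 ]; then
			rewrite_config_file "s/^RekeyLimit/#&/" "$file" "$tmp" || return 1
			$ECHO "Updated $file to restore SSH RekeyLimit to default"
		elif [ -n "$in_range" ]; then
			rewrite_config_file "s/$pattern.*/RekeyLimit default $val/" "$file" "$tmp" || return 1
			$ECHO "Updated $file to set SSH RekeyLimit to $val"
		else
			$ECHO "error: Incorrect usage"
			usage
			exit 1
		fi
	elif [ -n "$in_range" ]; then
		{ $ECHO; $ECHO "RekeyLimit default $val"; } >> "$file"
	elif [ "$val" != 0 ]; then
		$ECHO "error: Incorrect usage"
		usage
		exit 1
	else
		return 0	# no directive and nothing to restore
	fi
	save_config_file "$file"
}

# Truncate every regular file named *id_rsa or *id_rsa.pub under the
# certificate directories (CERT_DIR and its /mnt counterpart).
# The old code did "cd $dir; find ." without checking the cd: when the
# directory was missing the search ran from whatever the current directory
# happened to be.  A missing directory is now simply skipped.
# NOTE(review): truncating keeps the file names and, on flash media, does not
# guarantee the old key bytes are gone -- confirm that meets the requirement.
wipe_rsa_keys() {
	local dir
	for dir in "$CERT_DIR" "/mnt$CERT_DIR"; do
		[ -d "$dir" ] || continue
		$FIND "$dir" -type f -name '*id_rsa' -exec sh -c ': > "$1"' sh {} \;
		$FIND "$dir" -type f -name '*id_rsa.pub' -exec sh -c ': > "$1"' sh {} \;
	done
}

# Apply one option to the SSH configuration files.
# Arguments: $1 - option keyword (validated by the caller before this runs)
#            $2 - value (see usage)
# Globals:   reads the *_CONFIG_FILE, TMP_*, CERT_DIR and command variables;
#            reads fipsMode from the environment if the caller set it, else
#            fills it in from checkFipsMode; reads KEX_ALGO if set.
# Returns:   0, or 1 when a file rewrite failed; exits 1 on a bad RekeyLimit.
update_sshd_config() {
	umask 022	# scratch files next to /etc/ssh*_config: no group/world write
	local option=$1 value=$2 kex_key rc=0

	case "$option" in
	KexAlgorithms)
		# KexAlgorithms is not to be modified in FIPS mode.  The script never
		# set fipsMode itself, so unless the caller exported it the old test
		# "[ $fipsMode -eq 0 ]" was a syntax error and the option silently
		# did nothing; ask the platform when the value is missing.
		if [ -z "$fipsMode" ]; then
			checkFipsMode
			fipsMode=$?
		fi
		if [ "$fipsMode" -eq 0 ] 2>/dev/null; then
			# Server side.  NOTE(review): diffie-hellman-group14-sha1 is the
			# only algorithm offered once enabled; confirm that list is still
			# the intended one (sha1 key exchange is disabled by default in
			# current OpenSSH clients).
			toggle_directive KexAlgorithms "$value" \
				"$SSHD_CONFIG_FILE" "$TMP_SSHD_CONFIG_FILE" \
				"# Supported Key Exchange Algorithms (KexAlgorithms)" \
				"KexAlgorithms diffie-hellman-group14-sha1" \
				"Updated $SSHD_CONFIG_FILE to restore SSH KexAlgorithms to default" \
				"Updated $SSHD_CONFIG_FILE to set SSH KexAlgorithms to DH Group 14" || rc=1
			# Client side.  KEX_ALGO comes from the environment; default it so
			# an unset value cannot turn "^$KEX_ALGO" into a match-everything
			# pattern (which used to comment out all of ssh_config on "0").
			kex_key=${KEX_ALGO:-KexAlgorithms}
			toggle_directive "$kex_key" "$value" \
				"$SSH_CONFIG_FILE" "$TMP_SSH_CONFIG_FILE" \
				"# Supported Key Exchange Algorithms (KexAlgorithms)" \
				"KexAlgorithms ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256" || rc=1
		else
			$ECHO "KexAlgorithms is not configurable in FIPS mode (fipsMode=$fipsMode)" >&2
		fi
		;;
	ServerHostKeySize)
		toggle_directive ServerHostKeySize "$value" \
			"$SSH_CONFIG_FILE" "$TMP_SSH_CONFIG_FILE" \
			"# Supported ServerHostKeySize 2048" "ServerHostKeySize 2048" || rc=1
		# Restrict both config files to root, as before (it was done four
		# times per file); still done even when nothing changed.
		/bin/chmod 600 "$SSHD_CONFIG_FILE"
		/bin/chmod 600 "$SSH_CONFIG_FILE"
		;;
	MinPrime)
		toggle_directive MinPrime "$value" \
			"$SSH_CONFIG_FILE" "$TMP_SSH_CONFIG_FILE" \
			"# Supported MinPrime 2048" "MinPrime 2048" || rc=1
		toggle_directive MinPrime "$value" \
			"$SSHD_CONFIG_FILE" "$TMP_SSHD_CONFIG_FILE" \
			"# Supported MinPrime 2048" "MinPrime 2048" || rc=1
		;;
	delrsakeys)
		wipe_rsa_keys
		;;
	RekeyLimit)
		set_rekey_limit "$value" || rc=1
		;;
	esac
	return "$rc"
}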

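# ---------------------------------------------------------------------------
# Main: apply the option (arguments were validated above), then restart sshd
# for ServerHostKeySize
# ---------------------------------------------------------------------------
update_sshd_config "$1" "$2"

# PIDs of the sshd listener process(es): "sshd: user" session processes, the
# greps of this pipeline and this script's own process line are filtered out.
sshd_listener_pids() {
	$PS -ef | $GREP -w "sshd" | $GREP -v "sshd:" | $GREP -v "$GREP" \
		| $GREP -iv "sshdconfigupdate" | $AWK '{print $2}'
}

# The ServerHostKeySize option is followed by an sshd restart, except when
# the third argument is "postinst" (presumably the post-install sequence
# starts sshd on its own -- confirm; note the argument check above must admit
# that third argument for this path to be reachable).  The old condition
# also tested for "fipscfg", which was redundant: any value other than
# "postinst" restarts.
if [ "$1" = "ServerHostKeySize" ] && [ "$3" != "postinst" ]; then
	pids=$(sshd_listener_pids)
	if [ -n "$pids" ]; then
		# $pids is deliberately unquoted: one word per PID.
		kill $pids
		# Wait (bounded) for the old listener to exit.  Starting the new
		# daemon while the old one still holds the listening port makes the
		# bind fail, and the liveness check below would then be satisfied by
		# the not-yet-dead old process.
		tries=0
		while [ "$tries" -lt 10 ] && kill -0 $pids 2>/dev/null; do
			/bin/sleep 1
			tries=$((tries + 1))
		done
	fi

	# The FIPS and non-FIPS branches started sshd with the identical command,
	# so the checkFipsMode lookup here was dead weight and is gone; if FIPS
	# ever needs different daemon arguments, this is where they belong.
	$SSHD >/dev/null 2>&1

	if [ -z "$(sshd_listener_pids)" ]; then
		$ECHO "error: sshd did not come back after updating $SSH_CONFIG_FILE" >&2
		exit 1
	fi
fi

exit 0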
