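#!/bin/sh
# Replace every SSH host key (DSA, RSA, ECDSA, Ed25519) in one shot.
#
# Each key is generated into a private temporary directory next to its final
# location and only moved into place once ssh-keygen has succeeded, so a
# failed generation never leaves the host without that key (and ssh-keygen
# never hits its interactive "Overwrite (y/n)?" prompt on an existing file).
# Rotating host keys invalidates what clients have cached in known_hosts:
# reload sshd afterwards and publish the new fingerprints over a trusted
# channel.
#
# Must run as root (writes to /etc/ssh). Failures are reported on stderr and
# the script continues with the remaining key types.

set -u

CONF=/etc/ssh/sshd_config
RSA=/etc/ssh/ssh_host_rsa_key
DSA=/etc/ssh/ssh_host_dsa_key
ECDSA=/etc/ssh/ssh_host_ecdsa_key
ED25519=/etc/ssh/ssh_host_ed25519_key
KEYGEN=ssh-keygen

# Extra ssh-keygen arguments per key type; pick a long key length wherever
# the type allows one. These strings are word-split on purpose when used.
RSA_P='-b 8192'
DSA_P=''          # DSA is fixed at 1024 bits; recent OpenSSH refuses to make it
ECDSA_P='-b 521'
ED25519_P=''      # Ed25519 has a single, fixed key size

# warn MESSAGE... — print a diagnostic on stderr.
warn() { printf '%s\n' "$*" >&2; }

# Don't replace the SSHv1 key: the protocol should be disabled outright.
# Warn when the config still lists it, alone or inside a "2,1"-style list.
if grep -Eqi '^[[:space:]]*Protocol[[:space:]]+(1|[0-9]+,1)' "$CONF"; then
  warn "Warning: SSHv1 is still enabled in $CONF"
fi

# regen_key TYPE PATH [EXTRA_ARGS]
#   Generates a fresh TYPE host key and installs it at PATH (plus PATH.pub).
#   EXTRA_ARGS is a string of additional ssh-keygen options, word-split.
#   The existing key is left untouched unless generation succeeds.
#   Body runs in a subshell so its variables stay local (POSIX sh has no
#   'local').
#   Returns: 0 on success, 1 otherwise (message on stderr).
regen_key() (
  type=$1
  target=$2
  extra=${3:-}
  dir=${target%/*}

  if [ -f "$target" ]; then
    echo "Replacing $type key at $target"
  else
    echo "Generating new $type key at $target (none present)"
  fi

  # Same directory as the target so the final mv is an atomic rename;
  # mktemp -d creates it mode 0700, keeping the fresh private key private.
  tmp=$(mktemp -d "$dir/.keygen.XXXXXX") || {
    warn "$type: cannot create temporary directory in $dir"
    return 1
  }

  # $extra is intentionally unquoted: it carries zero or more options.
  # shellcheck disable=SC2086
  $KEYGEN -t "$type" -f "$tmp/key" -N '' $extra
  rc=$?
  if [ "$rc" -ne 0 ]; then
    warn "$type: $KEYGEN failed with exit code $rc"
    rm -rf -- "${tmp:?}"
    return 1
  fi

  if mv -f -- "$tmp/key" "$target" && mv -f -- "$tmp/key.pub" "$target.pub"; then
    rm -rf -- "${tmp:?}"
    return 0
  fi
  warn "$type: could not install new key at $target"
  rm -rf -- "${tmp:?}"
  return 1
)

# Generate keys for DSA, RSA, ECDSA and Ed25519. Each call reports its own
# failure and the script carries on with the next type.
regen_key dsa "$DSA" "$DSA_P"
regen_key rsa "$RSA" "$RSA_P"
regen_key ecdsa "$ECDSA" "$ECDSA_P"
regen_key ed25519 "$ED25519" "$ED25519_P"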