#!/usr/local/bin/php
<?php

/*
 * Copyright (C) 2004 Scott K Ullrich
 * Copyright (C) 2004 Fred Mol <fredmol@xs4all.nl>.
 * Copyright (C) 2015-2016 Franco Fichtner <franco@opnsense.org>
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions are met:
 *
 * 1. Redistributions of source code must retain the above copyright notice,
 *    this list of conditions and the following disclaimer.
 *
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 *
 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
 * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
 * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
 * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
 * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
 * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
 * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
 * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
 * POSSIBILITY OF SUCH DAMAGE.
 */

require_once('config.inc');
require_once("util.inc");

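/* if run from a shell session, `-af' and the full path is needed */
mwexecf('/bin/pkill -af %s', '/usr/local/sbin/sshd', true);

/*
 * Resolve the effective sshd settings:
 *  - an existing and enabled <system><ssh> section is used as-is;
 *  - when no <ssh> section exists at all, the 'installer' argument selects
 *    a permissive bootstrap profile (root login + password authentication);
 *  - anything else leaves sshd stopped after the pkill above.
 */
$sshcfg = null;

if (isset($config['system']['ssh'])) {
    if (isset($config['system']['ssh']['enabled'])) {
        $sshcfg = $config['system']['ssh'];
    }
} elseif (count($argv) > 1 && $argv[1] === 'installer') {
    /* only revert to installer config when ssh is not set at all */
    $sshcfg = ['permitrootlogin' => 1, 'passwordauth' => 1];
}

if ($sshcfg === null) {
    return;
}

/*
 * The port is written verbatim into sshd_config, so it must be a plain
 * integer in the valid TCP range. Anything else (including a value with
 * an embedded newline, which would smuggle extra directives into the
 * file) is rejected before any work is done.
 */
$sshport = isset($sshcfg['port']) ? $sshcfg['port'] : 22;
$sshport = filter_var($sshport, FILTER_VALIDATE_INT, [
    'options' => ['min_range' => 1, 'max_range' => 65535],
]);
if ($sshport === false) {
    log_error('Invalid SSH port in configuration, sshd was not started.');
    return;
}

/*
 * make sshd key store; the mode is still subject to the umask.
 * NOTE(review): the host private keys live here, so a tighter mode (0700)
 * may be preferable -- confirm no non-root consumer reads the .pub files.
 */
if (!is_dir('/conf/sshd')) {
    mkdir('/conf/sshd', 0777, true);
}

/* make ssh home directory (privilege-separation chroot, intentionally read-only) */
if (!is_dir('/var/empty')) {
    mkdir('/var/empty', 0555, true);
}

/* Login related files. */
touch('/var/log/lastlog');

$keys = [
    /* .pub files are implied */
    'rsa' => 'ssh_host_rsa_key',
    'ecdsa' => 'ssh_host_ecdsa_key',
    'ed25519' => 'ssh_host_ed25519_key',
];

/* deprecated types: never (re)generated here, but still served if a key exists */
$keys_dep = [
    /* .pub files are implied */
    'dsa' => 'ssh_host_dsa_key',
];

$keys_all = array_merge($keys, $keys_dep);

/* A missing private or public half of any current key type forces a full regeneration. */
$generate_keys = false;
foreach ($keys as $name) {
    $file = "/conf/sshd/{$name}";
    if (!file_exists($file) || !file_exists("{$file}.pub")) {
        $generate_keys = true;
        break;
    }
}

if ($generate_keys) {
    /* a concurrent run has already marked the keys as being generated; let it finish */
    if (is_subsystem_dirty('sshdkeys')) {
        return;
    }
    log_error('Started creating your SSH keys. SSH startup is being delayed a wee bit.');
    mark_subsystem_dirty('sshdkeys');
    foreach ($keys as $type => $name) {
        $file = "/conf/sshd/{$name}";
        /* drop stale halves first so ssh-keygen never stops to ask about overwriting */
        foreach (["{$file}.pub", $file] as $stale) {
            if (file_exists($stale)) {
                unlink($stale);
            }
        }
        mwexecf('/usr/local/bin/ssh-keygen -t %s -N "" -f %s', [$type, $file]);
    }
    clear_subsystem_dirty('sshdkeys');
    log_error('Completed creating your SSH keys. SSH will now be started.');
}

/* Render sshd_config: fixed hardening baseline first, then the per-config toggles. */
$sshconf = "# This file was automatically generated by /usr/local/etc/rc.sshd\n";
$sshconf .= "Port {$sshport}\n";
$sshconf .= "Protocol 2\n";
$sshconf .= "Compression yes\n";
$sshconf .= "ClientAliveInterval 30\n";
$sshconf .= "UseDNS no\n";
$sshconf .= "X11Forwarding no\n";
$sshconf .= "PubkeyAuthentication yes\n";
$sshconf .= "Subsystem\tsftp\tinternal-sftp\n";
/* root login is only enabled when explicitly requested; sshd's default applies otherwise */
if (isset($sshcfg['permitrootlogin'])) {
    $sshconf .= "PermitRootLogin yes\n";
}
/* password/interactive auth is opt-in; public keys stay the default path */
if (isset($sshcfg['passwordauth'])) {
    $sshconf .= "ChallengeResponseAuthentication yes\n";
    $sshconf .= "PasswordAuthentication yes\n";
} else {
    $sshconf .= "ChallengeResponseAuthentication no\n";
    $sshconf .= "PasswordAuthentication no\n";
}
/* only reference keys that actually exist (deprecated types are not regenerated above) */
foreach ($keys_all as $name) {
    $file = "/conf/sshd/{$name}";
    if (!file_exists($file)) {
        continue;
    }
    $sshconf .= "HostKey {$file}\n";
}

/* Write the new sshd config file; never start sshd on a stale or partial one */
if (file_put_contents('/usr/local/etc/ssh/sshd_config', $sshconf) === false) {
    log_error('Unable to write /usr/local/etc/ssh/sshd_config, sshd was not started.');
    return;
}

/* Launch new server process; a truthy (presumably non-zero exit) result means failure */
echo "Reloading sshd...";
if (mwexecf('/usr/bin/protect -i /usr/local/sbin/sshd')) {
    echo "failed.\n";
} else {
    echo "done.\n";
}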