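#!/bin/sh
# Regenerate the SSH host keys (Ed25519 and 4096-bit RSA) and drop small
# Diffie-Hellman groups from the moduli file.
#
# Must be run as root. All existing ssh_host_* files in SSH_DIR are removed,
# so key types not regenerated here (e.g. ECDSA, DSA) are left absent.
# This script does NOT edit sshd_config: algorithm selection (KexAlgorithms,
# Ciphers, MACs, HostKeyAlgorithms) has to be hardened separately.
# Clients that pinned the previous host keys will see a host-key-changed
# warning after sshd is restarted; publish the new fingerprints out of band.
set -eu

SSH_DIR="/etc/ssh"
KEY_PERMS="600"        # private host keys: owner read/write only
PUB_PERMS="644"        # public halves are meant to be readable
# 755, not 700: unprivileged users need to traverse this directory to read
# ssh_config and ssh_known_hosts. The private keys are protected by their
# own mode, not by the directory mode.
DIR_PERMS="755"
# Field 5 of a moduli line is the group size in bits minus one, so 3071
# keeps groups of 3072 bits and larger.
MIN_MODULI_SIZE="3071"

if [ "$(id -u)" -ne 0 ]; then
  echo "[-] This script must be run as root" >&2
  exit 1
fi

# New files are created private; modes are widened explicitly below.
umask 077

# Stage inside SSH_DIR so the final mv is a rename on the same filesystem.
stage=$(mktemp -d "$SSH_DIR/.hostkeys.XXXXXX")
trap 'rm -rf -- "${stage:?}"' EXIT
trap 'exit 1' HUP INT TERM

echo "[*] Generating new secure host keys..."
# Generate into the staging directory first: if ssh-keygen fails, set -e
# aborts here and the existing host keys are still in place.
# Generate Ed25519 key (preferred)
ssh-keygen -t ed25519 -f "$stage/ssh_host_ed25519_key" -N "" -C ""
# Generate RSA key with 4096 bits
ssh-keygen -t rsa -b 4096 -f "$stage/ssh_host_rsa_key" -N "" -C ""

echo "[*] Setting secure permissions..."
chmod "$KEY_PERMS" "$stage"/ssh_host_*_key
chmod "$PUB_PERMS" "$stage"/ssh_host_*_key.pub

echo "[*] Removing old host keys..."
rm -f -- "$SSH_DIR"/ssh_host_*
mv -- "$stage"/ssh_host_* "$SSH_DIR"/
chmod "$DIR_PERMS" "$SSH_DIR"

echo "[*] Filtering moduli for safe DH groups..."
if [ -f "$SSH_DIR/moduli" ]; then
  awk -v min="$MIN_MODULI_SIZE" '$5 >= min' "$SSH_DIR/moduli" \
    > "$stage/moduli.safe"
  # Never install an empty moduli file: sshd would have no groups left for
  # diffie-hellman-group-exchange.
  if [ -s "$stage/moduli.safe" ]; then
    chmod 644 "$stage/moduli.safe"
    mv -- "$stage/moduli.safe" "$SSH_DIR/moduli"
  else
    echo "[!] No moduli of the required size found; leaving $SSH_DIR/moduli unchanged" >&2
  fi
fi

echo "[+] Secure host keys generated successfully"
echo "[+] sshd_config was not modified; review its algorithm settings and restart sshd to load the new keys"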