#!/bin/bash

. /usr/sbin/so-common

if [[ $1 =~ ^(-q|--quiet) ]]; then
	quiet=true
elif [[ $1 =~ ^(-v|--verbose) ]]; then
	verbose=true
fi

sshd_config=/etc/ssh/sshd_config
temp_config=/tmp/sshd_config

before=
after=
reload_required=false
change_header_printed=false

check_sshd_t() {
	local string=$1

	local grep_out
	grep_out=$(sshd -T | grep "^${string}")

	before=$grep_out
}

print_diff() {
	local diff
	diff=$(diff -dbB <(echo $before) <(echo $after) | awk 'NR>1')

	if [[ -n $diff ]]; then
		if [[ $change_header_printed == false ]]; then
			printf '%s\n' '' "Changes" '-------' ''
			change_header_printed=true
		fi
		echo -e "$diff\n"
	fi
}

add_if_missing() {
	local string=$1
	if ! grep -q "$1" $temp_config; then
		printf "%s\n\n" "$1" >> $temp_config
		reload_required=true
	fi
}

test_config() {
	local msg
	msg=$(sshd -t -f $temp_config)
	local ret=$?

	if [[ -n $msg ]]; then
		echo "Error found in temp sshd config:"
		echo $msg
	fi

	return $ret
}

main() {
	if ! [[ $quiet ]]; then echo "Copying current config to $temp_config"; fi
	cp $sshd_config $temp_config

	# Add newline to ssh for legibility
	echo "" >> $temp_config

	# Ciphers
	check_sshd_t "ciphers"
	local cipher_string
	cipher_string=$(echo "$before" | sed -e "s/\(3des-cbc\|aes128-cbc\|aes192-cbc\|aes256-cbc\|arcfour\|arcfour128\|arcfour256\|blowfish-cbc\|cast128-cbc\|rijndael-cbc@lysator.liu.se\)\,\?//g")

	after=$cipher_string

	if [[ $verbose ]]; then print_diff; fi

	if [[ $before != "$after" ]]; then
		add_if_missing "$cipher_string" && test_config || exit 1
	fi

	# KexAlgorithms
	check_sshd_t "kexalgorithms"

	local kexalg_string
	kexalg_string=$(echo "$before" | sed -e "s/\(diffie-hellman-group14-sha1\|ecdh-sha2-nistp256\|diffie-hellman-group-exchange-sha256\|diffie-hellman-group1-sha1\|diffie-hellman-group-exchange-sha1\|ecdh-sha2-nistp521\|ecdh-sha2-nistp384\)\,\?//g")

	after=$kexalg_string

	if [[ $verbose ]]; then print_diff; fi

	if [[ $before != "$after" ]]; then
		add_if_missing "$kexalg_string" && test_config || exit 1
	fi

	# Macs
	check_sshd_t "macs"
	local macs_string
	macs_string=$(echo "$before" | sed -e "s/\(hmac-sha2-512,\|umac-128@openssh.com,\|hmac-sha2-256,\|umac-64@openssh.com,\|hmac-sha1,\|hmac-sha1-etm@openssh.com,\|umac-64-etm@openssh.com,\|hmac-sha1\)//g")

	after=$macs_string

	if [[ $verbose ]]; then print_diff; fi

	if [[ $before != "$after" ]]; then
		add_if_missing "$macs_string" && test_config || exit 1
	fi

	# HostKeyAlgorithms
	check_sshd_t "hostkeyalgorithms"
	local hostkeyalg_string
	hostkeyalg_string=$(echo "$before" | sed "s|ecdsa-sha2-nistp256,||g" | sed "s|ssh-rsa,||g")

	after=$hostkeyalg_string
	
	if [[ $verbose ]]; then print_diff; fi
	
	if [[ $before != "$after" ]]; then
		add_if_missing "$hostkeyalg_string" && test_config || exit 1
	fi

	if [[ $reload_required == true ]]; then
		mv -f $temp_config $sshd_config
		if ! [[ $quiet ]]; then echo "Reloading sshd to load config changes"; fi
		systemctl reload sshd
		echo "[ WARNING ] Any new ssh sessions will need to remove and reaccept the ECDSA key for this server before reconnecting."
	else
		if ! [[ $quiet ]]; then echo "No changes made to temp file, cleaning up"; fi
		rm -f $temp_config
	fi
}

main