#!/bin/bash
# IBM(c) 2007 EPL license http://www.eclipse.org/legal/epl-v10.html
#(C)IBM Corp
#  This script adds xCAT specific setup to the /etc/ssh/sshd_config and ssh_config file
#  It calls getcredentials.awk to get from the xcatmaster  ssh host keys from the
#  /etc/xcat/hostkeys directory and puts in  /etc/ssh on the node the following keys
#     ssh_host_dsa_key,ssh_host_rsa_key, ssh_host_ecdsa_key (if supported)
#  It calls getcredentials.awk to get from the xcatmaster root ssh keys from the
#  ~/.ssh directory on the xcatmaster and put in ~/.ssh on the node the following keys:
#   If site.enablesshbetweennodes is yes
#      id.rsa
#
# if on the Management Node, exit
if [ -n "$LOGLABEL" ]; then
    log_label=$LOGLABEL
else
    log_label="xcat"
fi
umask 0077
if [ -f /etc/os-release ] && cat /etc/os-release |grep -i -e "^NAME=[ \"']*Cumulus Linux[ \"']*$" >/dev/null 2>&1 ; then
   #TODO
   echo "Cumulus OS is not supported yet, nothing to do..."
   logger -t $log_label -p local4.info "Cumulus OS is not supported yet, nothing to do..."
   exit 0
fi

if [ "$(uname -s|tr 'A-Z' 'a-z')" = "linux" ];then
   str_dir_name=`dirname $0`
   . $str_dir_name/xcatlib.sh
fi

if [ -e /etc/xCATMN ]; then
	logger -t $log_label -p local4.info "remoteshell:Running on the Management Node ,  exiting "
   exit 0
fi
# if -p input, do special PCM setup
if [ -n "$1" ]; then
 if [ $1 = "-p" ]; then
    SETUPFORPCM=1
 fi
fi


#  Linux or if AIX call aixremoteshell -d
if [ "$(uname -s)" = "AIX" ]; then
   ./aixremoteshell -d 2>&1
	logger -t $log_label -p local4.info "Install: On AIX , remoteshell calling aixremoteshell -d "
   exit 0
fi
master=$MASTER
# are we using xcat flow control
useflowcontrol=0
if [ "$USEFLOWCONTROL" = "YES" ] || [ "$USEFLOWCONTROL" = "yes" ] || [ "$USEFLOWCONTROL" = "1" ]; then
  useflowcontrol=1
fi

if [ -r /etc/ssh/sshd_config ]
then
	logger -t $log_label -p local4.info "remoteshell:  setup /etc/ssh/sshd_config and ssh_config"
	cp /etc/ssh/sshd_config /etc/ssh/sshd_config.ORIG
        #delete all occurance of the attribute and then add xCAT settings
        sed -i '/X11Forwarding /'d /etc/ssh/sshd_config
        echo "X11Forwarding yes" >>/etc/ssh/sshd_config
        # delete all MaxStartups settings and use default value
        sed -i '/MaxStartups /'d /etc/ssh/sshd_config

    if [ "$SETUPFORPCM" = "1" ]; then
        if [[ $OSVER == sle* ]];then
            sed -i '/PasswordAuthentication /'d /etc/ssh/sshd_config
            echo "PasswordAuthentication yes" >>/etc/ssh/sshd_config
        elif [[ $OSVER == ubuntu* ]];then
            sed -i 's/^PermitRootLogin.*/PermitRootLogin yes/' /etc/ssh/sshd_config
        fi
    fi
fi

if [ -r /etc/ssh/ssh_config ]
then
   sed -i '/StrictHostKeyChecking /'d /etc/ssh/ssh_config
   echo "StrictHostKeyChecking no" >> /etc/ssh/ssh_config

fi
xcatpost="xcatpost"
if [ -d /xcatpost/_ssh ]
then
	logger -p local4.info -t $log_label "Install: setup root .ssh"
	cd /xcatpost/_ssh
	mkdir -p /root/.ssh
	cp -f * /root/.ssh
   cd - >/dev/null
	chmod 700 /root/.ssh
	chmod 600 /root/.ssh/*
fi

if [ ! -x /usr/bin/openssl ]; then
    logger -t $log_label -p local4.err "Install: /usr/bin/openssl is not executable."
    exit 0
fi
allowcred.awk &
CREDPID=$!
sleep 1

#download the ssh host dsa private keys
if [ $useflowcontrol = "1" ]; then
  #first contact daemon  xcatflowrequest <server> 3001
  logger -t $log_label -p local4.info "remoteshell: sending xcatflowrequest $master 3001"
 /$xcatpost/xcatflowrequest $master 3001
 rc=$?
 logger -t $log_label -p local4.info "remoteshell:xcatflowrequest received response return=$rc"
 if [ $rc -ne 0 ]; then
      logger -t $log_label -p local4.info "remoteshell: error from xcatflowrequest, will not use flow control"
      useflowcontrol=0
 fi


fi
getcredentials.awk ssh_dsa_hostkey | grep -E -v '</{0,1}xcatresponse>|</{0,1}serverdone>' | sed -e 's/&lt;/</' -e 's/&gt;/>/' -e 's/&amp;/&/' -e 's/&quot/"/' -e "s/&apos;/'/" > /tmp/ssh_dsa_hostkey

#check the message is an error or not
grep -E '<error>' /tmp/ssh_dsa_hostkey > /dev/null 2>&1
if [ $? -ne 0 ]; then
	#the message received is the data
	cat /tmp/ssh_dsa_hostkey | grep -E -v '</{0,1}errorcode>|/{0,1}data>|</{0,1}content>|</{0,1}desc>' >/etc/ssh/ssh_host_dsa_key
	logger -t $log_label -p local4.info "remoteshell: getting ssh_host_dsa_key"
   MAX_RETRIES=10
   RETRY=0
   MYCONT=`cat /etc/ssh/ssh_host_dsa_key`
   while [ -z "$MYCONT" ]; do
              # not using flow control , need to sleep
              if [ $useflowcontrol = "0" ]; then
                let SLI=$RANDOM%10
                let SLI=SLI+10
                sleep $SLI
              fi

                RETRY=$(($RETRY+1))
                if [ $RETRY -eq $MAX_RETRIES ]
                then
                  break
                fi
                if [ $useflowcontrol = "1" ]; then
                  #first contact daemon  xcatflowrequest <server> 3001
                  logger -t $log_label -p local4.info "remoteshell: sending xcatflowrequest $master 3001"
                  /$xcatpost/xcatflowrequest $master 3001
                  rc=$?
                  logger -t $log_label -p local4.info "remoteshell:xcatflowrequest return=$rc"
                  if [ $rc -ne 0 ]; then
                     logger -t $log_label -p local4.info "remoteshell: error from xcatflowrequest, will not use flow control"
                     useflowcontrol=0
                  fi
                fi
                getcredentials.awk ssh_dsa_hostkey | grep -v '<'|sed -e 's/&lt;/</' -e 's/&gt;/>/' -e 's/&amp;/&/' -e 's/&quot/"/' -e "s/&apos;/'/" > /etc/ssh/ssh_host_dsa_key
                MYCONT=`cat /etc/ssh/ssh_host_dsa_key`
   done
   egrep  -i "^ssh_keys:" /etc/group >/dev/null 2>&1 && chown root:ssh_keys /etc/ssh/ssh_host_dsa_key 2>/dev/null && chmod 640 /etc/ssh/ssh_host_dsa_key
   if ! grep "PRIVATE KEY" /etc/ssh/ssh_host_dsa_key > /dev/null 2>&1 ; then
        rm /etc/ssh/ssh_host_dsa_key
	else
		ssh-keygen -y -f /etc/ssh/ssh_host_dsa_key -P "" > /etc/ssh/ssh_host_dsa_key.pub
		chmod 644 /etc/ssh/ssh_host_dsa_key.pub
		chown root /etc/ssh/ssh_host_dsa_key.pub
   fi
else
	#the message received is an error, so parse it
	ERR_MSG=`sed -n 's%.*<error>\(.*\)</error>.*%\1%p' /tmp/ssh_dsa_hostkey`
	logger -s -t $log_label -p local4.err Error: $ERR_MSG
fi
rm /tmp/ssh_dsa_hostkey

# download the host rsa key
if [ $useflowcontrol = "1" ]; then
  #first contact daemon  xcatflowrequest <server> 3001
  logger -t $log_label -p local4.info "remoteshell: sending xcatflowrequest $master 3001"
  /$xcatpost/xcatflowrequest $master 3001
  rc=$?
  logger -t $log_label -p local4.info "remoteshell:xcatflowrequest return=$rc"
  if [ $rc -ne 0 ]; then
      logger -t $log_label -p local4.info "remoteshell: error from xcatflowrequest, will not use flow control"
      useflowcontrol=0
  fi
fi

getcredentials.awk ssh_rsa_hostkey | grep -E -v '</{0,1}xcatresponse>|</{0,1}serverdone>' | sed -e 's/&lt;/</' -e 's/&gt;/>/' -e 's/&amp;/&/' -e 's/&quot/"/' -e "s/&apos;/'/" > /tmp/ssh_rsa_hostkey

#check whether the message is an error or not
grep -E '<error>' /tmp/ssh_rsa_hostkey > /dev/null 2>&1
if [ $? -ne 0 ]; then
	#the message received is the data we request
	cat /tmp/ssh_rsa_hostkey | grep -E -v '</{0,1}errorcode>|/{0,1}data>|</{0,1}content>|</{0,1}desc>' >/etc/ssh/ssh_host_rsa_key
	logger -t $log_label -p local4.info ssh_rsa_hostkey
	MYCONT=`cat /etc/ssh/ssh_host_rsa_key`
   MAX_RETRIES=10
   RETRY=0
	while [ -z "$MYCONT" ]; do
              # not using flow control , need to sleep
              if [ $useflowcontrol = "0" ]; then
                let SLI=$RANDOM%10
                let SLI=SLI+10
                sleep $SLI
              fi
                RETRY=$(($RETRY+1))
                if [ $RETRY -eq $MAX_RETRIES ]
                then
                  break
                fi
                if [ $useflowcontrol = "1" ]; then
                  #first contact daemon  xcatflowrequest <server> 3001
                  logger -t $log_label -p local4.info "remoteshell: sending xcatflowrequest $master 3001"
                  /$xcatpost/xcatflowrequest $master 3001
                  rc=$?
                  logger -t $log_label -p local4.info "remoteshell:xcatflowrequest return=$rc"
                  if [ $rc -ne 0 ]; then
                      logger -t $log_label -p local4.info "remoteshell: error from xcatflowrequest, will not use flow control"
                      useflowcontrol=0
                  fi
                fi

    		getcredentials.awk ssh_rsa_hostkey | grep -v '<'|sed -e 's/&lt;/</' -e 's/&gt;/>/' -e 's/&amp;/&/' -e 's/&quot/"/' -e "s/&apos;/'/" > /etc/ssh/ssh_host_rsa_key
    		MYCONT=`cat /etc/ssh/ssh_host_rsa_key`
	done
        egrep  -i "^ssh_keys:" /etc/group >/dev/null 2>&1 && chown root:ssh_keys /etc/ssh/ssh_host_rsa_key 2>/dev/null && chmod 640 /etc/ssh/ssh_host_rsa_key
	if ! grep "PRIVATE KEY" /etc/ssh/ssh_host_rsa_key > /dev/null 2>&1 ; then
   		rm /etc/ssh/ssh_host_rsa_key
	else
		ssh-keygen -y -f /etc/ssh/ssh_host_rsa_key -P "" > /etc/ssh/ssh_host_rsa_key.pub
                chmod 644 /etc/ssh/ssh_host_rsa_key.pub
                chown root /etc/ssh/ssh_host_rsa_key.pub
	fi
else
	#This is an error message
	ERR_MSG=`sed -n 's%.*<error>\(.*\)</error>.*%\1%p' /tmp/ssh_rsa_hostkey`
	logger -s -t $log_label -p local4.err Error: $ERR_MSG
fi
rm /tmp/ssh_rsa_hostkey

# if node supports ecdsa host key then download the replacement from the MN/SN
# remove the /tmp/ecdsa_key first, otherwise the "ssh-keygen" below might hang
# at waiting for user confirmation to overwritten the existing file
rm -rf /tmp/ecdsa_key >/dev/null 2>&1
if ssh-keygen -t ecdsa -f /tmp/ecdsa_key -P "" &>/dev/null ; then
  # download the host ecdsa key
  if [ $useflowcontrol = "1" ]; then
    #first contact daemon  xcatflowrequest <server> 3001
    logger -t $log_label -p local4.info "remoteshell: sending xcatflowrequest $master 3001"
    /$xcatpost/xcatflowrequest $master 3001
    rc=$?
    logger -t $log_label -p local4.info "remoteshell:xcatflowrequest return=$rc"
    if [ $rc -ne 0 ]; then
      logger -t $log_label -p local4.info "remoteshell: error from xcatflowrequest, will not use flow control"
      useflowcontrol=0
    fi
  fi

  getcredentials.awk ssh_ecdsa_hostkey | grep -E -v '</{0,1}xcatresponse>|</{0,1}serverdone>' | sed -e 's/&lt;/</' -e 's/&gt;/>/' -e 's/&amp;/&/' -e 's/&quot/"/' -e "s/&apos;/'/" > /tmp/ssh_ecdsa_hostkey

  #check whether the message is an error or not
  grep -E '<error>' /tmp/ssh_ecdsa_hostkey > /dev/null 2>&1
  if [ $? -ne 0 ]; then
	#the message received is the data we request
	cat /tmp/ssh_ecdsa_hostkey | grep -E -v '</{0,1}errorcode>|/{0,1}data>|</{0,1}content>|</{0,1}desc>' >/etc/ssh/ssh_host_ecdsa_key
	logger -t $log_label -p local4.info ssh_ecdsa_hostkey
	MYCONT=`cat /etc/ssh/ssh_host_ecdsa_key`
   MAX_RETRIES=10
   RETRY=0
	while [ -z "$MYCONT" ]; do
              # not using flow control , need to sleep
              if [ $useflowcontrol = "0" ]; then
                let SLI=$RANDOM%10
                let SLI=SLI+10
                sleep $SLI
              fi
                RETRY=$(($RETRY+1))
                if [ $RETRY -eq $MAX_RETRIES ]
                then
                  break
                fi
                if [ $useflowcontrol = "1" ]; then
                  #first contact daemon  xcatflowrequest <server> 3001
                  logger -t $log_label -p local4.info "remoteshell: sending xcatflowrequest $master 3001"
                  /$xcatpost/xcatflowrequest $master 3001
                  rc=$?
                  logger -t $log_label -p local4.info "remoteshell:xcatflowrequest return=$rc"
                  if [ $rc -ne 0 ]; then
                      logger -t $log_label -p local4.info "remoteshell: error from xcatflowrequest, will not use flow control"
                      useflowcontrol=0
                  fi
                fi

    		getcredentials.awk ssh_ecdsa_hostkey | grep -v '<'|sed -e 's/&lt;/</' -e 's/&gt;/>/' -e 's/&amp;/&/' -e 's/&quot/"/' -e "s/&apos;/'/" > /etc/ssh/ssh_host_ecdsa_key
    		MYCONT=`cat /etc/ssh/ssh_host_ecdsa_key`
	done
	egrep  -i "^ssh_keys:" /etc/group >/dev/null 2>&1 && chown root:ssh_keys /etc/ssh/ssh_host_ecdsa_key 2>/dev/null && chmod 640 /etc/ssh/ssh_host_ecdsa_key
	if ! grep "PRIVATE KEY" /etc/ssh/ssh_host_ecdsa_key > /dev/null 2>&1 ; then
   		rm /etc/ssh/ssh_host_ecdsa_key
	else
		# Because of openssh version differs, provisioning errors may happen when MN support ecdsa while CN don't ecdsa.
		# Judge CN support ecdsa or not. "-t ecdsa" indicate the key type, "-P "" " avoid hang-on and wait for input passphrase when CN don't support ecdsa.
		# If ture, means support ecdsa, then generate corresponding key.pub.
		# If false, remove ssh_host_ecdsa_key useless file, to avoid future errors.
		if ssh-keygen -t ecdsa -y -f /etc/ssh/ssh_host_ecdsa_key -P "" &>/dev/null ; then
			ssh-keygen -y -f /etc/ssh/ssh_host_ecdsa_key -P "" > /etc/ssh/ssh_host_ecdsa_key.pub
			chmod 644 /etc/ssh/ssh_host_ecdsa_key.pub
			chown root /etc/ssh/ssh_host_ecdsa_key.pub
		else
			rm -fr /etc/ssh/ssh_host_ecdsa_key
		fi
	fi
  else
	#This is an error message
	ERR_MSG=`sed -n 's%.*<error>\(.*\)</error>.*%\1%p' /tmp/ssh_ecdsa_hostkey`
	logger -s -t $log_label -p local4.err Error: $ERR_MSG
  fi
  rm /tmp/ssh_ecdsa_hostkey
fi

# if node supports ed25519 host key then download the replacement from the MN/SN
# remove the /tmp/ed25519_key first, otherwise the "ssh-keygen" below might hang
# at waiting for user confirmation to overwritten the existing file
rm -rf /tmp/ed25519_key >/dev/null 2>&1
if ssh-keygen -t ed25519 -f /tmp/ed25519_key -P "" &>/dev/null ; then
  # download the host ed25519 key
  if [ $useflowcontrol = "1" ]; then
    #first contact daemon  xcatflowrequest <server> 3001
    logger -t $log_label -p local4.info "remoteshell: sending xcatflowrequest $master 3001"
    /$xcatpost/xcatflowrequest $master 3001
    rc=$?
    logger -t $log_label -p local4.info "remoteshell:xcatflowrequest return=$rc"
    if [ $rc -ne 0 ]; then
      logger -t $log_label -p local4.info "remoteshell: error from xcatflowrequest, will not use flow control"
      useflowcontrol=0
    fi
  fi

  getcredentials.awk ssh_ed25519_hostkey | grep -E -v '</{0,1}xcatresponse>|</{0,1}serverdone>' | sed -e 's/&lt;/</' -e 's/&gt;/>/' -e 's/&amp;/&/' -e 's/&quot/"/' -e "s/&apos;/'/" > /tmp/ssh_ed25519_hostkey

  #check whether the message is an error or not
  grep -E '<error>' /tmp/ssh_ed25519_hostkey > /dev/null 2>&1
  if [ $? -ne 0 ]; then
	#the message received is the data we request
	cat /tmp/ssh_ed25519_hostkey | grep -E -v '</{0,1}errorcode>|/{0,1}data>|</{0,1}content>|</{0,1}desc>' >/etc/ssh/ssh_host_ed25519_key
	logger -t $log_label -p local4.info ssh_ed25519_hostkey
	MYCONT=`cat /etc/ssh/ssh_host_ed25519_key`
   MAX_RETRIES=10
   RETRY=0
	while [ -z "$MYCONT" ]; do
              # not using flow control , need to sleep
              if [ $useflowcontrol = "0" ]; then
                let SLI=$RANDOM%10
                let SLI=SLI+10
                sleep $SLI
              fi
                RETRY=$(($RETRY+1))
                if [ $RETRY -eq $MAX_RETRIES ]
                then
                  break
                fi
                if [ $useflowcontrol = "1" ]; then
                  #first contact daemon  xcatflowrequest <server> 3001
                  logger -t $log_label -p local4.info "remoteshell: sending xcatflowrequest $master 3001"
                  /$xcatpost/xcatflowrequest $master 3001
                  rc=$?
                  logger -t $log_label -p local4.info "remoteshell:xcatflowrequest return=$rc"
                  if [ $rc -ne 0 ]; then
                      logger -t $log_label -p local4.info "remoteshell: error from xcatflowrequest, will not use flow control"
                      useflowcontrol=0
                  fi
                fi

    		getcredentials.awk ssh_ed25519_hostkey | grep -v '<'|sed -e 's/&lt;/</' -e 's/&gt;/>/' -e 's/&amp;/&/' -e 's/&quot/"/' -e "s/&apos;/'/" > /etc/ssh/ssh_host_ed25519_key
    		MYCONT=`cat /etc/ssh/ssh_host_ed25519_key`
	done
	egrep  -i "^ssh_keys:" /etc/group >/dev/null 2>&1 && chown root:ssh_keys /etc/ssh/ssh_host_ed25519_key 2>/dev/null && chmod 640 /etc/ssh/ssh_host_ed25519_key
	if ! grep "PRIVATE KEY" /etc/ssh/ssh_host_ed25519_key > /dev/null 2>&1 ; then
   		rm /etc/ssh/ssh_host_ed25519_key
	else
		# Because of openssh version differs, provisioning errors may happen when MN support ed25519 while CN don't ed25519.
		# Judge CN support ed25519 or not. "-t ed25519" indicate the key type, "-P "" " avoid hang-on and wait for input passphrase when CN don't support ed25519.
		# If ture, means support ed25519, then generate corresponding key.pub.
		# If false, remove ssh_host_ed25519_key useless file, to avoid future errors.
		if ssh-keygen -t ed25519 -y -f /etc/ssh/ssh_host_ed25519_key -P "" &>/dev/null ; then
			ssh-keygen -y -f /etc/ssh/ssh_host_ed25519_key -P "" > /etc/ssh/ssh_host_ed25519_key.pub
			chmod 644 /etc/ssh/ssh_host_ed25519_key.pub
			chown root /etc/ssh/ssh_host_ed25519_key.pub
		else
			rm -fr /etc/ssh/ssh_host_ed25519_key
		fi
	fi
  else
	#This is an error message
	ERR_MSG=`sed -n 's%.*<error>\(.*\)</error>.*%\1%p' /tmp/ssh_ed25519_hostkey`
	logger -s -t $log_label -p local4.err Error: $ERR_MSG
  fi
  rm /tmp/ssh_ed25519_hostkey
fi

if [[ $NTYPE = service ]]; then
   mkdir -p /etc/xcat/hostkeys
   cp /etc/ssh/ssh* /etc/xcat/hostkeys/.
fi


# This is where we start getting root ssh keys
# This tells credentials.pm where to get the root .ssh keys.  If no zone then old path of ~.ssh
#rootsshpvtkey=ssh_root_key:$zonename
mkdir -p /root/.ssh/
# this is for obtaining non-zone keys
rootsshpvtkey=ssh_root_key
rootsshpubkey=ssh_root_pub_key
if [ $ZONENAME ];
then
# This tells credentials.pm where to get the root .ssh keys.  If no zone then old path of ~/.ssh
  zonename=$ZONENAME
  rootsshpvtkey=ssh_root_key:$zonename
  rootsshpubkey=ssh_root_pub_key:$zonename
  logger -t $log_label -p local4.info "remoteshell: gathering root ssh keys for $zonename"

fi

# always get  the id_rsa.pub key for the node and put in authorized_keys
if [ $useflowcontrol = "1" ]; then
  #first contact daemon  xcatflowrequest <server> 3001
  logger -t $log_label -p local4.info "remoteshell: sending xcatflowrequest $master 3001"
  /$xcatpost/xcatflowrequest $master 3001
  rc=$?
  logger -t $log_label -p local4.info "remoteshell:xcatflowrequest return=$rc"
  if [ $rc -ne 0 ]; then
    logger -t $log_label -p local4.info "remoteshell: error from xcatflowrequest, will not use flow control"
    useflowcontrol=0
  fi
fi

  getcredentials.awk $rootsshpubkey  | grep -E -v '</{0,1}xcatresponse>|</{0,1}serverdone>'|sed -e 's/&lt;/</' -e 's/&gt;/>/' -e 's/&amp;/&/' -e 's/&quot/"/' -e "s/&apos;/'/" > /tmp/ssh_root_pub_key

  logger -t $log_label -p local4.info "remoteshell: gathering $rootsshpubkey "
  #check whether the message is an error or not
  grep -E '<error>' /tmp/ssh_root_pub_key
if [ $? -ne 0 ]; then
	#The message contains the data we request
	cat /tmp/ssh_root_pub_key | grep -E -v '</{0,1}errorcode>|</{0,1}data>|</{0,1}content>|</{0,1}desc>' > /root/.ssh/id_rsa.pub
        # no add to authorized_keys, so the node can ssh to itself
	cat /tmp/ssh_root_pub_key | grep -E -v '</{0,1}errorcode>|</{0,1}data>|</{0,1}content>|</{0,1}desc>' >> /root/.ssh/authorized_keys
	logger -t $log_label -p local4.info ssh_root_pub_key
	MYCONT=`cat /root/.ssh/id_rsa.pub`
   MAX_RETRIES=10
   RETRY=0
	while [ -z "$MYCONT" ]; do
                if [ $useflowcontrol = "0" ]; then
                 let SLI=$RANDOM%10
                 let SLI=SLI+10
                 sleep $SLI
                fi
                RETRY=$(($RETRY+1))
                if [ $RETRY -eq $MAX_RETRIES ]
                then
                  break
                fi
                if [ $useflowcontrol = "1" ]; then
                  #first contact daemon  xcatflowrequest <server> 3001
                  logger -t $log_label -p local4.info "remoteshell: sending xcatflowrequest $master 3001"
                  /$xcatpost/xcatflowrequest $master 3001
                  rc=$?
                  logger -t $log_label -p local4.info "remoteshell:xcatflowrequest return=$rc"
                  if [ $rc -ne 0 ]; then
                     logger -t $log_label -p local4.info "remoteshell: error from xcatflowrequest, will not use flow control"
                     useflowcontrol=0
                  fi
                fi
		          getcredentials.awk $rootsshpubkey | grep -v '<'|sed -e 's/&lt;/</' -e 's/&gt;/>/' -e 's/&amp;/&/' -e 's/&quot/"/' -e "s/&apos;/'/" > /root/.ssh/id_rsa.pub
		          getcredentials.awk $rootsshpubkey | grep -v '<'|sed -e 's/&lt;/</' -e 's/&gt;/>/' -e 's/&amp;/&/' -e 's/&quot/"/' -e "s/&apos;/'/" >> /root/.ssh/authorized_keys
		          MYCONT=`cat /root/.ssh/id_rsa.pub`
	done
else
	#This is an error message
	ERR_MSG=`sed -n 's%.*<error>\(.*\)</error>.*%\1%p' /tmp/ssh_root_pub_key`
	logger -t $log_label -p local4.err $rootsshpubkey Error: $ERR_MSG
fi
rm /tmp/ssh_root_pub_key

# if sshbetweennodes is enabled then we get id_rsa ( private key)
if [ $ENABLESSHBETWEENNODES = "YES" ];  # want nodes to be able to ssh to each other without password
then
 logger -t $log_label -p local4.info "remoteshell:sshbetweennodes is yes"
 if [ $useflowcontrol = "1" ]; then
  #first contact daemon  xcatflowrequest <server> 3001
  logger -t $log_label -p local4.info "remoteshell: sending xcatflowrequest $master 3001"
  /$xcatpost/xcatflowrequest $master 3001
  rc=$?
  logger -t $log_label -p local4.info "remoteshell:xcatflowrequest return=$rc"
  if [ $rc -ne 0 ]; then
    logger -t $log_label -p local4.info "remoteshell: error from xcatflowrequest, will not use flow control"
    useflowcontrol=0
  fi
 fi
  getcredentials.awk $rootsshpvtkey | grep -E -v '</{0,1}xcatresponse>|</{0,1}serverdone>'|sed -e 's/&lt;/</' -e 's/&gt;/>/' -e 's/&amp;/&/' -e 's/&quot/"/' -e "s/&apos;/'/" > /tmp/ssh_root_key

  logger -t $log_label -p local4.info "remoteshell: gathering $rootsshpvtkey "
  #check whether the message is an error or not
  grep -E '<error>' /tmp/ssh_root_key
  if [ $? -ne 0 ]; then
	#The message contains the data we request
        cat /tmp/ssh_root_key | grep -E -v '</{0,1}errorcode>|/{0,1}data>|</{0,1}content>|</{0,1}desc>' > /root/.ssh/id_rsa
	logger -t $log_label -p local4.info ssh_root_key
	MYCONT=`cat /root/.ssh/id_rsa`
   MAX_RETRIES=10
   RETRY=0
	while [ -z "$MYCONT" ]; do
                if [ $useflowcontrol = "0" ]; then
                 let SLI=$RANDOM%10
                 let SLI=SLI+10
                 sleep $SLI
                fi
                RETRY=$(($RETRY+1))
                if [ $RETRY -eq $MAX_RETRIES ]
                then
                  break
                fi
                if [ $useflowcontrol = "1" ]; then
                  #first contact daemon  xcatflowrequest <server> 3001
                  logger -t $log_label -p local4.info "remoteshell: sending xcatflowrequest $master 3001"
                  /$xcatpost/xcatflowrequest $master 3001
                  rc=$?
                  logger -t $log_label -p local4.info "remoteshell:xcatflowrequest return=$rc"
                  if [ $rc -ne 0 ]; then
                     logger -t $log_label -p local4.info "remoteshell: error from xcatflowrequest, will not use flow control"
                     useflowcontrol=0
                  fi
                fi
		          getcredentials.awk $rootsshpvtkey | grep -v '<'|sed -e 's/&lt;/</' -e 's/&gt;/>/' -e 's/&amp;/&/' -e 's/&quot/"/' -e "s/&apos;/'/" > /root/.ssh/id_rsa
		          MYCONT=`cat /root/.ssh/id_rsa`
	done
  else
	#This is an error message
	ERR_MSG=`sed -n 's%.*<error>\(.*\)</error>.*%\1%p' /tmp/ssh_root_key`
	logger -t $log_label -p local4.err $rootsshpvtkey Error: $ERR_MSG
  fi
  rm /tmp/ssh_root_key

  if ! grep "PRIVATE KEY" /root/.ssh/id_rsa > /dev/null 2>&1 ; then
     rm /root/.ssh/id_rsa
  fi
  # if public key does not exist then generate one from the private key
  if [ ! -f /root/.ssh/id_rsa.pub ]; then
    if [ -r /root/.ssh/id_rsa ]; then
     ssh-keygen -y -f /root/.ssh/id_rsa -P "" > /root/.ssh/id_rsa.pub
     logger -t $log_label -p local4.err  remoteshell:transfer of the id_rsa.pub key failed. Had to generate a public key.
    fi
  fi
fi

# if secureroot is enabled then we get root password hash, not for updatenode
if [ "x$SECUREROOT" = "x1" ] && [ "x$UPDATENODE" != "x1" ]; then
  logger -t $log_label -p local4.info "remoteshell: secure root is enabled"
  if [ $useflowcontrol = "1" ]; then
    logger -t $log_label -p local4.info "remoteshell: sending xcatflowrequest $master 3001"
    /$xcatpost/xcatflowrequest $master 3001
    rc=$?
    if [ $rc -ne 0 ]; then
      logger -t $log_label -p local4.info "remoteshell: error from xcatflowrequest (rc=$rc), will not use flow control"
      useflowcontrol=0
    fi
  fi
  getcredentials.awk xcat_secure_pw:root | grep -E -v '</{0,1}xcatresponse>|</{0,1}serverdone>'|sed -e 's/&lt;/</' -e 's/&gt;/>/' -e 's/&amp;/&/' -e 's/&quot/"/' -e "s/&apos;/'/" > /tmp/secure_root_hash

  logger -t $log_label -p local4.info "remoteshell: gathering password hash for root"
  #check whether the message is an error or not
  grep -E '<error>' /tmp/secure_root_hash > /dev/null
  if [ $? -ne 0 ]; then
	#The message contains the data we request
    rootpwhash=`cat /tmp/secure_root_hash | grep -E '</{0,1}content>' | sed -n 's%.*<content>\(.*\)</content>.*%\1%p'`

    MAX_RETRIES=10
    RETRY=0
    while [ -z "$rootpwhash" ]; do
      if [ $useflowcontrol = "0" ]; then
        let SLI=$RANDOM%10
        let SLI=SLI+10
        sleep $SLI
      fi
      RETRY=$(($RETRY+1))
      if [ $RETRY -eq $MAX_RETRIES ]; then
        ERR_MSG="Too many retries"
        break
      fi
      if [ $useflowcontrol = "1" ]; then
        #first contact daemon  xcatflowrequest <server> 3001
        logger -t $log_label -p local4.info "remoteshell: sending xcatflowrequest $master 3001"
        /$xcatpost/xcatflowrequest $master 3001
        rc=$?
        if [ $rc -ne 0 ]; then
          logger -t $log_label -p local4.info "remoteshell: error from xcatflowrequest (rc=$rc), will not use flow control"
          useflowcontrol=0
        fi
      fi
      getcredentials.awk xcat_secure_pw:root | grep -E -v '</{0,1}xcatresponse>|</{0,1}serverdone>'|sed -e 's/&lt;/</' -e 's/&gt;/>/' -e 's/&amp;/&/' -e 's/&quot/"/' -e "s/&apos;/'/" > /tmp/secure_root_hash
      grep -E '<error>' /tmp/secure_root_hash > /dev/null
      if [ $? -ne 0 ]; then
        rootpwhash=`cat /tmp/secure_root_hash | grep -E '</{0,1}content>' | sed -n 's%.*<content>\(.*\)</content>.*%\1%p'`
      else
        ERR_MSG=`sed -n 's%.*<error>\(.*\)</error>.*%\1%p' /tmp/secure_root_hash`
        break
      fi
	done
    if [ -n "$rootpwhash" ]; then
      #updat shadow
      usermod -p "$rootpwhash" root
    fi
  else
	#This is an error message
	ERR_MSG=`sed -n 's%.*<error>\(.*\)</error>.*%\1%p' /tmp/secure_root_hash`
  fi
  rm /tmp/secure_root_hash
  if [ "x" != "x$ERR_MSG" ]; then
    logger -t $log_label -p local4.err "Failed to acquire secure root password: $ERR_MSG"
  fi
fi

# start up the sshd for syncfiles postscript to do the sync work
logger -t $log_label -p local4.info "start up sshd"
if [[ $OSVER == ubuntu* || $OSVER == debian* ]]
then
    if [ ! -d /var/run/sshd ];then
        #"/var/run/sshd":
        #Contains the process ID of the sshd listening for connections
        #(if there are several daemons running concurrently for different ports,
        #this contains the process ID of the one started last).
        #The content of this file is not sensitive; it can be world-read-able.
        #prepare the "/var/run/sshd" for ubuntu
        mkdir /var/run/sshd
        chmod 0755 /var/run/sshd
    fi
    #service ssh restart
    restartservice ssh
else
    #service sshd restart
    # sshd is not enabled on SLES 12 by default
    # does not hurt anything to re-enable if it is enabled already
    # and disable enable service for diskless and statelite
    if [[ "$NODESETSTATE" != netboot && "$NODESETSTATE" != statelite ]]; then
        enableservice sshd
    fi
    restartservice sshd
fi
#if the service restart with "service/systemctl" failed
#try to kill the process and start
if [ "$?" != "0" ];then
   PIDLIST=`ps aux | grep -v grep | grep "/usr/sbin/sshd"|awk -F" " '{print $2}'|xargs`
   [ -n "$PIDLIST" ] && kill 9 $PIDLIST
   /usr/sbin/sshd
fi
kill -9 $CREDPID
