security/openssh-portable line # 82 of rc.d/openssh generates
DSA not ECDSA
Robert Simmons
rsimmons0 at gmail.com
Sun Jun 24 18:38:55 UTC 2012
On Sun, Jun 24, 2012 at 2:24 PM, J. Hellenthal <jhellenthal at dataix.net> wrote:
> On Sun, Jun 24, 2012 at 01:46:20PM -0400, Robert Simmons wrote:
>> On Sun, Jun 24, 2012 at 1:17 PM, J. Hellenthal <jhellenthal at dataix.net> wrote:
>> >
>> > As stated in the subject
>> >
>> > if [ -f /usr/local/etc/ssh/ssh_host_ecdsa_key ]; then
>> > echo "You already have a Elliptic Curve DSA host key" \
>> > "in /usr/local/etc/ssh/ssh_host_ecdsa_key"
>> > echo "Skipping protocol version 2 Elliptic Curve DSA Key Generation"
>> > else
>> > /usr/local/bin/ssh-keygen -t dsa \
>> > -f /usr/local/etc/ssh/ssh_host_ecdsa_key -N ''
>> > fi
>> >
>> >
>> > Specifically "/usr/local/bin/ssh-keygen -t dsa" needs to be changed to
>> > "-t ecdsa" to be correct. Otherwise we are just reimplementing a DSA key
>> > in a different file.
>>
>> Good eye. I'm in the process of updating that port to 6.0p1. There
>> are quite a lot of local patches that are part of the port. At the
>> moment I'm muddling through what they do and whether they can be
>> removed or not. I didn't even notice this problem.
>>
>> I've attached a pair of patches that correct this problem. Open a PR
>> about this, and you can attach these patches to it. I'm not the
>> maintainer nor do I have commit privileges, but if you open a PR, I'm
>> sure someone will make the change.
>
> Should have also said the changes were already committed.
I also want to see what can be pushed upstream. I understand that the
OpenBSD/OpenSSH people are touchy about outside patches, but I think
they should at least accept a patch to configure so that FreeBSD's
native openpty() is detected properly.
More information about the freebsd-ports
mailing list