Add rc.conf variables to control host key length
Bjoern A. Zeeb
bzeeb-lists at lists.zabbadoz.net
Mon Jun 25 01:46:06 UTC 2012
On 24. Jun 2012, at 17:14 , Robert Simmons wrote:
> On Sun, Jun 24, 2012 at 12:34 PM, Bjoern A. Zeeb
> <bzeeb-lists at lists.zabbadoz.net> wrote:
>> On 24. Jun 2012, at 16:07 , Robert Simmons wrote:
>>> Here is a set of patches that add functionality to rc.conf allowing
>>> users an easy way to control the length of the host keys used with ssh
>>> (specifically RSA and ECDSA used with protocol version 2).
>>
>> Created for, not used with -- right?
>
> Yes, created for. I have updated the patch to reflect this and
> attached the new patch. Good eye, thanks.
>
>> The used with is controlled in sshd_config and if the key is not there
>> but it's enabled in sshd_config you'll get a warning on boot which is
>> very annoying.
>
> No. Actually, "used with" is not controlled in sshd_config. Only the
> path to the key files is controlled by that config.
> The sshd_flags variable in rc.conf is what controls "used with". For
> example, on my installs, I only want to use the ECDSA key and not
> present any other protocol v2 keys to clients, thereby restricting it
> to ECDSA. The only way to go about this is to set the following:
> sshd_flags="-h /etc/ssh/ssh_host_ecdsa_key"
> Take a look at sshd(8), specifically the -h option for clarification.
Aha, multiple options to accomplish the same thing.
HostKey /etc/ssh/ssh_host_ecdsa_key
in sshd_config should accomplish the same, shouldn't it? I'd really
prefer that to a command line option.
/bz
--
Bjoern A. Zeeb You have to have visions!
It does not matter how good you are. It matters what good you do!
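Both ways of pinning the server to one host key discussed above (sshd_flags="-h ..." in rc.conf, or a HostKey line in sshd_config) share the failure mode Bjoern mentions: a configured key file that was never generated makes sshd warn at start-up. The following POSIX sh preflight check is an added example, not code from this thread or from the FreeBSD rc.d scripts: it reads the HostKey lines of an sshd_config, falls back to the protocol 2 default paths listed in sshd(8) when none are set (those default paths and the parsing are assumptions of this example), and reports any key file that does not exist.

```shell
#!/bin/sh
# Added example (not from the thread or the FreeBSD rc.d scripts): a preflight
# check that lists the host keys an sshd_config will load and flags any whose
# file is missing, so the "key not found" warning at boot is caught beforehand.

# Protocol 2 host keys sshd falls back to when sshd_config has no HostKey line
# (the defaults listed in sshd(8) at the time of the thread; assumed here).
DEFAULT_HOST_KEYS="/etc/ssh/ssh_host_rsa_key /etc/ssh/ssh_host_ecdsa_key /etc/ssh/ssh_host_dsa_key"

# Print the HostKey paths named in $1, one per line.  Commented-out lines
# (as shipped in the stock sshd_config) are ignored because their first field
# is "#HostKey", not "HostKey".  With no HostKey line, print the defaults.
effective_host_keys() {
    keys=$(awk 'tolower($1) == "hostkey" { print $2 }' "$1")
    [ -n "$keys" ] || keys=$DEFAULT_HOST_KEYS
    for k in $keys; do
        printf '%s\n' "$k"
    done
}

# Print the subset of effective host keys whose file does not exist.
missing_host_keys() {
    for k in $(effective_host_keys "$1"); do
        [ -f "$k" ] || printf '%s\n' "$k"
    done
}

# Return 0 when every effective host key is present, 1 otherwise.
check_host_keys() {
    missing=$(missing_host_keys "$1")
    if [ -n "$missing" ]; then
        printf 'missing host key file(s):\n%s\n' "$missing" >&2
        return 1
    fi
    return 0
}

# Stand-alone demo on constructed files: an sshd_config pinned to the ECDSA key
# only (the setup described in the thread), once with the key file present and
# once with an extra HostKey line pointing at a key that was never generated.
if [ "${1:-}" = "--demo" ]; then
    d=$(mktemp -d)
    printf 'HostKey %s/ssh_host_ecdsa_key\n' "$d" > "$d/sshd_config"
    : > "$d/ssh_host_ecdsa_key"          # placeholder standing in for a real key
    check_host_keys "$d/sshd_config" && echo "ok: only the ECDSA key is loaded"
    printf 'HostKey %s/ssh_host_rsa_key\n' "$d" >> "$d/sshd_config"
    check_host_keys "$d/sshd_config" || echo "sshd would warn at start-up"
    rm -rf "$d"
fi
```

Run it with `--demo` to see both outcomes on the constructed files, or point `check_host_keys` at the real /etc/ssh/sshd_config before restarting the service. On a live host, `sshd -T` (extended test mode) prints the effective configuration, including the hostkey lines, and is the authoritative way to confirm which keys the daemon will actually offer once command-line flags and the config file are combined.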