Add rc.conf variables to control host key length

Bjoern A. Zeeb bzeeb-lists at lists.zabbadoz.net
Mon Jun 25 01:46:06 UTC 2012


On 24. Jun 2012, at 17:14 , Robert Simmons wrote:

> On Sun, Jun 24, 2012 at 12:34 PM, Bjoern A. Zeeb
> <bzeeb-lists at lists.zabbadoz.net> wrote:
>> On 24. Jun 2012, at 16:07 , Robert Simmons wrote:
>>> Here is a set of patches that add functionality to rc.conf allowing
>>> users an easy way to control the length of the host keys used with ssh
>>> (specifically RSA and ECDSA used with protocol version 2).
>> 
>> Created for, not used with -- right?
> 
> Yes, created for.  I have updated the patch to reflect this and
> attached the new patch.  Good eye, thanks.
> 
>> The used with is controlled in sshd_config and if the key is not there
>> but it's enabled in sshd_config you'll get a warning on boot which is
>> very annoying.
> 
> No.  Actually, "used with" is not controlled in sshd_config.  Only the
> path to the key files is controlled by that config.
> The sshd_flags variable in rc.conf is what controls "used with".  For
> example, on my installs, I only want to use the ECDSA key and not
> present any other protocol v2 keys to clients, thereby restricting it
> to ECDSA.  The only way to go about this is to set the following:
> sshd_flags="-h /etc/ssh/ssh_host_ecdsa_key"
> Take a look at sshd(8), specifically the -h option for clarification.

Aha, multiple options to accomplish the same thing.

HostKey /etc/ssh/ssh_host_ecdsa_key

in sshd_config should accomplish the same, shouldn't it?  I'd really
prefer that to a command line option.

/bz

-- 
Bjoern A. Zeeb                                 You have to have visions!
   It does not matter how good you are. It matters what good you do!



More information about the freebsd-security mailing list