Add rc.conf variables to control host key length
J. Hellenthal
jhellenthal at dataix.net
Mon Jun 25 16:14:51 UTC 2012
On Sun, Jun 24, 2012 at 10:10:33PM -0400, Robert Simmons wrote:
> On Sun, Jun 24, 2012 at 9:46 PM, Bjoern A. Zeeb
> <bzeeb-lists at lists.zabbadoz.net> wrote:
> >
> > On 24. Jun 2012, at 17:14 , Robert Simmons wrote:
> >
> >> On Sun, Jun 24, 2012 at 12:34 PM, Bjoern A. Zeeb
> >> <bzeeb-lists at lists.zabbadoz.net> wrote:
> >>> On 24. Jun 2012, at 16:07 , Robert Simmons wrote:
> >>>> Here is a set of patches that add functionality to rc.conf allowing
> >>>> users an easy way to control the length of the host keys used with ssh
> >>>> (specifically RSA and ECDSA used with protocol version 2).
> >>>
> >>> Created for, not used with -- right?
> >>
> >> Yes, created for. I have updated the patch to reflect this and
> >> attached the new patch. Good eye, thanks.
> >>
> >>> The used with is controlled in sshd_config and if the key is not there
> >>> but it's enabled in sshd_config you'll get a warning on boot which is
> >>> very annoying.
> >>
> >> No. Actually, "used with" is not controlled in sshd_config. Only the
> >> path to the key files is controlled by that config.
> >> The sshd_flags variable in rc.conf is what controls "used with". For
> >> example, on my installs, I only want to use the ECDSA key and not
> >> present any other protocol v2 keys to clients, thereby restricting it
> >> to ECDSA. The only way to go about this is to set the following:
> >> sshd_flags="-h /etc/ssh/ssh_host_ecdsa_key"
> >> Take a look at sshd(8), specifically the -h option for clarification.
> >
> > Aha, multiple options to accomplish the same thing.
> >
> > HostKey /etc/ssh/ssh_host_ecdsa_key
> >
> > in sshd_config should accomplish the same, shouldn't it? I'd really
> > prefer that to a command line option.
>
> And vice versa. Let's say you only uncomment the line for RSA keys in
> sshd_config. Your server will still present the ECDSA key to clients
> that understand it.
Try:
HostKey /usr/local/etc/ssh/ssh_host_rsa_key
HostKey /dev/null
HostKey none
--
- (2^(N-1))
More information about the freebsd-security
mailing list