difference in sshd protocol options

Per Hedeland per at hedeland.org
Wed Apr 8 09:31:18 UTC 2020

On 2020-04-08 07:59, David Mehler wrote:
> Hello,
> I just went through an interesting go tonight getting an android file
> manager to connect via sftp to my FreeBSD 12.1 sshd server. I've got
> two questions. Refering to the sshd_config man page the
> HostKeyAlgorithms option and the PubkeyAcceptedKeyTypes options is
> there a difference between the options (both of which appear in the
> default) ssh-rsa and ssh-rsa-cert-v01 at openssh.com?

Yes, see e.g.
- ssh-rsa uses just a "raw" key, while ssh-rsa-cert-v01 at openssh.com
uses a certificate (OpenSSH-specific design, a simpler variant than
the common x.509 style), i.e. basically a key signed with some other
trusted (CA) key. The certificate allows for specifiying CA keys
instead of individual host and user keys in ~/.ssh/known_hosts
~/.ssh/authorized_keys, respectively.

--Per Hedeland

More information about the freebsd-questions mailing list