difference in sshd protocol options

David Mehler dave.mehler at gmail.com
Wed Apr 8 14:27:41 UTC 2020

Hello Per Hedeland

Thanks. If I'm understanding right the key type ssh-rsa is what is
needed when an ssh key is generated with ssh-keygen -t rsa?


On 4/8/20, Per Hedeland <per at hedeland.org> wrote:
> On 2020-04-08 07:59, David Mehler wrote:
>> Hello,
>> I just went through an interesting go tonight getting an android file
>> manager to connect via sftp to my FreeBSD 12.1 sshd server. I've got
>> two questions. Referring to the sshd_config man page the
>> HostKeyAlgorithms option and the PubkeyAcceptedKeyTypes options is
>> there a difference between the options (both of which appear in the
>> default) ssh-rsa and ssh-rsa-cert-v01@openssh.com?
> Yes, see e.g.
> https://github.com/openssh/openssh-portable/blob/master/PROTOCOL.certkeys
> - ssh-rsa uses just a "raw" key, while ssh-rsa-cert-v01@openssh.com
> uses a certificate (OpenSSH-specific design, a simpler variant than
> the common x.509 style), i.e. basically a key signed with some other
> trusted (CA) key. The certificate allows for specifying CA keys
> instead of individual host and user keys in ~/.ssh/known_hosts and
> ~/.ssh/authorized_keys, respectively.
> --Per Hedeland
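
The difference between the two key types discussed in this thread, as an added example that is not part of the original messages or of OpenSSH: a small Python decoder for both key blobs, with the certificate field order taken from the PROTOCOL.certkeys document linked above. The helper names (s, mp, Reader, describe) are hypothetical, the sample blobs are constructed with toy numbers and a placeholder signature, and the decoder does not verify the CA signature.

```python
import struct

CERT = "ssh-rsa-cert-v01@openssh.com"

def s(b):                      # SSH "string": uint32 length + bytes
    return struct.pack(">I", len(b)) + b

def mp(n):                     # SSH "mpint": big-endian, leading zero keeps it positive
    return s(n.to_bytes(n.bit_length() // 8 + 1, "big"))

class Reader:
    def __init__(self, data):
        self.data, self.pos = data, 0
    def take(self, n):
        if self.pos + n > len(self.data):
            raise ValueError("truncated key blob")
        self.pos += n
        return self.data[self.pos - n:self.pos]
    def u32(self): return struct.unpack(">I", self.take(4))[0]
    def u64(self): return struct.unpack(">Q", self.take(8))[0]
    def string(self): return self.take(self.u32())
    def mpint(self): return int.from_bytes(self.string(), "big")

def describe(blob):
    """Decode a key blob (the base64-decoded middle field of a .pub line)."""
    r = Reader(blob)
    kind = r.string().decode()
    if kind == "ssh-rsa":                       # raw key: only e and n
        return {"type": kind, "e": r.mpint(), "n": r.mpint()}
    if kind != CERT:
        raise ValueError("unhandled key type: " + kind)
    r.string()                                  # nonce
    out = {"type": kind, "e": r.mpint(), "n": r.mpint(), "serial": r.u64()}
    out["role"] = {1: "user", 2: "host"}[r.u32()]
    out["key_id"] = r.string().decode()
    names, out["principals"] = Reader(r.string()), []
    while names.pos < len(names.data):
        out["principals"].append(names.string().decode())
    out["valid_after"], out["valid_before"] = r.u64(), r.u64()
    r.string(); r.string(); r.string()          # critical options, extensions, reserved
    out["ca_key_type"] = Reader(r.string()).string().decode()
    out["signature_len"] = len(r.string())      # CA signature over all fields above
    return out

# Constructed sample blobs: toy numbers and a placeholder signature, not real keys.
E, N, CA_N = 65537, 0xC0FFEE11, 0xBADC0DE5
RAW_KEY = s(b"ssh-rsa") + mp(E) + mp(N)
HOST_CERT = (s(CERT.encode()) + s(b"\x00" * 16) + mp(E) + mp(N)
             + struct.pack(">QI", 1, 2) + s(b"example-host-key")
             + s(s(b"host.example.org")) + struct.pack(">QQ", 0, 2**64 - 1)
             + s(b"") + s(b"") + s(b"")
             + s(s(b"ssh-rsa") + mp(E) + mp(CA_N)) + s(b"\x00" * 8))
```

Both blobs carry the same RSA public key (e, n); the certificate adds the identity, validity window and CA signature that let a client or server trust one CA key instead of listing each individual key.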

