Re: Add rc.conf variables to control host key length

Board: FB_security, posted 13 years ago (2012/06/25 10:32), edited, score 0 (0/0/0)
0 comments, 0 participants, message 14 of 15 in this thread
On Sun, Jun 24, 2012 at 9:46 PM, Bjoern A. Zeeb <bzeeb-lists@lists.zabbadoz.net> wrote:
>
> On 24. Jun 2012, at 17:14 , Robert Simmons wrote:
>
>> On Sun, Jun 24, 2012 at 12:34 PM, Bjoern A. Zeeb
>> <bzeeb-lists@lists.zabbadoz.net> wrote:
>>> On 24. Jun 2012, at 16:07 , Robert Simmons wrote:
>>>> Here is a set of patches that add functionality to rc.conf allowing
>>>> users an easy way to control the length of the host keys used with ssh
>>>> (specifically RSA and ECDSA used with protocol version 2).
>>>
>>> Created for, not used with -- right?
>>
>> Yes, created for.  I have updated the patch to reflect this and
>> attached the new patch.  Good eye, thanks.
>>
>>> The used with is controlled in sshd_config and if the key is not there
>>> but it's enabled in sshd_config you'll get a warning on boot which is
>>> very annoying.
>>
>> No.  Actually, "used with" is not controlled in sshd_config.  Only the
>> path to the key files is controlled by that config.
>> The sshd_flags variable in rc.conf is what controls "used with".  For
>> example, on my installs, I only want to use the ECDSA key and not
>> present any other protocol v2 keys to clients, thereby restricting it
>> to ECDSA.  The only way to go about this is to set the following:
>> sshd_flags="-h /etc/ssh/ssh_host_ecdsa_key"
>> Take a look at sshd(8), specifically the -h option for clarification.
>
> Aha, multiple options to accomplish the same thing.
>
> HostKey /etc/ssh/ssh_host_ecdsa_key
>
> in sshd_config should accomplish the same, shouldn't it?  I'd really
> prefer that to a command line option.

And vice versa. Let's say you only uncomment the line for RSA keys in
sshd_config. Your server will still present the ECDSA key to clients that
understand it.

_______________________________________________
freebsd-security@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
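Editor's note: the thread above argues about two ways of naming host keys, the `-h` flag passed through `sshd_flags` in rc.conf and `HostKey` lines in sshd_config. The script below is an added example, not code from the thread or from FreeBSD. It takes an sshd_config path and an `sshd_flags` string and prints the host key files sshd would load, so an administrator can see the result of either approach before rebooting and hitting the boot-time warning Bjoern mentions. The merge rule it implements is an assumption drawn from sshd(8) and sshd_config(5) as I read them: `-h` files and active `HostKey` lines are both collected, and the protocol-2 defaults (`ssh_host_rsa_key`, `ssh_host_dsa_key`, `ssh_host_ecdsa_key`, the list of that era) apply only when neither names a file. It does not follow `-f` to an alternate config and ignores `Match` blocks. The sample sshd_config contents are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (editor's, not from the thread or from FreeBSD): compute the
# set of host key files sshd would load from a given sshd_config plus an
# rc.conf sshd_flags value.
#
# Assumed merge rule (from sshd(8) and sshd_config(5) as read by the editor):
# files named with "-h" and active (uncommented) HostKey lines are both
# collected; the protocol-2 defaults apply only when neither names a file.
# Verify this against the sshd version actually installed.

DEFAULT_V2_KEYS="/etc/ssh/ssh_host_rsa_key /etc/ssh/ssh_host_dsa_key /etc/ssh/ssh_host_ecdsa_key"

# effective_host_keys CONFIG_PATH SSHD_FLAGS
# Prints one key path per line: -h keys first, then HostKey lines, deduplicated.
effective_host_keys() {
    config="$1"
    flags="$2"
    keys=""

    # Collect every "-h FILE" pair from sshd_flags (other flags are skipped).
    set -- $flags
    while [ $# -gt 0 ]; do
        if [ "$1" = "-h" ] && [ $# -ge 2 ]; then
            keys="$keys $2"
            shift 2
        else
            shift
        fi
    done

    # Active HostKey directives; "#HostKey" lines are comments and are skipped.
    keys="$keys $(awk '/^[ \t]*HostKey[ \t]/ { print $2 }' "$config")"

    # Deduplicate while preserving order and dropping empty entries.
    keys=$(printf '%s\n' $keys | awk 'NF && !seen[$0]++')

    if [ -z "$keys" ]; then
        printf '%s\n' $DEFAULT_V2_KEYS
    else
        printf '%s\n' "$keys"
    fi
}

# Demonstration on a constructed sshd_config covering the two situations
# discussed in the thread.
demo() {
    tmp=$(mktemp) || return 1
    cat > "$tmp" <<'EOF'
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
EOF
    echo "== only the ECDSA HostKey line active, sshd_flags empty =="
    effective_host_keys "$tmp" ""

    echo "== every HostKey line commented out, sshd_flags=\"-h /etc/ssh/ssh_host_ecdsa_key\" =="
    printf '#HostKey /etc/ssh/ssh_host_rsa_key\n' > "$tmp"
    effective_host_keys "$tmp" "-h /etc/ssh/ssh_host_ecdsa_key"

    echo "== every HostKey line commented out, sshd_flags empty (defaults) =="
    effective_host_keys "$tmp" ""
    rm -f "$tmp"
}
demo
```

Run it against the real `/etc/ssh/sshd_config` and the `sshd_flags` value from rc.conf to see the combined result; any path it prints that does not exist on disk is the one that will produce the boot-time warning.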
Article ID (AID): #1FvysYXi (FB_security)