Re: Add rc.conf variables to control host key length
On Sun, Jun 24, 2012 at 9:46 PM, Bjoern A. Zeeb
<bzeeb-lists@lists.zabbadoz.net> wrote:
>
> On 24. Jun 2012, at 17:14 , Robert Simmons wrote:
>
>> On Sun, Jun 24, 2012 at 12:34 PM, Bjoern A. Zeeb
>> <bzeeb-lists@lists.zabbadoz.net> wrote:
>>> On 24. Jun 2012, at 16:07 , Robert Simmons wrote:
>>>> Here is a set of patches that add functionality to rc.conf allowing
>>>> users an easy way to control the length of the host keys used with ssh
>>>> (specifically RSA and ECDSA used with protocol version 2).
>>>
>>> Created for, not used with -- right?
>>
>> Yes, created for. =A0I have updated the patch to reflect this and
>> attached the new patch. =A0Good eye, thanks.
>>
>>> The used with is controlled in sshd_config and if the key is not there
>>> but it's enabled in sshd_config you'll get a warning on boot which is
>>> very annoying.
>>
>> No. =A0Actually, "used with" is not controlled in sshd_config. =A0Only t=
he
>> path to the key files is controlled by that config.
>> The sshd_flags variable in rc.conf is what controls "used with". =A0For
>> example, on my installs, I only want to use the ECDSA key and not
>> present any other protocol v2 keys to clients, thereby restricting it
>> to ECDSA. =A0The only way to go about this is to set the following:
>> sshd_flags=3D"-h /etc/ssh/ssh_host_ecdsa_key"
>> Take a look at sshd(8), specifically the -h option for clarification.
>
> Aha, multiple options to accomplish the same thing.
>
> HostKey /etc/ssh/ssh_host_ecdsa_key
>
> in sshd_config should accomplish the same, shouldn't it? =A0I'd really
> prefer that to a command line option.
No, you'll find that even with that being the only line uncommented,
your server will still present DSA and RSA keys to the clients that
can't understand ECDSA. The only way to restrict it is with the sshd
flag "-h". Go try it.
_______________________________________________
freebsd-security@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
討論串 (同標題文章)
完整討論串 (本文為第 14 之 15 篇):