Date: Mon, 25 Jun 2012 12:14:45 -0400
From: "J. Hellenthal" <jhellenthal@dataix.net>
To: Robert Simmons <rsimmons0@gmail.com>
Cc: "Bjoern A. Zeeb" <bzeeb-lists@lists.zabbadoz.net>, freebsd-security@freebsd.org
Subject: Re: Add rc.conf variables to control host key length
Message-ID: <20120625161445.GB85086@DataIX.net>
In-Reply-To: <CA+QLa9Ck1Fyg=oLcMFtZ_qYGP7MbyhFFOUJTzXjrGV6vrNhffQ@mail.gmail.com>
References: <CA+QLa9CX26xEwRsz3g6FvBBbbFE0Gfw+UR6_RHYOXgZFcgCw5w@mail.gmail.com> <4828EFCC-E60A-4961-9228-4A1ADAD28F73@lists.zabbadoz.net> <CA+QLa9DxE5D5ZeQ6M-FQGRySCGytQ=Qn2ZyNMYuCfSLGV1gdQw@mail.gmail.com> <90EAF0C3-C676-4C20-A981-86FC88BAC29D@lists.zabbadoz.net> <CA+QLa9Ck1Fyg=oLcMFtZ_qYGP7MbyhFFOUJTzXjrGV6vrNhffQ@mail.gmail.com>
On Sun, Jun 24, 2012 at 10:10:33PM -0400, Robert Simmons wrote:
> On Sun, Jun 24, 2012 at 9:46 PM, Bjoern A. Zeeb
> <bzeeb-lists@lists.zabbadoz.net> wrote:
> >
> > On 24. Jun 2012, at 17:14 , Robert Simmons wrote:
> >
> >> On Sun, Jun 24, 2012 at 12:34 PM, Bjoern A. Zeeb
> >> <bzeeb-lists@lists.zabbadoz.net> wrote:
> >>> On 24. Jun 2012, at 16:07 , Robert Simmons wrote:
> >>>> Here is a set of patches that add functionality to rc.conf allowing
> >>>> users an easy way to control the length of the host keys used with ssh
> >>>> (specifically RSA and ECDSA used with protocol version 2).
> >>>
> >>> Created for, not used with -- right?
> >>
> >> Yes, created for. I have updated the patch to reflect this and
> >> attached the new patch. Good eye, thanks.
> >>
> >>> The used with is controlled in sshd_config and if the key is not there
> >>> but it's enabled in sshd_config you'll get a warning on boot which is
> >>> very annoying.
> >>
> >> No. Actually, "used with" is not controlled in sshd_config. Only the
> >> path to the key files is controlled by that config.
> >> The sshd_flags variable in rc.conf is what controls "used with". For
> >> example, on my installs, I only want to use the ECDSA key and not
> >> present any other protocol v2 keys to clients, thereby restricting it
> >> to ECDSA. The only way to go about this is to set the following:
> >> sshd_flags="-h /etc/ssh/ssh_host_ecdsa_key"
> >> Take a look at sshd(8), specifically the -h option for clarification.
> >
> > Aha, multiple options to accomplish the same thing.
> >
> > HostKey /etc/ssh/ssh_host_ecdsa_key
> >
> > in sshd_config should accomplish the same, shouldn't it? I'd really
> > prefer that to a command line option.
>
> And vice versa. Let's say you only uncomment the line for RSA keys in
> sshd_config. Your server will still present the ECDSA key to clients
> that understand it.

Try:

HostKey /usr/local/etc/ssh/ssh_host_rsa_key
HostKey /dev/null
HostKey none

-- 
 - (2^(N-1))
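The thread turns on which host key files sshd is told to load, through HostKey lines in sshd_config or through -h arguments in rc.conf's sshd_flags. The following POSIX shell script is an added example, not part of the thread and not FreeBSD's own tooling: it lists the key paths named by both sources and checks that each named file exists and is not readable or writable by group or others. All file paths and file contents in it are constructed for the demonstration (the stand-in key files are not real keys); the script treats the two sources as additive and only reports, without modelling, the case where neither names a key and sshd falls back to its built-in default paths.

```shell
#!/bin/sh
# Added example: audit which host key files an sshd is configured to load.
# Sources checked: uncommented "HostKey <path>" lines in sshd_config and
# "-h <path>" arguments inside sshd_flags="..." in rc.conf.

# Print the key paths named by uncommented HostKey directives.
# sshd_config keywords are case-insensitive; "#HostKey" lines never match.
hostkeys_from_config() {
    awk 'tolower($1) == "hostkey" { print $2 }' "$1"
}

# Print the key paths passed as "-h <path>" inside sshd_flags="..." in an rc.conf.
hostkeys_from_rcconf() {
    sed -n 's/^sshd_flags="\([^"]*\)".*/\1/p' "$1" |
        awk '{ for (i = 1; i < NF; i++) if ($i == "-h") print $(i + 1) }'
}

# Classify one key path: "missing", "loose-perms" (any group/other read or
# write bit set; a private host key should be 0600 or stricter), or "ok".
check_key_file() {
    [ -f "$1" ] || { echo "missing"; return 0; }
    # POSIX find accepts symbolic modes with -perm; "-perm -g+r" means "group-read bit set".
    if [ -n "$(find "$1" \( -perm -g+r -o -perm -g+w -o -perm -o+r -o -perm -o+w \) -print)" ]; then
        echo "loose-perms"
    else
        echo "ok"
    fi
}

# Print "<path> <status>" for every key named by either source (assumed additive here),
# or "none-named" when neither source names a key and sshd would use its built-in defaults.
audit_hostkeys() {
    keys=$({ hostkeys_from_rcconf "$2"; hostkeys_from_config "$1"; } | sort -u)
    if [ -z "$keys" ]; then
        echo "none-named"
        return 0
    fi
    echo "$keys" | while read -r key; do
        printf '%s %s\n' "$key" "$(check_key_file "$key")"
    done
}

# Build constructed sample files in a temporary directory and print its path.
# The scenario mirrors the thread: only the RSA HostKey line is uncommented in
# sshd_config, while rc.conf passes the ECDSA key with -h.
make_sample() {
    d=$(mktemp -d)
    cat > "$d/sshd_config" <<EOF
# constructed sample sshd_config
#HostKey $d/ssh_host_dsa_key
HostKey $d/ssh_host_rsa_key
#HostKey $d/ssh_host_ecdsa_key
EOF
    printf 'sshd_enable="YES"\nsshd_flags="-h %s/ssh_host_ecdsa_key"\n' "$d" > "$d/rc.conf"
    # Stand-in key files (not real keys; real ones come from ssh-keygen(1)).
    printf 'stand-in\n' > "$d/ssh_host_rsa_key";   chmod 600 "$d/ssh_host_rsa_key"
    printf 'stand-in\n' > "$d/ssh_host_ecdsa_key"; chmod 644 "$d/ssh_host_ecdsa_key"
    echo "$d"
}

# Demonstration on the constructed sample; on a real host run
#   audit_hostkeys /etc/ssh/sshd_config /etc/rc.conf
sample=$(make_sample)
audit_hostkeys "$sample/sshd_config" "$sample/rc.conf"
rm -rf "$sample"
```

On the constructed sample the audit prints two lines: the ECDSA key named in rc.conf is flagged "loose-perms" because it was created mode 0644, and the RSA key named in sshd_config is "ok". A key path that is named but absent is reported "missing", which is the situation the thread describes as producing a warning at boot.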
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20120625161445.GB85086>