From owner-freebsd-current Sat Feb 26 1:39: 2 2000
Delivered-To: freebsd-current@freebsd.org
Received: from bg.sics.se (bg.sics.se [193.10.66.124])
    by hub.freebsd.org (Postfix) with ESMTP id C51E737BFD0;
    Sat, 26 Feb 2000 01:38:54 -0800 (PST) (envelope-from bg@bg.sics.se)
Received: (from bg@localhost) by bg.sics.se (8.9.3/8.9.3) id KAA02738;
    Sat, 26 Feb 2000 10:39:02 +0100 (CET) (envelope-from bg)
To: Kris Kennaway , jkh@zippy.cdrom.com
Cc: current@FreeBSD.ORG, markm@FreeBSD.ORG
Subject: Re: OpenSSH /etc patch
References:
From: Bjoern Groenvall
Date: 26 Feb 2000 10:39:01 +0100
In-Reply-To: Kris Kennaway's message of Fri, 25 Feb 2000 23:31:56 -0800 (PST)
Message-ID:
Lines: 42
X-Mailer: Red Gnus v0.52/Emacs 19.34
Sender: owner-freebsd-current@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

Kris Kennaway writes:

> Does this patch fix the problems people are seeing? It also generates the
> hostkey if it doesn't exist.
>
> Oops, the NO_DESCRYPT line in the /etc/defaults/make.conf patch shouldn't
> be committed yet..I'm still testing that one.

> +# Generate SSH host key, if it doesnt exist. Both sshd and ssh need it
> +# so we do it unconditionally on sshd_enable.
> +#
> +if [ ! -f /etc/ssh/ssh_host_key -a -x /usr/bin/ssh-keygen ]; then
> + echo 'generating an SSH host key:'
> + /usr/bin/ssh-keygen -N "" -f /etc/ssh/ssh_host_key
> + echo ' done.'
> +fi
> +

Be careful to only run ssh-keygen if you are confident that the kernel
random number-generator has acquired enough entropy, otherwise you'll
leave the door open for guessing secret keys!

Jordan K. Hubbard writes:

> > +# Generate SSH host key, if it doesnt exist. Both sshd and ssh need it
> > +# so we do it unconditionally on sshd_enable.
>
> Are you sure ssh requires a host key? I could have sworn this was
> entirely related to sshd and could thus be lumped into the same
> "if sshd_enable=YES" clause.

Jordan is right about this, sshd requires the private key but ssh can't
even read the key from the file.

Cheers,
Björn

  _     _                                          ,_______________.
Bjorn Gronvall (Björn Grönvall)                   /_______________/|
Swedish Institute of Computer Science             |               ||
PO Box 1263, S-164 29 Kista, Sweden               | Schroedingers ||
Email: bg@sics.se, Phone +46 -8 633 15 25         |      Cat      |/
Cellular +46 -70 768 06 35, Fax +46 -8 751 72 30  `---------------'
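
Review bot: the ssh-keygen call inside the `if` block has its exit status ignored, so ' done.' is echoed even when key generation fails, and the only guards are `! -f /etc/ssh/ssh_host_key` and `-x /usr/bin/ssh-keygen`, with nothing that ties the run to sshd_enable or to the state of the kernel random number generator. Suggest moving the block under the sshd_enable test, printing ' done.' only when ssh-keygen succeeds, and documenting in the comment that the key is generated at boot, since a host key created before the RNG has gathered entropy stays in place on every later boot because of the `! -f` test. The comment also has a typo: "doesnt" should be "doesn't".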