Date: Fri, 26 Jul 2002 14:52:49 +0100
From: Tony Finch <dot@dotat.at>
To: Dag-Erling Smorgrav <des@ofug.org>
Cc: Tony Finch <dot@dotat.at>, freebsd-security@freebsd.org
Subject: Re: ssh host key inconsistency
Message-ID: <20020726145249.B7551@chiark.greenend.org.uk>
In-Reply-To: <xzpd6tamynf.fsf@flood.ping.uio.no>; from des@ofug.org on Fri, Jul 26, 2002 at 03:01:08PM +0200
References: <20020726135837.A7551@chiark.greenend.org.uk> <xzpd6tamynf.fsf@flood.ping.uio.no>
On Fri, Jul 26, 2002 at 03:01:08PM +0200, Dag-Erling Smorgrav wrote:
> Tony Finch <dot@dotat.at> writes:
> > I note that rc.network is now creating ssh host keys in both DSA and
> > RSA forms, but our sshd is only using the DSA key. Shall I commit this
> > patch which reverts one of our local changes?
>
> No, we intentionally do not use the RSA host key by default.

In that case, how about this? (And what is the reasoning for not using
both the RSA and DSA keys?)

Tony.
--
f.a.n.finch <dot@dotat.at> http://dotat.at/
ROCKALL: WEST OR SOUTHWEST BECOMING CYCLONIC 3 OR 4, OCCASIONALLY 5 IN
SOUTHEAST LATER. RAIN OR DRIZZLE. MODERATE WITH FOG PATCHES.

--- sshd.8 3 Jul 2002 22:11:44 -0000 1.5.2.8 +++ sshd.8 26 Jul 2002 13:29:37 -0000 @@ -217,8 +217,6 @@ The default is .Pa /etc/ssh/ssh_host_key for protocol version 1, and -.Pa /etc/ssh/ssh_host_rsa_key -and .Pa /etc/ssh/ssh_host_dsa_key for protocol version 2. It is possible to have multiple host key files for @@ -562,14 +560,14 @@ .Nm sshd . The file format and configuration options are described in .Xr sshd_config 5 . -.It Pa /etc/ssh/ssh_host_key, /etc/ssh/ssh_host_dsa_key, /etc/ssh/ssh_host_rsa_key +.It Pa /etc/ssh/ssh_host_key, /etc/ssh/ssh_host_dsa_key These three files contain the private parts of the host keys. These files should only be owned by root, readable only by root, and not accessible to others. Note that .Nm does not start if this file is group/world-accessible. -.It Pa /etc/ssh/ssh_host_key.pub, /etc/ssh/ssh_host_dsa_key.pub, /etc/ssh/ssh_host_rsa_key.pub +.It Pa /etc/ssh/ssh_host_key.pub, /etc/ssh/ssh_host_dsa_key.pub These three files contain the public parts of the host keys. These files should be world-readable but writable only by root. --- sshd_config 3 Jul 2002 22:11:44 -0000 1.4.2.9 +++ sshd_config 26 Jul 2002 13:30:05 -0000 
@@ -24,7 +24,6 @@ # HostKey for protocol version 1 #HostKey /etc/ssh/ssh_host_key # HostKeys for protocol version 2 -#HostKey /etc/ssh/ssh_host_rsa_key #HostKey /etc/ssh/ssh_host_dsa_key # Lifetime and size of ephemeral version 1 server key --- sshd_config.5 4 Jul 2002 19:07:11 -0000 1.5.2.2 +++ sshd_config.5 26 Jul 2002 13:29:55 -0000 @@ -240,8 +240,6 @@ The default is .Pa /etc/ssh/ssh_host_key for protocol version 1, and -.Pa /etc/ssh/ssh_host_rsa_key -and .Pa /etc/ssh/ssh_host_dsa_key for protocol version 2. Note that
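Review bot: in the sshd.8 hunk at "@@ -562,14 +560,14 @@" the two ".It Pa" entries now name two files each, but the unchanged lines that follow still read "These three files contain the private parts of the host keys." and "These three files contain the public parts of the host keys."; the count no longer matches the list, so change both to "These files" (or "These two files") in the same commit.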
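Review bot: the sshd_config hunk at "@@ -24,7 +24,6 @@" removes the only commented-out example of a second protocol 2 host key, leaving the plural heading "# HostKeys for protocol version 2" over a single entry; since, as the quoted discussion above notes, rc.network still generates the RSA key, an administrator reading the shipped config gets no hint that the generated /etc/ssh/ssh_host_rsa_key can be enabled. Suggest keeping "#HostKey /etc/ssh/ssh_host_rsa_key" commented out as documentation of the option, or at least making the heading singular so it matches what is listed.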