From owner-freebsd-security Fri Jul 26 6:52:55 2002
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 3C0B337B400 for ; Fri, 26 Jul 2002 06:52:51 -0700 (PDT)
Received: from chiark.greenend.org.uk (chiark.greenend.org.uk [212.135.138.206]) by mx1.FreeBSD.org (Postfix) with ESMTP id 21D4D43E31 for ; Fri, 26 Jul 2002 06:52:50 -0700 (PDT) (envelope-from fanf@chiark.greenend.org.uk)
Received: from fanf by chiark.greenend.org.uk with local (Exim 3.12 #1) id 17Y5WT-0008G6-00 (Debian); Fri, 26 Jul 2002 14:52:49 +0100
Date: Fri, 26 Jul 2002 14:52:49 +0100
From: Tony Finch
To: Dag-Erling Smorgrav
Cc: Tony Finch , freebsd-security@freebsd.org
Subject: Re: ssh host key inconsistency
Message-ID: <20020726145249.B7551@chiark.greenend.org.uk>
References: <20020726135837.A7551@chiark.greenend.org.uk>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: ; from des@ofug.org on Fri, Jul 26, 2002 at 03:01:08PM +0200
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

On Fri, Jul 26, 2002 at 03:01:08PM +0200, Dag-Erling Smorgrav wrote:
> Tony Finch writes:
> > I note that rc.network is now creating ssh host keys in both DSA and
> > RSA forms, but our sshd is only using the DSA key. Shall I commit this
> > patch which reverts one of our local changes?
>
> No, we intentionally do not use the RSA host key by default.

In that case, how about this? (And what is the reasoning for not using
both the RSA and DSA keys?)

Tony.
-- 
f.a.n.finch http://dotat.at/
ROCKALL: WEST OR SOUTHWEST BECOMING CYCLONIC 3 OR 4, OCCASIONALLY 5 IN
SOUTHEAST LATER. RAIN OR DRIZZLE. MODERATE WITH FOG PATCHES.

--- sshd.8 3 Jul 2002 22:11:44 -0000 1.5.2.8 +++ sshd.8 26 Jul 2002 13:29:37 -0000
@@ -217,8 +217,6 @@ The default is .Pa /etc/ssh/ssh_host_key for protocol version 1, and -.Pa /etc/ssh/ssh_host_rsa_key -and .Pa /etc/ssh/ssh_host_dsa_key for protocol version 2. It is possible to have multiple host key files for @@ -562,14 +560,14 @@ .Nm sshd . The file format and configuration options are described in .Xr sshd_config 5 . -.It Pa /etc/ssh/ssh_host_key, /etc/ssh/ssh_host_dsa_key, /etc/ssh/ssh_host_rsa_key +.It Pa /etc/ssh/ssh_host_key, /etc/ssh/ssh_host_dsa_key These three files contain the private parts of the host keys. These files should only be owned by root, readable only by root, and not accessible to others. Note that .Nm does not start if this file is group/world-accessible. -.It Pa /etc/ssh/ssh_host_key.pub, /etc/ssh/ssh_host_dsa_key.pub, /etc/ssh/ssh_host_rsa_key.pub +.It Pa /etc/ssh/ssh_host_key.pub, /etc/ssh/ssh_host_dsa_key.pub These three files contain the public parts of the host keys. These files should be world-readable but writable only by root. --- sshd_config 3 Jul 2002 22:11:44 -0000 1.4.2.9 +++ sshd_config 26 Jul 2002 13:30:05 -0000 @@ -24,7 +24,6 @@ # HostKey for protocol version 1 #HostKey /etc/ssh/ssh_host_key # HostKeys for protocol version 2 -#HostKey /etc/ssh/ssh_host_rsa_key #HostKey /etc/ssh/ssh_host_dsa_key # Lifetime and size of ephemeral version 1 server key --- sshd_config.5 4 Jul 2002 19:07:11 -0000 1.5.2.2 +++ sshd_config.5 26 Jul 2002 13:29:55 -0000 @@ -240,8 +240,6 @@ The default is .Pa /etc/ssh/ssh_host_key for protocol version 1, and -.Pa /etc/ssh/ssh_host_rsa_key -and .Pa /etc/ssh/ssh_host_dsa_key for protocol version 2. Note that To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
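Review bot: in the sshd.8 hunk at -217, dropping ssh_host_rsa_key from the documented default leaves the reader with no hint that rc.network still generates /etc/ssh/ssh_host_rsa_key (as the quoted message says it does); add a sentence after "for protocol version 2." stating that the RSA key is generated but is not loaded unless a HostKey line names it, otherwise the inconsistency Tony noticed just moves from the config to the manual page.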
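Review bot: in the sshd.8 FILES hunk at -562, the two .It lines now list two files each, but the unchanged text beneath them still reads "These three files contain the private parts of the host keys." and "These three files contain the public parts of the host keys."; change both to "These two files" (or drop the count altogether) so the description matches the list it follows.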
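Review bot: in the sshd_config hunk at -24, the removed line was already commented out, so the hunk changes no behaviour; it only removes the one template line an administrator would uncomment to load the RSA key that rc.network generates. Consider keeping "#HostKey /etc/ssh/ssh_host_rsa_key" as a commented template, and note that the remaining header "# HostKeys for protocol version 2" is now plural above a single entry.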
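Review bot: the sshd_config.5 hunk at -240 mirrors the sshd.8 hunk at -217 word for word, so whatever wording is settled on there (in particular any sentence explaining that the generated RSA key is not loaded by default) needs to be applied here as well, or the two manual pages will drift apart again.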
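The mismatch Tony describes (rc.network writes DSA and RSA host keys, sshd loads only the DSA one) is easy to check for mechanically. The script below is an added example, not code from this mail, from FreeBSD or from OpenSSH. It compares the ssh_host_*_key files in a directory with the HostKey lines sshd will actually honour and reports keys that exist but are never loaded, and HostKey lines whose file is missing. The function names (check_hostkeys, make_fixture), the constructed fixture directory and its empty placeholder key files are all assumptions made for the example. The DEFAULTS argument models the compiled-in key list sshd falls back to when sshd_config has no uncommented HostKey line; the list passed in the demonstration (ssh_host_key for protocol 1, ssh_host_dsa_key for protocol 2) is the one the patched sshd.8 documents. It also relies on one piece of OpenSSH behaviour the mail does not mention: any explicit HostKey directive replaces the built-in defaults rather than adding to them, so uncommenting only the RSA line silently drops the DSA key.

```shell
#!/bin/sh
# Added example, not code from the original mail or from FreeBSD/OpenSSH.
# Reports host key files sshd never loads and HostKey lines with no file.
#
# check_hostkeys CONFIG KEYDIR DEFAULTS
#   CONFIG   - path to an sshd_config
#   KEYDIR   - directory holding the ssh_host_*_key private keys
#   DEFAULTS - space-separated key paths sshd uses when CONFIG has no
#              uncommented HostKey line (pass the list your sshd was built
#              with; the demonstration below uses the one sshd.8 documents)
# Prints one line per finding; returns 0 when consistent, 1 otherwise.
check_hostkeys() {
    ck_config=$1; ck_keydir=$2; ck_defaults=$3; ck_status=0

    # Keys sshd will load: every uncommented HostKey directive. OpenSSH
    # keywords are case-insensitive, hence tolower(). An explicit HostKey
    # line replaces the compiled-in defaults instead of extending them.
    ck_loaded=$(awk 'tolower($1) == "hostkey" { print $2 }' "$ck_config" | tr '\n' ' ')
    [ -n "$ck_loaded" ] || ck_loaded=$ck_defaults

    # Private keys present on disk that no loaded entry refers to.
    for ck_key in "$ck_keydir"/ssh_host_*_key "$ck_keydir"/ssh_host_key; do
        [ -f "$ck_key" ] || continue
        case " $ck_loaded " in
            *" $ck_key "*) ;;
            *) echo "unused: $ck_key exists but no HostKey line loads it"; ck_status=1 ;;
        esac
    done

    # Loaded entries whose file is absent; sshd cannot use them.
    for ck_key in $ck_loaded; do
        [ -f "$ck_key" ] || { echo "missing: HostKey $ck_key has no file"; ck_status=1; }
    done
    return $ck_status
}

# Constructed fixture (an assumption for this example) mirroring the thread:
# rc.network generated protocol 1, DSA and RSA keys, but the shipped
# sshd_config leaves every HostKey line commented out. The key files are
# empty placeholders; only their names matter here.
make_fixture() {
    mf_dir=$(mktemp -d)
    mkdir -p "$mf_dir/etc/ssh"
    for mf_name in ssh_host_key ssh_host_dsa_key ssh_host_rsa_key; do
        : > "$mf_dir/etc/ssh/$mf_name"
    done
    cat > "$mf_dir/etc/ssh/sshd_config" <<EOF
# HostKey for protocol version 1
#HostKey $mf_dir/etc/ssh/ssh_host_key
# HostKeys for protocol version 2
#HostKey $mf_dir/etc/ssh/ssh_host_rsa_key
#HostKey $mf_dir/etc/ssh/ssh_host_dsa_key
EOF
    echo "$mf_dir"
}

# Stand-alone demonstration: with the defaults sshd.8 documents, the RSA
# key rc.network generated is reported as unused.
demo_dir=$(make_fixture)
check_hostkeys "$demo_dir/etc/ssh/sshd_config" "$demo_dir/etc/ssh" \
    "$demo_dir/etc/ssh/ssh_host_key $demo_dir/etc/ssh/ssh_host_dsa_key" \
    || echo "host keys on disk and sshd_config disagree"
[ -n "$demo_dir" ] && rm -rf "$demo_dir"
```

Against a real system the call is check_hostkeys /etc/ssh/sshd_config /etc/ssh "/etc/ssh/ssh_host_key /etc/ssh/ssh_host_dsa_key", with the third argument adjusted to whatever default list the local sshd was built with; the point of the patch under discussion is precisely that FreeBSD's default list omits the RSA key.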