Date: Mon, 25 Jun 2012 01:46:02 +0000
From: "Bjoern A. Zeeb" <bzeeb-lists@lists.zabbadoz.net>
To: Robert Simmons <rsimmons0@gmail.com>
Cc: freebsd-security@freebsd.org
Subject: Re: Add rc.conf variables to control host key length
Message-ID: <90EAF0C3-C676-4C20-A981-86FC88BAC29D@lists.zabbadoz.net>
In-Reply-To: <CA%2BQLa9DxE5D5ZeQ6M-FQGRySCGytQ=Qn2ZyNMYuCfSLGV1gdQw@mail.gmail.com>
References: <CA%2BQLa9CX26xEwRsz3g6FvBBbbFE0Gfw%2BUR6_RHYOXgZFcgCw5w@mail.gmail.com> <4828EFCC-E60A-4961-9228-4A1ADAD28F73@lists.zabbadoz.net> <CA%2BQLa9DxE5D5ZeQ6M-FQGRySCGytQ=Qn2ZyNMYuCfSLGV1gdQw@mail.gmail.com>
On 24. Jun 2012, at 17:14 , Robert Simmons wrote:

> On Sun, Jun 24, 2012 at 12:34 PM, Bjoern A. Zeeb
> <bzeeb-lists@lists.zabbadoz.net> wrote:
>> On 24. Jun 2012, at 16:07 , Robert Simmons wrote:
>>> Here is a set of patches that add functionality to rc.conf allowing
>>> users an easy way to control the length of the host keys used with ssh
>>> (specifically RSA and ECDSA used with protocol version 2).
>>
>> Created for, not used with -- right?
>
> Yes, created for. I have updated the patch to reflect this and
> attached the new patch. Good eye, thanks.
>
>> The used with is controlled in sshd_config and if the key is not there
>> but it's enabled in sshd_config you'll get a warning on boot which is
>> very annoying.
>
> No. Actually, "used with" is not controlled in sshd_config. Only the
> path to the key files is controlled by that config.
> The sshd_flags variable in rc.conf is what controls "used with". For
> example, on my installs, I only want to use the ECDSA key and not
> present any other protocol v2 keys to clients, thereby restricting it
> to ECDSA. The only way to go about this is to set the following:
> sshd_flags="-h /etc/ssh/ssh_host_ecdsa_key"
> Take a look at sshd(8), specifically the -h option for clarification.

Aha, multiple options to accomplish the same thing.

HostKey /etc/ssh/ssh_host_ecdsa_key

in sshd_config should accomplish the same, shouldn't it? I'd really prefer
that to a command line option.

/bz

--
Bjoern A. Zeeb
You have to have visions!
It does not matter how good you are. It matters what good you do!
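As an added example (not code from the thread or from FreeBSD), a small POSIX sh check that the HostKey lines in an sshd_config and the -h arguments in rc.conf's sshd_flags name the same key set, so an operator can confirm the two ways of restricting sshd to one host key agree. The fallback default key paths and the sample config/flags are assumptions constructed for the example.

```sh
#!/bin/sh
# Compare the host keys sshd would load from "HostKey" lines in sshd_config
# with those passed via "-h" in rc.conf's sshd_flags (added example, not
# the project's own code).

# Print the HostKey paths from an sshd_config read on stdin, one per line.
# Assumption for this example: with no HostKey line, sshd uses its built-in
# default list (the three paths below are assumed defaults, not verified).
hostkeys_from_config() {
    keys=$(awk 'tolower($1) == "hostkey" { print $2 }')
    if [ -n "$keys" ]; then
        printf '%s\n' "$keys"
    else
        printf '%s\n' /etc/ssh/ssh_host_rsa_key \
                      /etc/ssh/ssh_host_dsa_key \
                      /etc/ssh/ssh_host_ecdsa_key
    fi
}

# Print every path given with -h in an sshd_flags string, one per line.
# Other flags (e.g. -4, -p 22) are skipped.
hostkeys_from_flags() {
    set -- $1
    while [ $# -gt 0 ]; do
        if [ "$1" = "-h" ] && [ $# -gt 1 ]; then
            printf '%s\n' "$2"
            shift
        fi
        shift
    done
}

# Return 0 when the config text ($1) and the flags string ($2) name the
# same key set, regardless of order.
same_hostkeys() {
    a=$(printf '%s\n' "$1" | hostkeys_from_config | sort)
    b=$(hostkeys_from_flags "$2" | sort)
    [ "$a" = "$b" ]
}

# Constructed sample inputs mirroring the ECDSA-only setup in the thread.
SAMPLE_CONFIG='# sample sshd_config (constructed)
Port 22
HostKey /etc/ssh/ssh_host_ecdsa_key
PermitRootLogin no'
SAMPLE_FLAGS='-h /etc/ssh/ssh_host_ecdsa_key'

same_hostkeys "$SAMPLE_CONFIG" "$SAMPLE_FLAGS" && echo "host key sets match"
```

On a live host, `sshd -T` prints the effective configuration, including the `hostkey` lines actually in force, which is the authoritative check once both rc.conf and sshd_config have been edited.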