On Sun, Jun 24, 2012 at 9:46 PM, Bjoern A. Zeeb <bzeeb-li...@lists.zabbadoz.net> wrote: > > On 24. Jun 2012, at 17:14 , Robert Simmons wrote: > >> On Sun, Jun 24, 2012 at 12:34 PM, Bjoern A. Zeeb >> <bzeeb-li...@lists.zabbadoz.net> wrote: >>> On 24. Jun 2012, at 16:07 , Robert Simmons wrote: >>>> Here is a set of patches that add functionality to rc.conf allowing >>>> users an easy way to control the length of the host keys used with ssh >>>> (specifically RSA and ECDSA used with protocol version 2). >>> >>> Created for, not used with -- right? >> >> Yes, created for. I have updated the patch to reflect this and >> attached the new patch. Good eye, thanks. >> >>> The used with is controlled in sshd_config and if the key is not there >>> but it's enabled in sshd_config you'll get a warning on boot which is >>> very annoying. >> >> No. Actually, "used with" is not controlled in sshd_config. Only the >> path to the key files is controlled by that config. >> The sshd_flags variable in rc.conf is what controls "used with". For >> example, on my installs, I only want to use the ECDSA key and not >> present any other protocol v2 keys to clients, thereby restricting it >> to ECDSA. The only way to go about this is to set the following: >> sshd_flags="-h /etc/ssh/ssh_host_ecdsa_key" >> Take a look at sshd(8), specifically the -h option for clarification. > > Aha, multiple options to accomplish the same thing. > > HostKey /etc/ssh/ssh_host_ecdsa_key > > in sshd_config should accomplish the same, shouldn't it? I'd really > prefer that to a command line option.
And vice versa. Let's say you only uncomment the line for RSA keys in sshd_config. Your server will still present the ECDSA key to clients that understand it. _______________________________________________ freebsd-security@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-security To unsubscribe, send any mail to "freebsd-security-unsubscr...@freebsd.org"
