On 03/10/15 15:50, John Long wrote:
Hi,

What's the reason for generating all the various SSH key types every
startup? Given the source of all the new elliptical crypto I don't want to
use it so I changed the cipher list in sshd_config. But /etc/rc appears to
generate all missing key types every startup.

What problems do I cause by commenting out the ssh-keygen?

The reason for generating keys at first boot is that they are supported and thus need to exist. The reason for regenerating missing keys, e.g., if a key wasn't generated properly (someone wondered why their slow machine was "hung" and hit CTRL-C), is to restore expected functionality.

As for your last question, if you have to ask, just don't, as you will be clueless about how to fix the problems YOU created in the future when something doesn't go as you expect it to go. I'm not going to speculate on what future operation might break due to your fiddling with knobs, but I will remind you that I assume your REAL goal isn't to get something up and running, but rather to set up a long-time tool.

As for the general premise of thinking you know more than the OpenSSH developers... I just have memories of certain Debian devs who thought the same thing once... Crypto is hard, have some trust in the professionals, or you will probably create far bigger security problems.

Nick.
