On Wed, Mar 11, 2015 at 11:13:20PM +0000, Christian Weisgerber wrote:
> On 2015-03-10, John Long <codeb...@inbox.lv> wrote:
>
> > But /etc/rc appears to generate all missing key types every
> > startup.
>
> Only if you delete them!

Yes, that's what I said.

> You can simply configure HostKey in /etc/ssh/sshd_config. As soon
> as you set it to any value, the complete defaults are gone. For
> instance, if there are no further HostKey statements,
>
> HostKey /etc/ssh/ssh_host_ed25519_key
>
> will make the server only load that Ed25519 key. No ECDSA, RSA,
> or DSA.

Try it. With that done a client can still do pubkey auth with a DSA key.
(How) can I stop sshd from accepting client keys a user might include in
~/.ssh/authorized_keys other than RSA keys?

> > What problems do I cause by commenting out the ssh-keygen?
>
> Well, you would be making a change you obviously don't understand.

Well, I think it's obvious I'm open to that possibility or I wouldn't have
asked the question in the first place. Given I do understand that if
ssh-keygen -A isn't run at startup none of the keys I deleted will come
back, and given that's what I really want even if new ciphers get added in
the future, are there any other issues to be aware of regarding removing
ssh-keygen -A from the startup?

/jl

--
ASCII ribbon campaign ( ) Powered by Lemote Fuloong
 against HTML e-mail   X  Loongson MIPS and OpenBSD
   and proprietary    / \    http://www.mutt.org
     attachments     /   \  Code Blue or Go Home!
 Encrypted email preferred  PGP Key 2048R/DA65BC04
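
An audit for the situation raised in the message above (keys of types other than RSA present in a user's ~/.ssh/authorized_keys), as an added example that is not part of the original thread: it parses the authorized_keys line format (optional options field, then key type) and lists the non-RSA entries. The function names and the sample file are constructed for illustration; the script only reports entries and does not change what sshd accepts.

```python
import re

# Key type names as they appear in authorized_keys lines (sshd(8),
# AUTHORIZED_KEYS FILE FORMAT). The sk-* types exist only in newer OpenSSH.
KEYTYPE = re.compile(r"(ssh-(rsa|dss|ed25519)|ecdsa-sha2-nistp(256|384|521)"
                     r"|sk-[a-z0-9-]+@openssh\.com)$")

def split_first_field(line):
    """Return (first_field, rest); blanks inside double quotes do not end it."""
    in_quotes, i = False, 0
    while i < len(line):
        c = line[i]
        if c == "\\" and in_quotes and i + 1 < len(line):
            i += 2                      # skip an escaped character, e.g. \"
            continue
        if c == '"':
            in_quotes = not in_quotes
        elif c in " \t" and not in_quotes:
            return line[:i], line[i:].lstrip()
        i += 1
    return line, ""

def key_type(line):
    """Key type of one authorized_keys line; None for blank, comment or junk."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    first, rest = split_first_field(line)
    if KEYTYPE.match(first):            # no options field: type comes first
        return first
    second = rest.split(None, 1)[0] if rest else ""
    return second if KEYTYPE.match(second) else None

def non_rsa_entries(text, allowed=("ssh-rsa",)):
    """Return [(line_number, key_type)] for keys whose type is not allowed."""
    typed = ((n, key_type(l)) for n, l in enumerate(text.splitlines(), 1))
    return [(n, kt) for n, kt in typed if kt is not None and kt not in allowed]

# Constructed sample file; the key blobs are placeholders, not real keys.
SAMPLE = '''# constructed example
ssh-rsa AAAAB3NzaC1yc2E-PLACEHOLDER alice@laptop
ssh-dss AAAAB3NzaC1kc3M-PLACEHOLDER old@host
command="echo ssh-rsa only",no-pty ssh-ed25519 AAAAC3Nza-PLACEHOLDER backup job
from="10.0.0.*" ssh-rsa AAAAB3NzaC1yc2E-PLACEHOLDER bob@desk
'''

if __name__ == "__main__":
    for n, kt in non_rsa_entries(SAMPLE):
        print(f"line {n}: {kt}")
```

The quoted `command="echo ssh-rsa only"` option in the sample shows why a plain substring search for `ssh-rsa` would misclassify that line.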