Re: Deprecating RSA ssh host keys in 16
Date: Wed, 25 Sep 2024 20:42:49 UTC
On 9/25/24 13:07, Xin LI wrote:
> On Wed, Sep 25, 2024 at 10:25 AM Dag-Erling Smørgrav <des@freebsd.org> wrote:
> Oh, and should we perhaps also disable (non-elliptic) DSA host keys?
>
> Yes, please remove the generation of DSA host keys (I thought it was removed
> in 2018 when you imported OpenSSH 7.7, but turns out it's only removed from
> sshd_config).
DSA host key generation was disabled in af8ee1391d08c (August 2016). If you
have DSA host keys I think they will get used, but we don't generate them by
default now.
> For the RSA host key I think deprecating now is fine and we should even remove
> it from the default sshd_config configuration in 15. OpenSSH implemented
> ed25519 support in 6.5 (2014), which is 10 years ago, and ecdsa even earlier
> than that, and for those who really need it, they can always add it back to
> sshd_config until upstream has removed the support, which is probably not
> going to happen anytime soon.
The place which controls key generation is /etc/rc.d/sshd:
: ${sshd_rsa_enable:="yes"}
: ${sshd_dsa_enable:="no"}
: ${sshd_ecdsa_enable:="yes"}
: ${sshd_ed25519_enable:="yes"}
and obviously the key-generation behaviour can be changed in /etc/rc.conf.
Colin Percival
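An added example, not part of the thread or of FreeBSD's own rc.d/sshd: a POSIX sh audit helper that applies the same `: ${sshd_*_enable:=...}` defaulting as quoted above to an rc.conf fragment, reports which host key types the rc script would generate, and separately lists which host key files are already present (since, as noted, existing keys are still used even when generation is off). It assumes the rc.conf variable names shown above and OpenSSH's `ssh_host_<type>_key` file naming; the rc.conf and key files below are constructed samples.

```shell
#!/bin/sh
# Added audit helper (not FreeBSD's rc.d/sshd). Mirrors the default logic
# quoted from /etc/rc.d/sshd and reports generation vs. already-present keys.
# Assumes the sshd_<type>_enable names from the thread and OpenSSH's
# ssh_host_<type>_key file naming.

# Source an rc.conf file, apply the rc.d/sshd defaults, and print the key
# types whose generation would be enabled (yes/true/on/1, case-insensitive).
sshd_keytypes_to_generate() {
    rcconf="$1"
    # Reset so the environment or an earlier call cannot leak into the result.
    unset sshd_rsa_enable sshd_dsa_enable sshd_ecdsa_enable sshd_ed25519_enable
    [ -r "$rcconf" ] && . "$rcconf"
    : ${sshd_rsa_enable:="yes"}
    : ${sshd_dsa_enable:="no"}
    : ${sshd_ecdsa_enable:="yes"}
    : ${sshd_ed25519_enable:="yes"}
    out=""
    for t in rsa dsa ecdsa ed25519; do
        eval "v=\$sshd_${t}_enable"
        case "$v" in
            [Yy][Ee][Ss]|[Tt][Rr][Uu][Ee]|[Oo][Nn]|1) out="$out $t" ;;
        esac
    done
    printf '%s\n' "${out# }"
}

# Print the key types whose private key file already exists in directory $1.
# sshd will still load such keys even if rc.d no longer generates that type.
sshd_existing_keytypes() {
    dir="$1"
    out=""
    for t in rsa dsa ecdsa ed25519; do
        [ -f "$dir/ssh_host_${t}_key" ] && out="$out $t"
    done
    printf '%s\n' "${out# }"
}

# Constructed sample: rc.conf disabling RSA generation, plus a leftover DSA key.
tmp=$(mktemp -d)
printf 'sshd_rsa_enable="NO"\n' > "$tmp/rc.conf"
: > "$tmp/ssh_host_dsa_key"
: > "$tmp/ssh_host_ed25519_key"
echo "would generate:  $(sshd_keytypes_to_generate "$tmp/rc.conf")"
echo "already present: $(sshd_existing_keytypes "$tmp")"
rm -rf "$tmp"
```

Run it against the real /etc/rc.conf and /etc/ssh to see whether a host still carries key types (such as DSA) that generation no longer produces but sshd would still offer.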