rndusr (Guru)
Joined: 04 Dec 2005 Posts: 392
Posted: Sat Aug 05, 2023 6:51 pm Post subject: [SOLVED] sshd regenerates unwanted ECDSA host key
I have changed my config for sshd to only present host keys of types ED25519 and RSA to clients using appropriate lines in /etc/ssh/sshd_config.d/10_local_settings.conf, and I have verified (using ssh -v user@host) that those are indeed the only host keys being presented to the client. This works as expected, and I'm happy.

One annoyance, however, is that sshd insists that there must be keys /etc/ssh/ssh_host_ecdsa_key{,.pub}, and it regenerates them at startup if they are not present. How can I prevent this?

_________________
If you've got nothing nice to say, you're probably not alone...

Last edited by rndusr on Sat Aug 05, 2023 7:21 pm; edited 1 time in total
Hu (Administrator)
Joined: 06 Mar 2007 Posts: 21918
Posted: Sat Aug 05, 2023 7:11 pm
At startup, /etc/init.d/sshd runs ssh-keygen -A. Per man ssh-keygen:
Code:
```
-A      Generate host keys of all default key types (rsa, ecdsa, and
        ed25519) if they do not already exist.
```
I see nothing in the manual page suggesting a way not to generate these. You could patch the init script not to generate any keys, since you already have the keys you need. Passing -t rsa seems not to disable ecdsa keys.
rndusr (Guru)
Joined: 04 Dec 2005 Posts: 392
Posted: Sat Aug 05, 2023 7:21 pm
Thanks a lot, commenting out that line in /etc/init.d/sshd did the trick! I guess I'll craft a user patch for that so it won't be reverted next time openssh is remerged.

_________________
If you've got nothing nice to say, you're probably not alone...
kolibri (n00b)
Joined: 27 Jul 2023 Posts: 27 Location: Boizenburg, Germany
Posted: Sun Aug 06, 2023 9:26 pm
Another trick, so you don't need to modify/patch the init script:
Code:
```sh
# ssh-keygen -A skips a key type when its private key file already exists and
# is not zero-length, so a one-newline placeholder at the key's own path
# (/etc/ssh/ssh_host_ecdsa_key, as named in the first post) is enough
echo "" > /etc/ssh/ssh_host_ecdsa_key
```
Important: that file must be greater than 0 bytes, else it will be overwritten again.
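The following POSIX shell script is an added example and not code from any of the posts above. It ties Hu's point (ssh-keygen -A recreates every default key type that is missing) to kolibri's placeholder trick by auditing an sshd config directory: it lists the HostKey files sshd is configured to offer, reports key files on disk that no HostKey line references, and checks with `[ -s ]` that a placeholder is non-empty, since ssh-keygen -A treats a zero-length private key file as missing. The functions `configured_hostkeys`, `unreferenced_hostkeys`, `placeholder_ok` and `make_sample_confdir` are this example's own names; it assumes sshd_config includes sshd_config.d/*.conf (Gentoo's default layout) and that HostKey directives use absolute paths, as in the thread. The sample directory it builds is constructed for the demo and contains no real keys.

```shell
#!/bin/sh
# Added example, not code from the thread: audit an sshd config directory for
# host key files. Assumes sshd_config includes sshd_config.d/*.conf (Gentoo's
# default) and that HostKey directives use absolute paths, as in the thread.

# Print the HostKey paths set in $1/sshd_config and $1/sshd_config.d/*.conf.
# Commented-out directives are ignored. With no HostKey directive at all, fall
# back to the three files sshd would load by default (rsa, ecdsa, ed25519).
configured_hostkeys() {
    confdir=$1
    keys=$(cat "$confdir/sshd_config" "$confdir"/sshd_config.d/*.conf 2>/dev/null |
        sed -n 's/^[[:space:]]*HostKey[[:space:]][[:space:]]*//p')
    if [ -n "$keys" ]; then
        printf '%s\n' "$keys"
    else
        for t in rsa ecdsa ed25519; do
            printf '%s/ssh_host_%s_key\n' "$confdir" "$t"
        done
    fi
}

# Print private key files under $1 that no HostKey directive references: sshd
# never offers them, yet ssh-keygen -A recreates them at start-up if missing.
unreferenced_hostkeys() {
    confdir=$1
    wanted=$(configured_hostkeys "$confdir")
    for f in "$confdir"/ssh_host_*_key; do
        [ -e "$f" ] || continue
        case "$wanted" in
            *"$f"*) ;;                 # referenced by a HostKey line
            *) printf '%s\n' "$f" ;;   # on disk but never offered
        esac
    done
}

# Return 0 if $1 exists and has size > 0. ssh-keygen -A treats a zero-length
# private key file as missing and regenerates it, so an empty placeholder
# does not work; a single newline is enough.
placeholder_ok() {
    [ -s "$1" ]
}

# Build a constructed sample config directory in a temp dir (not a real
# system) and print its path: ED25519 and RSA are configured, and an
# unreferenced ecdsa key sits on disk as a zero-byte file, the way a failed
# placeholder would.
make_sample_confdir() {
    d=$(mktemp -d)
    mkdir -p "$d/sshd_config.d"
    printf 'Include %s/sshd_config.d/*.conf\n#HostKey %s/ssh_host_ecdsa_key\n' \
        "$d" "$d" > "$d/sshd_config"
    printf 'HostKey %s/ssh_host_ed25519_key\nHostKey %s/ssh_host_rsa_key\n' \
        "$d" "$d" > "$d/sshd_config.d/10_local_settings.conf"
    printf 'constructed, not a real key\n' > "$d/ssh_host_ed25519_key"
    printf 'constructed, not a real key\n' > "$d/ssh_host_rsa_key"
    : > "$d/ssh_host_ecdsa_key"
    printf '%s\n' "$d"
}

# Stand-alone demo run against the constructed directory
sample=$(make_sample_confdir)
echo "HostKey files sshd will offer:"
configured_hostkeys "$sample"
echo "Key files on disk that no HostKey line references:"
unreferenced_hostkeys "$sample"
if placeholder_ok "$sample/ssh_host_ecdsa_key"; then
    echo "ecdsa placeholder is non-empty: ssh-keygen -A will leave it alone"
else
    echo "ecdsa placeholder is empty: ssh-keygen -A would regenerate it"
fi
rm -rf "$sample"
```

Run it as-is to see the constructed case, or call `configured_hostkeys /etc/ssh` and `unreferenced_hostkeys /etc/ssh` on a real host to compare what sshd_config selects with what ssh-keygen -A has left on disk; any file the second call reports is a candidate for the placeholder treatment, and `placeholder_ok` confirms the placeholder is large enough to survive the next restart.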