Gentoo Forums
[SOLVED] sshd regenerates unwanted ECDSA host key
rndusr
Guru
Joined: 04 Dec 2005
Posts: 392

PostPosted: Sat Aug 05, 2023 6:51 pm    Post subject: [SOLVED] sshd regenerates unwanted ECDSA host key

I have changed my config for sshd to only present host keys of types ED25519 and RSA to clients using appropriate lines in /etc/ssh/sshd_config.d/10_local_settings.conf, and I have verified (using ssh -v user@host) that those are indeed the only host keys being presented to the client. This works as expected, and I'm happy.

One annoyance, however, is that sshd insists that there must be keys /etc/ssh/ssh_host_ecdsa_key{,.pub}, and it regenerates them at startup if they are not present. How can I prevent this?
_________________
If you've got nothing nice to say, you're probably not alone...


Last edited by rndusr on Sat Aug 05, 2023 7:21 pm; edited 1 time in total
Hu
Administrator
Joined: 06 Mar 2007
Posts: 21918

PostPosted: Sat Aug 05, 2023 7:11 pm    Post subject:

At startup, /etc/init.d/sshd runs ssh-keygen -A. Per man ssh-keygen:
Code:
     -A      Generate host keys of all default key types (rsa, ecdsa, and
             ed25519) if they do not already exist.
I see nothing in the manual page suggesting a way not to generate these. You could patch the init script not to generate any keys, since you already have the keys you need. Passing -t rsa seems not to disable ecdsa keys.
rndusr
Guru
Joined: 04 Dec 2005
Posts: 392

PostPosted: Sat Aug 05, 2023 7:21 pm    Post subject:

Thanks a lot, commenting out that line in /etc/init.d/sshd did the trick! I guess I'll craft a user patch for that so it won't be reverted next time openssh is remerged.
_________________
If you've got nothing nice to say, you're probably not alone...
kolibri
n00b
Joined: 27 Jul 2023
Posts: 27
Location: Boizenburg, Germany

PostPosted: Sun Aug 06, 2023 9:26 pm    Post subject:

Another trick, so you don't need to modify/patch the init script:
Code:
# ssh-keygen -A checks for the private key file ssh_host_ecdsa_key
echo "" > /etc/ssh/ssh_host_ecdsa_key


Important: that file must be greater than 0 bytes, else it will be overwritten again.
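The two checks the thread turns on, as an added example that is not code from the thread, from Gentoo's init script or from OpenSSH: which host key files a sshd_config fragment explicitly loads with HostKey, and which default key files `ssh-keygen -A` would (re)generate, applying the rule Hu quoted from the manual (generate when the key does not exist) together with kolibri's observation that a zero-byte file is still treated as absent. The directory and the config fragment are assumptions; the demo runs against a constructed temporary directory, never the real /etc/ssh.

```shell
#!/bin/sh
# Added example, not from the thread. Predicts what "ssh-keygen -A" in the
# init script would do and compares that with the HostKey lines sshd is given.

# configured_hostkeys CONFIG_FILE: print the paths named by HostKey directives
# (comment lines are ignored; the directive name is matched case-insensitively)
configured_hostkeys() {
    grep -Ei '^[[:space:]]*HostKey[[:space:]]+' "$1" | awk '{print $2}'
}

# keygen_would_generate DIR TYPE: "yes" if ssh-keygen -A would create
# DIR/ssh_host_TYPE_key, "no" if a non-empty private key file is already there.
# -s is the shell's "exists and has size > 0" test, which mirrors the
# zero-byte caveat from the thread.
keygen_would_generate() {
    f="$1/ssh_host_$2_key"
    if [ -s "$f" ]; then echo no; else echo yes; fi
}

# report DIR CONFIG_FILE: one line per default key type, showing whether the
# key file is listed in the config and whether ssh-keygen -A would regenerate it
report() {
    for t in rsa ecdsa ed25519; do
        f="$1/ssh_host_${t}_key"
        if configured_hostkeys "$2" | grep -qx "$f"; then
            listed=listed
        else
            listed=unlisted
        fi
        printf '%-8s %-9s regenerate=%s\n' "$t" "$listed" \
            "$(keygen_would_generate "$1" "$t")"
    done
}

# Demo on constructed files (hypothetical fragment name 10_local_settings.conf)
demo() {
    d=$(mktemp -d)
    cat > "$d/10_local_settings.conf" <<EOF
# constructed fragment: only offer ed25519 and rsa
HostKey $d/ssh_host_ed25519_key
HostKey $d/ssh_host_rsa_key
EOF
    echo "placeholder" > "$d/ssh_host_rsa_key"      # non-empty: kept
    echo "placeholder" > "$d/ssh_host_ed25519_key"  # non-empty: kept
    : > "$d/ssh_host_ecdsa_key"                     # zero bytes: regenerated
    report "$d" "$d/10_local_settings.conf"
    rm -rf "$d"
}

demo
```

The report shows the ecdsa key as unlisted in the config yet still due for regeneration, which is exactly the mismatch the thread is about: sshd only offers what HostKey names, but `ssh-keygen -A` in the init script decides by file presence, so the placeholder has to be non-empty to survive a restart.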