On Feb 15, 2014 8:06 AM, "Aris Adamantiadis" <a...@0xbadc0de.be> wrote:
>
> Hi everybody,
>
> This is also my fault, I worked a lot on server side last year and never
> bothered checking if the server was accepting ecdsa keys.
> Regarding the API, is there any advantage in adding an option specific
> to ECDSA?
> I see there's already SSH_BIND_OPTIONS_HOSTKEY and if we follow
> OpenSSH's semantics:
>
>     HostKey
>         Specifies a file containing a private host key used by SSH. The default is
>         /etc/ssh/ssh_host_key for protocol version 1, and /etc/ssh/ssh_host_dsa_key,
>         /etc/ssh/ssh_host_ecdsa_key and /etc/ssh/ssh_host_rsa_key for protocol version 2.
>         Note that sshd(8) will refuse to use a file if it is group/world-accessible.
>         It is possible to have multiple host key files. ``rsa1'' keys are used
>         for version 1 and ``dsa'', ``ecdsa'' or ``rsa'' are used for version 2 of the
>         SSH protocol.
>
> This option should also work with ecdsa, is standard (maps to an openssh
> setting) and doesn't require the caller to know the type of key beforehand.
>
> Aris
>
With my last attempt, I had the assumption that, if you had settings for DSA and RSA (with 2), you'd have one for ECDSA as well (which aligns itself with OpenSSH's conventions, as stated above). I think that's the most intuitive.

Alan: Thanks so much for submitting the patch. I don't have the familiarity that comes with frequency-of-use, with OpenSSL.

Andreas: That's great. Hopefully your comments will take a bite out of the behavior that we're seeing.

Dustin