On 2015-03-10, John Long <[email protected]> wrote:

> What's the reason for generating all the various SSH key types every
> startup?

The idea is to generate keys (1) the very first time the machine boots
and (2) when a new algorithm is added.

> Given the source of all the new elliptical crypto I don't want to
> use it so I changed the cipher list in sshd_config.

For starters, Ed25519 is elliptical curve crypto, but not from the NSA.
And regarding ECDSA, there's an argument to be made that it's a far
better choice than RSA (and DSA).

> But /etc/rc appears to generate all missing key types every
> startup.

Only if you delete them!

You can simply configure HostKey in /etc/ssh/sshd_config. As soon as
you set it to any value, the complete defaults are gone. For instance,
if there are no further HostKey statements,

    HostKey /etc/ssh/ssh_host_ed25519_key

will make the server only load that Ed25519 key. No ECDSA, RSA, or DSA.
Try it.

> What problems do I cause by commenting out the ssh-keygen?

Well, you would be making a change you obviously don't understand.

-- 
Christian "naddy" Weisgerber                          [email protected]
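The HostKey rule above (any explicit HostKey line replaces the whole built-in default set) as an added shell example, not code from the thread; the default key set is assumed to be the one OpenSSH shipped in 2015 (rsa, dsa, ecdsa, ed25519), and the sample configs are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: report which host keys sshd would load from a given
# sshd_config, applying the rule that the first explicit HostKey line
# discards the complete default list.
# Assumption: defaults are rsa, dsa, ecdsa and ed25519 (OpenSSH of 2015);
# check a live host with `sshd -T | grep -i hostkey` rather than trusting
# this table.

effective_hostkeys() {
    cfg="$1"
    # Drop comments, match the keyword case-insensitively, print the path.
    keys=$(sed 's/#.*//' "$cfg" | awk 'tolower($1) == "hostkey" { print $2 }')
    if [ -n "$keys" ]; then
        printf '%s\n' "$keys"            # explicit list wins, nothing else
    else
        for t in rsa dsa ecdsa ed25519; do
            printf '/etc/ssh/ssh_host_%s_key\n' "$t"
        done
    fi
}

# Constructed sample configs: one relying on defaults (its HostKey line is
# commented out), one naming only the Ed25519 key.
demo_dir=$(mktemp -d)
printf 'Port 22\n#HostKey /etc/ssh/ssh_host_rsa_key\n' > "$demo_dir/default.conf"
printf 'Port 22\nHostKey /etc/ssh/ssh_host_ed25519_key\n' > "$demo_dir/ed25519.conf"

echo "defaults only:";     effective_hostkeys "$demo_dir/default.conf"
echo "explicit HostKey:";  effective_hostkeys "$demo_dir/ed25519.conf"
rm -rf "$demo_dir"
```

The second run prints only the Ed25519 path, which is exactly the "no ECDSA, RSA, or DSA" outcome described in the reply; `sshd -T` on the real host shows what the daemon itself resolved.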

