Bug 209948 - security/openssh-portable: Missing rc.conf options defining which keys to generate on startup.
Summary: security/openssh-portable: Missing rc.conf options defining which keys to gen...
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
Importance: --- Affects Some People
Assignee: Bryan Drewery
URL:
Keywords: needs-patch
Depends on:
Blocks:
 
Reported: 2016-06-01 21:47 UTC by Lordgordon
Modified: 2022-03-03 19:37 UTC (History)

See Also:
vlad-fbsd: maintainer-feedback+


Attachments

Description Lordgordon 2016-06-01 21:47:32 UTC
The base OpenSSH rc.d script has a nice undocumented set of options that easily allow disabling the automatic creation of undesired, and possibly outdated, keys.

Those options are: sshd_rsa1_enable, sshd_rsa_enable, sshd_dsa_enable, sshd_ecdsa_enable, sshd_ed25519_enable

Reference: https://svnweb.freebsd.org/base/release/10.3.0/etc/rc.d/sshd?view=markup

Is it possible to port those options to openssh-portable too? I think they are useful for avoiding useless files and for increasing the clarity of the overall configuration of a system.

For information, a simple workaround I found is to pre-create the empty files for the keys I don't want to be created. This works thanks to bug #202792.

As a final remark, the above-mentioned options are quite undocumented in the system (not in the man pages). It could be nice to document them.

Thanks for your support.

Best Regards,

Nicholas
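The following is an added example, not the FreeBSD base rc.d script nor anything from the openssh-portable port: it models in plain POSIX sh how per-algorithm `sshd_<alg>_enable` knobs (names taken from the report) and the "pre-create an empty key file" workaround mentioned above both suppress host key generation. The function only prints the plan instead of invoking ssh-keygen, and the `sshd_keydir` variable, `checkyesno_value` helper and `demo` function are assumptions of this example.

```shell
#!/bin/sh
# Added example, not the real rc.d script. Models how an rc.d script can
# honor sshd_<alg>_enable knobs from rc.conf and skip keys whose file already
# exists (so an empty pre-created file blocks generation, as in the report).
# ssh-keygen is deliberately NOT called; the plan is only printed.

# Defaults: every algorithm is enabled unless rc.conf overrides it.
# (Names follow the base-system variables quoted in the report.)
: ${sshd_rsa1_enable:="yes"}
: ${sshd_rsa_enable:="yes"}
: ${sshd_dsa_enable:="yes"}
: ${sshd_ecdsa_enable:="yes"}
: ${sshd_ed25519_enable:="yes"}

# Assumed knob: key directory, overridable so the demo can run in a temp dir.
: ${sshd_keydir:="/etc/ssh"}

# Minimal stand-in for rc.subr's checkyesno: true for yes/true/on/1.
checkyesno_value() {
    case "$1" in
    [Yy][Ee][Ss]|[Tt][Rr][Uu][Ee]|[Oo][Nn]|1) return 0 ;;
    *) return 1 ;;
    esac
}

# Print one "<alg> <path>" line per key that would be generated.
# A key is skipped when its knob is off or when its file already exists.
sshd_keygen_plan() {
    for alg in rsa1 rsa dsa ecdsa ed25519; do
        eval "enabled=\$sshd_${alg}_enable"
        keyfile="${sshd_keydir}/ssh_host_${alg}_key"
        if ! checkyesno_value "$enabled"; then
            continue   # disabled in rc.conf
        fi
        if [ -f "$keyfile" ]; then
            continue   # already present, or deliberately pre-created empty
        fi
        echo "$alg $keyfile"
    done
}

# Self-contained demo: constructed temp directory, no real keys involved.
# Disables DSA via the rc knob and blocks ECDSA with an empty file, so only
# rsa1, rsa and ed25519 remain in the plan.
demo() {
    tmp=$(mktemp -d)
    sshd_keydir="$tmp"
    sshd_dsa_enable="no"
    : > "$tmp/ssh_host_ecdsa_key"
    sshd_keygen_plan
    rm -rf "$tmp"
}
```

Running `demo` prints three lines (rsa1, rsa, ed25519). A real rc.d script would call `checkyesno sshd_${alg}_enable` from rc.subr and then run ssh-keygen for each remaining entry; the existence check is what makes the empty-file workaround from the report behave the same way as an explicit `sshd_<alg>_enable="NO"`.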
Comment 1 Bryan Drewery freebsd_committer freebsd_triage 2016-06-01 21:52:07 UTC
I don't have time to do it soon, but I'll gladly take a patch.  Otherwise I can add this in a few weeks.
Comment 2 Walter Schwarzenfeld freebsd_triage 2018-01-09 00:59:29 UTC
It's still not in:
: ${sshd_rsa1_enable:="yes"}
: ${sshd_rsa_enable:="yes"}
: ${sshd_dsa_enable:="yes"}
: ${sshd_ecdsa_enable:="yes"}
: ${sshd_ed25519_enable:="yes"}

but the question is whether this is still wanted.
Comment 3 Lordgordon 2018-01-10 16:47:19 UTC
(In reply to w.schwarzenfeld from comment #2)

Regarding the two original requests:

1) support of the options in openssh-portable: yes, I think it is still wanted, as those options exist for the base OpenSSH build.

2) documentation of the options in man pages and handbook (for base OpenSSH): still undocumented. I think they should be documented somewhere.
Comment 4 commit-hook freebsd_committer freebsd_triage 2022-03-03 19:37:32 UTC
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=1249b096fa52847f13a956ee0364b2a14c60e9b5

commit 1249b096fa52847f13a956ee0364b2a14c60e9b5
Author:     Bryan Drewery <bdrewery@FreeBSD.org>
AuthorDate: 2022-03-03 19:35:43 +0000
Commit:     Bryan Drewery <bdrewery@FreeBSD.org>
CommitDate: 2022-03-03 19:37:07 +0000

    security/openssh-portable: Tweak new rc var names

    Commit ae66cffc19f357cbd5 added new rc vars to control generating of
    host keys [1].  Rename these to more closely match the base version
    before it becomes widely adopted.

    PR:             202169 [1]
    PR:             209948 [FYI]

 security/openssh-portable/files/openssh.in | 40 +++++++++++++++---------------
 1 file changed, 20 insertions(+), 20 deletions(-)