Index: etc/defaults/rc.conf
===================================================================
--- etc/defaults/rc.conf (revision 286402)
+++ etc/defaults/rc.conf (working copy)
@@ -312,6 +312,16 @@
 sshd_enable="NO" # Enable sshd
 sshd_program="/usr/sbin/sshd" # path to sshd, if you want a different one.
 sshd_flags="" # Additional flags for sshd.
+sshd_rsa1_keygen_enable="YES" # Generate an rsa1 key when starting sshd if missing from /etc/sshd.
+sshd_rsa1_keygen_flags="" # Flags to ssh-keygen for rsa1 key when first created.
+sshd_rsa_keygen_enable="YES" # Generate an rsa key when starting sshd if missing from /etc/sshd.
+sshd_rsa_keygen_flags="" # Flags to ssh-keygen for rsa key when first created.
+sshd_dsa_keygen_enable="YES" # Generate a dsa key when starting sshd if missing from /etc/sshd.
+sshd_dsa_keygen_flags="" # Flags to ssh-keygen for dsa key when first created.
+sshd_ecdsa_keygen_enable="YES" # Generate an ecdsa key when starting sshd if missing from /etc/sshd.
+sshd_ecdsa_keygen_flags="" # Flags to ssh-keygen for ecdsa key when first created.
+sshd_ed25519_keygen_enable="YES" # Generate an ed25519 key when starting sshd if missing from /etc/sshd.
+sshd_ed25519_keygen_flags="" # Flags to ssh-keygen for ed25519 key when first created.
 ftpd_enable="NO" # Enable stand-alone ftpd.
 ftpd_program="/usr/libexec/ftpd" # Path to ftpd, if you want a different one.
 ftpd_flags="" # Additional flags to stand-alone ftpd.
Index: etc/rc.d/sshd
===================================================================
--- etc/rc.d/sshd (revision 286402)
+++ etc/rc.d/sshd (working copy)
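Review bot: The ten new comments say the key is looked for in `/etc/sshd`, but OpenSSH host keys — and presumably the `keyfile` that rc.d/sshd builds, whose assignment is outside this diff — live under `/etc/ssh`; each comment should read like `# Generate an rsa1 key when starting sshd if missing from /etc/ssh.`. Defaulting `sshd_rsa1_keygen_enable` and `sshd_dsa_keygen_enable` to YES also bakes an SSH-1 and a DSA host key into every fresh install; OpenSSH has been retiring both, so if the installed ssh-keygen still accepts them a one-line caveat next to those defaults is warranted, and if it does not, the rc.d side must tolerate the failure rather than start sshd with missing keys. The `_flags` comments are the only documentation a user will see and could state that the value is a single string that is word-split and passed to ssh-keygen ahead of `-N ""`, e.g. `# Extra ssh-keygen flags (one shell-split string) used when the rsa1 key is first created.`.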
@@ -20,11 +20,19 @@
 pidfile="/var/run/${name}.pid"
 extra_commands="configtest keygen reload"
-: ${sshd_rsa1_enable:="yes"}
-: ${sshd_rsa_enable:="yes"}
-: ${sshd_dsa_enable:="yes"}
-: ${sshd_ecdsa_enable:="yes"}
-: ${sshd_ed25519_enable:="yes"}
+if [ -n "$sshd_rsa1_enable" -o \
+ -n "$sshd_rsa_enable" -o \
+ -n "$sshd_dsa_enable" -o \
+ -n "$sshd_ecdsa_enable" -o \
+ -n "$sshd_ed25519_enable" ]
+then
+ warn "sshd_*_enable is deprecated, consider using sshd_*_keygen_enable for clarity."
+fi
+: ${sshd_rsa1_keygen_enable:="${sshd_rsa1_enable:-yes}"}
+: ${sshd_rsa_keygen_enable:="${sshd_rsa_enable:-yes}"}
+: ${sshd_dsa_keygen_enable:="${sshd_dsa_enable:-yes}"}
+: ${sshd_ecdsa_keygen_enable:="${sshd_ecdsa_enable:-yes}"}
+: ${sshd_ed25519_keygen_enable:="${sshd_ed25519_enable:-yes}"}
 sshd_keygen_alg()
 {
@@ -32,7 +40,7 @@
 local ALG="$(echo $alg | tr a-z A-Z)"
 local keyfile
- if ! checkyesno "sshd_${alg}_enable" ; then
+ if ! checkyesno "sshd_${alg}_keygen_enable" ; then
 return 0
 fi
@@ -56,8 +64,9 @@
 if [ -f "${keyfile}" ] ; then
 info "$ALG host key exists."
 else
+ eval keygen_flags=\$sshd_${alg}_keygen_flags
 echo "Generating $ALG host key."
- /usr/bin/ssh-keygen -q -t $alg -f "$keyfile" -N ""
+ /usr/bin/ssh-keygen -q -t $alg -f "$keyfile" $keygen_flags -N ""
 /usr/bin/ssh-keygen -l -f "$keyfile.pub"
 fi
 }
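Review bot: Once the companion rc.conf hunk lands, a legacy `sshd_dsa_enable="NO"` in /etc/rc.conf is warned about but no longer honoured: /etc/defaults/rc.conf now assigns `sshd_dsa_keygen_enable="YES"`, so the `: ${sshd_dsa_keygen_enable:="${sshd_dsa_enable:-yes}"}` fallback never fires and a DSA host key is generated anyway. The check also sits at file top level; if `load_rc_config` is called later in this script, as rc.d scripts usually do (not visible here), a direct `service sshd onestart` evaluates these lines before rc.conf is read, so neither the warning nor the fallback sees the user's value. A robust shape is to resolve the legacy name inside `sshd_keygen_alg` at call time and let an explicitly set legacy variable take precedence, or to keep the `*_keygen_enable` lines in /etc/defaults/rc.conf as comments only so the fallbacks here stay meaningful; at minimum the message should not promise compatibility it cannot deliver, e.g. `warn "sshd_*_enable is deprecated and may be ignored; set sshd_*_keygen_enable instead."`. The `-o` operators in the test are a portability wart that FreeBSD's sh accepts, so that is a style nit only. `sshd_keygen_alg()` opens at the end of the hunk and its body continues outside it.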
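Review bot: The exit status of `/usr/bin/ssh-keygen -q -t $alg -f "$keyfile" $keygen_flags -N ""` is ignored, so a bad value in `sshd_${alg}_keygen_flags` (or a key type the installed ssh-keygen refuses) leaves no key behind, the following `ssh-keygen -l` then fails on a missing `.pub`, and sshd is started regardless. `keygen_flags` is also assigned without `local`, unlike `ALG` and `keyfile` in the same function. Keeping `-N ""` after `$keygen_flags` is the right order — ssh-keygen keeps the last `-N` it parses, as far as I recall, so user flags cannot leave sshd with a passphrase-protected key it cannot load — and the unquoted `$keygen_flags` is deliberate word-splitting of an rc.conf string (which also globs); both deserve a comment so the next editor does not "fix" them. The `eval` is only acceptable because `$alg` appears to come from the script's own fixed algorithm list rather than from input; `sshd_keygen_alg` starts outside this hunk. The rewritten else branch below makes a failed generation loud.

```shell
	else
		# Flags are one string from rc.conf; left unquoted on purpose so they split into words.
		local keygen_flags
		eval keygen_flags=\$sshd_${alg}_keygen_flags
		echo "Generating $ALG host key."
		# -N "" stays last: ssh-keygen honours the final -N, so user flags cannot add a passphrase.
		if ! /usr/bin/ssh-keygen -q -t $alg -f "$keyfile" $keygen_flags -N ""; then
			warn "Failed to generate $ALG host key."
			return 1
		fi
		/usr/bin/ssh-keygen -l -f "$keyfile.pub"
	fi
```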