Bug 19431

Summary: rc.network wants to generate unsupported DSA key for SSH
Product: Base System Reporter: Gregory Bond <gnb>
Component: conf
Assignee: freebsd-bugs (Nobody) <bugs>
Status: Closed FIXED    
Severity: Affects Only Me    
Priority: Normal    
Version: 4.0-STABLE   
Hardware: Any   
OS: Any   

Description Gregory Bond 2000-06-22 05:30:00 UTC
If enable_sshd is set in rc.conf, then rc.network will check if the 
host keys are present, and create them if not.  It tries to create
two host keys, an ordinary one and a DSA one.

My ssh-keygen (built from a buildworld with the international 
crypto source but no other known tweaks) doesn't have the required 
-d option for generating DSA keys.  This makes the boot give 
somewhat odd error messages.

Fix: 

I don't know whether this is a simple bug in rc.network (in which case
the fix is simple), or if DSA is supported in the US version but not the
international version (which seems more likely).  In the latter case,
rc.network needs to be more careful about what it attempts to do.  
Should it grep USA_RESIDENT out of make.conf?  This is ugly, but I can't 
think of anything less ugly!
How-To-Repeat: 
make update && make world && reboot
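The guarded host-key generation that the report asks for, as an added example in the style of rc.network's enable_sshd handling (not the rc.network or ssh-keygen code from this PR): existing keys are left alone, and a key type the local ssh-keygen cannot produce (DSA via -d, the case here) is reported in one clear line and skipped instead of producing odd boot messages. KEYGEN is an assumed variable so a stand-in command can be substituted; the key file names follow the /etc/ssh layout of the period.

```shell
#!/bin/sh
# Added example: guarded host-key generation modelled on rc.network.
# KEYGEN is an assumed variable (rc.network hard-codes the path) so a
# stand-in command can be substituted when exercising the logic.
KEYGEN=${KEYGEN:-/usr/bin/ssh-keygen}

# Probe whether $KEYGEN accepts -d by generating a throwaway DSA key
# in a temporary directory. Returns 0 if DSA generation works.
keygen_supports_dsa() {
    tmp=$(mktemp -d) || return 1
    rc=0
    "$KEYGEN" -d -N "" -f "$tmp/probe" >/dev/null 2>&1 || rc=$?
    rm -rf "$tmp"
    return $rc
}

# make_host_key FILE [KEYGEN_OPTIONS]: create FILE with an empty
# passphrase unless it already exists; report clearly on failure.
make_host_key() {
    file=$1; shift
    if [ -f "$file" ]; then
        echo "host key $file already present, skipping"
        return 0
    fi
    rc=0
    "$KEYGEN" "$@" -N "" -f "$file" >/dev/null 2>&1 || rc=$?
    if [ "$rc" -eq 0 ]; then
        echo "created host key $file"
        return 0
    fi
    echo "WARNING: ssh-keygen exited $rc while creating $file" >&2
    return 1
}

# generate_host_keys DIR: the rc.network sequence (ordinary key, then
# DSA key) with the DSA step guarded. Returns 0 if both keys exist,
# 1 if the ordinary key could not be made, 2 if DSA was skipped.
generate_host_keys() {
    dir=$1
    make_host_key "$dir/ssh_host_key" || return 1
    if keygen_supports_dsa; then
        make_host_key "$dir/ssh_host_dsa_key" -d
    else
        echo "ssh-keygen lacks -d: skipping DSA host key" >&2
        return 2
    fi
}
```

Call `generate_host_keys /etc/ssh` from the rc script; the return value tells the caller whether the DSA step was skipped.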
Comment 1 dwmalone 2000-06-22 06:59:32 UTC
On Thu, Jun 22, 2000 at 02:24:33PM +1000, Gregory Bond wrote:

> I don't know whether this is a simple bug in rc.network (in which case
> the fix is simple), or if DSA is supported in the US version but not the
> international version (which seems more likely).  In the latter case,
> rc.network needs to be more careful about what it attempts to do.  
> Should it grep USA_RESIDENT out of make.conf?  This is ugly, but I can't 
> think of anything less ugly!

I'm building from international crypto sources here, cvsuped indirectly
from cvsup.uk.FreeBSD.org and it built a DSA key fine. "ssh-keygen -d"
still seems to work too. Are you sure you have recent crypto sources?

(DSA is actually more likely to be exported from the US than RSA. DSA
is designed as a signature algorithm and was designed to be difficult
to use for encryption. It is possible to use it for encryption though,
just not as easy as RSA).

	David.
Comment 2 Gregory Bond 2000-06-26 08:53:20 UTC
Grrr.  Mea Culpa.

Further investigation has shown that the problem was a stale CVS archive caused
by the fact that cvsup.internat.freebsd.org has been uncontactable for the last
few weeks.....  I've reset to cvsup.dk.freebsd.org and now have a version of
ssh-keygen with the required -d option.

This PR can be closed.
Comment 3 alex freebsd_committer freebsd_triage 2000-06-26 09:27:19 UTC
State Changed
From-To: open->closed

Closed on originator's request.