Bug 209948 - security/openssh-portable: Missing rc.conf options defining which keys to generate on startup.
Status: New
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
: --- Affects Some People
Assignee: Bryan Drewery
Keywords: needs-patch
Depends on:
Reported: 2016-06-01 21:47 UTC by Lordgordon
Modified: 2018-01-10 16:47 UTC

See Also:
vlad-fbsd: maintainer-feedback+


Description Lordgordon 2016-06-01 21:47:32 UTC
The base OpenSSH rc.d script has a nice undocumented set of options that make it easy to disable the automatic creation of undesired, and possibly outdated, keys.

Those options are: sshd_rsa1_enable, sshd_rsa_enable, sshd_dsa_enable, sshd_ecdsa_enable, sshd_ed25519_enable

Reference: https://svnweb.freebsd.org/base/release/10.3.0/etc/rc.d/sshd?view=markup

Is it possible to port those options to openssh-portable too? I think they are useful to avoid useless files and to increase the clarity of the overall configuration of a system.

For information, a simple workaround I found is to pre-create the empty files for the keys I don't want to be created. This works thanks to bug #202792.

As a final remark, the above-mentioned options are quite undocumented in the system (not in the man pages). It could be nice to document them.

Thanks for your support.

Best Regards,

Comment 1 Bryan Drewery freebsd_committer 2016-06-01 21:52:07 UTC
I don't have time to do it soon, but I'll gladly take a patch.  Otherwise I can add this in a few weeks.
Comment 2 Walter Schwarzenfeld freebsd_triage 2018-01-09 00:59:29 UTC
It is still not in:
: ${sshd_rsa1_enable:="yes"}
: ${sshd_rsa_enable:="yes"}
: ${sshd_dsa_enable:="yes"}
: ${sshd_ecdsa_enable:="yes"}
: ${sshd_ed25519_enable:="yes"}

but the question is whether this is still wanted.
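To make the behaviour discussed in the description and in comment 2 concrete, here is an added example (not the FreeBSD rc.d script itself, and not part of this bug report) that re-implements the key-generation gate: a host key is generated only when its sshd_<alg>_enable knob is "yes" and the key file does not already exist, which is also why the pre-created empty file workaround works. SSHD_KEY_DIR is an assumed knob added so the plan can be computed against any directory; the base script hard-codes /etc/ssh.

```shell
#!/bin/sh
# Constructed re-implementation of the sshd rc.d key-generation gate.
# Defaults as they appear in the base rc.d script (comment 2).
: ${sshd_rsa1_enable:="yes"}
: ${sshd_rsa_enable:="yes"}
: ${sshd_dsa_enable:="yes"}
: ${sshd_ecdsa_enable:="yes"}
: ${sshd_ed25519_enable:="yes"}
# Assumed knob (not in the base script) so the logic can be tested anywhere.
: ${SSHD_KEY_DIR:="/etc/ssh"}

# Minimal stand-in for rc.subr's checkyesno: accepts yes/true/on/1.
is_yes() {
    case "$1" in
        [Yy][Ee][Ss]|[Tt][Rr][Uu][Ee]|[Oo][Nn]|1) return 0 ;;
        *) return 1 ;;
    esac
}

# Key file path for an algorithm, following the usual ssh_host_*_key naming.
sshd_keyfile() {
    case "$1" in
        rsa1)    echo "$SSHD_KEY_DIR/ssh_host_key" ;;
        rsa)     echo "$SSHD_KEY_DIR/ssh_host_rsa_key" ;;
        dsa)     echo "$SSHD_KEY_DIR/ssh_host_dsa_key" ;;
        ecdsa)   echo "$SSHD_KEY_DIR/ssh_host_ecdsa_key" ;;
        ed25519) echo "$SSHD_KEY_DIR/ssh_host_ed25519_key" ;;
        *)       return 1 ;;
    esac
}

# Print, one per line, the algorithms whose host keys would be generated
# on startup given the current knobs and the files already on disk.
sshd_keygen_plan() {
    for alg in rsa1 rsa dsa ecdsa ed25519; do
        keyfile=$(sshd_keyfile "$alg") || continue
        # An existing file, even an empty one (the workaround from the
        # description), suppresses generation regardless of the knob.
        [ -f "$keyfile" ] && continue
        eval "enabled=\$sshd_${alg}_enable"
        is_yes "$enabled" && echo "$alg"
    done
    return 0
}
```

Run with e.g. `sshd_rsa1_enable=no sshd_dsa_enable=no sh -c '. ./plan.sh; sshd_keygen_plan'` to see which keys would still be created with those knobs set in rc.conf.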
Comment 3 Lordgordon 2018-01-10 16:47:19 UTC
(In reply to w.schwarzenfeld from comment #2)

Regarding the two original requests:

1) support of the options in openssh-portable: yes, I think it is still wanted, as those options exist for the base OpenSSH build.

2) documentation of the options in man pages and handbook (for base OpenSSH): still undocumented. I think they should be documented somewhere.