summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorColin Watson <cjwatson@debian.org>2017-01-16 13:53:04 +0000
committerColin Watson <cjwatson@debian.org>2017-03-29 15:32:34 +0100
commit417f561eac9f391661ad23a27f1d711f56566176 (patch)
tree5c722506f7578027cdd1c1e2454d3cc629d5864a
parentc210daa1ae77904f57478315e75af3f82a5d69f2 (diff)
Remove ssh_host_dsa_key from HostKey default
The client no longer accepts DSA host keys, and servers using the default HostKey setting should have better host keys available. Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=2662 Bug-Debian: https://bugs.debian.org/850614 Last-Update: 2017-01-16 Patch-Name: no-dsa-host-key-by-default.patch
-rw-r--r--servconf.c2
-rw-r--r--sshd.87
-rw-r--r--sshd_config1
-rw-r--r--sshd_config.57
4 files changed, 6 insertions, 11 deletions
diff --git a/servconf.c b/servconf.c
index a391cf4b2..1a7a5f182 100644
--- a/servconf.c
+++ b/servconf.c
@@ -204,8 +204,6 @@ fill_default_server_options(ServerOptions *options)
204 /* fill default hostkeys for protocols */ 204 /* fill default hostkeys for protocols */
205 options->host_key_files[options->num_host_key_files++] = 205 options->host_key_files[options->num_host_key_files++] =
206 _PATH_HOST_RSA_KEY_FILE; 206 _PATH_HOST_RSA_KEY_FILE;
207 options->host_key_files[options->num_host_key_files++] =
208 _PATH_HOST_DSA_KEY_FILE;
209#ifdef OPENSSL_HAS_ECC 207#ifdef OPENSSL_HAS_ECC
210 options->host_key_files[options->num_host_key_files++] = 208 options->host_key_files[options->num_host_key_files++] =
211 _PATH_HOST_ECDSA_KEY_FILE; 209 _PATH_HOST_ECDSA_KEY_FILE;
diff --git a/sshd.8 b/sshd.8
index dd4b8fc3b..79a7e0807 100644
--- a/sshd.8
+++ b/sshd.8
@@ -167,11 +167,10 @@ This option must be given if
167is not run as root (as the normal 167is not run as root (as the normal
168host key files are normally not readable by anyone but root). 168host key files are normally not readable by anyone but root).
169The default is 169The default is
170.Pa /etc/ssh/ssh_host_dsa_key , 170.Pa /etc/ssh/ssh_host_rsa_key ,
171.Pa /etc/ssh/ssh_host_ecdsa_key , 171.Pa /etc/ssh/ssh_host_ecdsa_key
172.Pa /etc/ssh/ssh_host_ed25519_key
173and 172and
174.Pa /etc/ssh/ssh_host_rsa_key . 173.Pa /etc/ssh/ssh_host_ed25519_key .
175It is possible to have multiple host key files for 174It is possible to have multiple host key files for
176the different host key algorithms. 175the different host key algorithms.
177.It Fl i 176.It Fl i
diff --git a/sshd_config b/sshd_config
index f68edf367..928229594 100644
--- a/sshd_config
+++ b/sshd_config
@@ -16,7 +16,6 @@
16#ListenAddress :: 16#ListenAddress ::
17 17
18#HostKey /etc/ssh/ssh_host_rsa_key 18#HostKey /etc/ssh/ssh_host_rsa_key
19#HostKey /etc/ssh/ssh_host_dsa_key
20#HostKey /etc/ssh/ssh_host_ecdsa_key 19#HostKey /etc/ssh/ssh_host_ecdsa_key
21#HostKey /etc/ssh/ssh_host_ed25519_key 20#HostKey /etc/ssh/ssh_host_ed25519_key
22 21
diff --git a/sshd_config.5 b/sshd_config.5
index cc5d9fb0a..0747cc8b5 100644
--- a/sshd_config.5
+++ b/sshd_config.5
@@ -741,11 +741,10 @@ is not to load any certificates.
741Specifies a file containing a private host key 741Specifies a file containing a private host key
742used by SSH. 742used by SSH.
743The defaults are 743The defaults are
744.Pa /etc/ssh/ssh_host_dsa_key , 744.Pa /etc/ssh/ssh_host_rsa_key ,
745.Pa /etc/ssh/ssh_host_ecdsa_key , 745.Pa /etc/ssh/ssh_host_ecdsa_key
746.Pa /etc/ssh/ssh_host_ed25519_key
747and 746and
748.Pa /etc/ssh/ssh_host_rsa_key . 747.Pa /etc/ssh/ssh_host_ed25519_key .
749.Pp 748.Pp
750Note that 749Note that
751.Xr sshd 8 750.Xr sshd 8