diff options
| author | Colin Watson <cjwatson@debian.org> | 2017-01-16 13:53:04 +0000 |
|---|---|---|
| committer | Colin Watson <cjwatson@debian.org> | 2017-01-16 13:56:42 +0000 |
| commit | 79d4110c92f82de854b10b2d96df9daaaaeaec3a (patch) | |
| tree | c14dd6894c35ef3964b2d0ca3107c5b2c2e1eb66 | |
| parent | e346421ca6852fbf9f95cf0e764ecc345e5ce21d (diff) | |
Remove ssh_host_dsa_key from HostKey default
The client no longer accepts DSA host keys, and servers using the
default HostKey setting should have better host keys available.
Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=2662
Bug-Debian: https://bugs.debian.org/850614
Last-Update: 2017-01-16
Patch-Name: no-dsa-host-key-by-default.patch
| -rw-r--r-- | servconf.c | 2 | ||||
| -rw-r--r-- | sshd.8 | 7 | ||||
| -rw-r--r-- | sshd_config | 1 | ||||
| -rw-r--r-- | sshd_config.5 | 7 |
4 files changed, 6 insertions, 11 deletions
diff --git a/servconf.c b/servconf.c index 1cee3d6c2..202c45066 100644 --- a/servconf.c +++ b/servconf.c | |||
| @@ -204,8 +204,6 @@ fill_default_server_options(ServerOptions *options) | |||
| 204 | /* fill default hostkeys for protocols */ | 204 | /* fill default hostkeys for protocols */ |
| 205 | options->host_key_files[options->num_host_key_files++] = | 205 | options->host_key_files[options->num_host_key_files++] = |
| 206 | _PATH_HOST_RSA_KEY_FILE; | 206 | _PATH_HOST_RSA_KEY_FILE; |
| 207 | options->host_key_files[options->num_host_key_files++] = | ||
| 208 | _PATH_HOST_DSA_KEY_FILE; | ||
| 209 | #ifdef OPENSSL_HAS_ECC | 207 | #ifdef OPENSSL_HAS_ECC |
| 210 | options->host_key_files[options->num_host_key_files++] = | 208 | options->host_key_files[options->num_host_key_files++] = |
| 211 | _PATH_HOST_ECDSA_KEY_FILE; | 209 | _PATH_HOST_ECDSA_KEY_FILE; |
| @@ -167,11 +167,10 @@ This option must be given if | |||
| 167 | is not run as root (as the normal | 167 | is not run as root (as the normal |
| 168 | host key files are normally not readable by anyone but root). | 168 | host key files are normally not readable by anyone but root). |
| 169 | The default is | 169 | The default is |
| 170 | .Pa /etc/ssh/ssh_host_dsa_key , | 170 | .Pa /etc/ssh/ssh_host_rsa_key , |
| 171 | .Pa /etc/ssh/ssh_host_ecdsa_key , | 171 | .Pa /etc/ssh/ssh_host_ecdsa_key |
| 172 | .Pa /etc/ssh/ssh_host_ed25519_key | ||
| 173 | and | 172 | and |
| 174 | .Pa /etc/ssh/ssh_host_rsa_key . | 173 | .Pa /etc/ssh/ssh_host_ed25519_key . |
| 175 | It is possible to have multiple host key files for | 174 | It is possible to have multiple host key files for |
| 176 | the different host key algorithms. | 175 | the different host key algorithms. |
| 177 | .It Fl i | 176 | .It Fl i |
diff --git a/sshd_config b/sshd_config index 13cbe2c66..4aea6c729 100644 --- a/sshd_config +++ b/sshd_config | |||
| @@ -16,7 +16,6 @@ | |||
| 16 | #ListenAddress :: | 16 | #ListenAddress :: |
| 17 | 17 | ||
| 18 | #HostKey /etc/ssh/ssh_host_rsa_key | 18 | #HostKey /etc/ssh/ssh_host_rsa_key |
| 19 | #HostKey /etc/ssh/ssh_host_dsa_key | ||
| 20 | #HostKey /etc/ssh/ssh_host_ecdsa_key | 19 | #HostKey /etc/ssh/ssh_host_ecdsa_key |
| 21 | #HostKey /etc/ssh/ssh_host_ed25519_key | 20 | #HostKey /etc/ssh/ssh_host_ed25519_key |
| 22 | 21 | ||
diff --git a/sshd_config.5 b/sshd_config.5 index 703a9cddc..8f8fbb66d 100644 --- a/sshd_config.5 +++ b/sshd_config.5 | |||
| @@ -733,11 +733,10 @@ is not to load any certificates. | |||
| 733 | Specifies a file containing a private host key | 733 | Specifies a file containing a private host key |
| 734 | used by SSH. | 734 | used by SSH. |
| 735 | The defaults are | 735 | The defaults are |
| 736 | .Pa /etc/ssh/ssh_host_dsa_key , | 736 | .Pa /etc/ssh/ssh_host_rsa_key , |
| 737 | .Pa /etc/ssh/ssh_host_ecdsa_key , | 737 | .Pa /etc/ssh/ssh_host_ecdsa_key |
| 738 | .Pa /etc/ssh/ssh_host_ed25519_key | ||
| 739 | and | 738 | and |
| 740 | .Pa /etc/ssh/ssh_host_rsa_key . | 739 | .Pa /etc/ssh/ssh_host_ed25519_key . |
| 741 | .Pp | 740 | .Pp |
| 742 | Note that | 741 | Note that |
| 743 | .Xr sshd 8 | 742 | .Xr sshd 8 |