diff options
| author | djm@openbsd.org <djm@openbsd.org> | 2015-07-03 03:49:45 +0000 |
|---|---|---|
| committer | Damien Miller <djm@mindrot.org> | 2015-07-15 15:36:02 +1000 |
| commit | 933935ce8d093996c34d7efa4d59113163080680 (patch) | |
| tree | 7c2df1bfff8ab967e52436d649a420fc20ba80c6 /sshd.8 | |
| parent | bdfd29f60b74f3e678297269dc6247a5699583c1 (diff) | |
upstream commit
refuse to generate or accept RSA keys smaller than 1024
bits; feedback and ok dtucker@
Upstream-ID: 7ea3d31271366ba264f06e34a3539bf1ac30f0ba
Diffstat (limited to 'sshd.8')
| -rw-r--r-- | sshd.8 | 17 |
1 files changed, 7 insertions, 10 deletions
| @@ -33,8 +33,8 @@ | |||
| 33 | .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF | 33 | .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF |
| 34 | .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. | 34 | .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. |
| 35 | .\" | 35 | .\" |
| 36 | .\" $OpenBSD: sshd.8,v 1.279 2015/05/01 07:11:47 djm Exp $ | 36 | .\" $OpenBSD: sshd.8,v 1.280 2015/07/03 03:49:45 djm Exp $ |
| 37 | .Dd $Mdocdate: May 1 2015 $ | 37 | .Dd $Mdocdate: July 3 2015 $ |
| 38 | .Dt SSHD 8 | 38 | .Dt SSHD 8 |
| 39 | .Os | 39 | .Os |
| 40 | .Sh NAME | 40 | .Sh NAME |
| @@ -184,15 +184,12 @@ Specifies that | |||
| 184 | .Nm | 184 | .Nm |
| 185 | is being run from | 185 | is being run from |
| 186 | .Xr inetd 8 . | 186 | .Xr inetd 8 . |
| 187 | If SSH protocol 1 is enabled, | ||
| 187 | .Nm | 188 | .Nm |
| 188 | is normally not run | 189 | should not normally be run |
| 189 | from inetd because it needs to generate the server key before it can | 190 | from inetd because it needs to generate the server key before it can |
| 190 | respond to the client, and this may take tens of seconds. | 191 | respond to the client, and this may take some time. |
| 191 | Clients would have to wait too long if the key was regenerated every time. | 192 | Clients may have to wait too long if the key was regenerated every time. |
| 192 | However, with small key sizes (e.g. 512) using | ||
| 193 | .Nm | ||
| 194 | from inetd may | ||
| 195 | be feasible. | ||
| 196 | .It Fl k Ar key_gen_time | 193 | .It Fl k Ar key_gen_time |
| 197 | Specifies how often the ephemeral protocol version 1 server key is | 194 | Specifies how often the ephemeral protocol version 1 server key is |
| 198 | regenerated (default 3600 seconds, or one hour). | 195 | regenerated (default 3600 seconds, or one hour). |
| @@ -287,7 +284,7 @@ used to identify the host. | |||
| 287 | .Pp | 284 | .Pp |
| 288 | Forward security for protocol 1 is provided through | 285 | Forward security for protocol 1 is provided through |
| 289 | an additional server key, | 286 | an additional server key, |
| 290 | normally 768 bits, | 287 | normally 1024 bits, |
| 291 | generated when the server starts. | 288 | generated when the server starts. |
| 292 | This key is normally regenerated every hour if it has been used, and | 289 | This key is normally regenerated every hour if it has been used, and |
| 293 | is never stored on disk. | 290 | is never stored on disk. |