From 933935ce8d093996c34d7efa4d59113163080680 Mon Sep 17 00:00:00 2001 From: "djm@openbsd.org" Date: Fri, 3 Jul 2015 03:49:45 +0000 Subject: upstream commit refuse to generate or accept RSA keys smaller than 1024 bits; feedback and ok dtucker@ Upstream-ID: 7ea3d31271366ba264f06e34a3539bf1ac30f0ba --- sshd.8 | 17 +++++++---------- 1 file changed, 7 insertions(+), 10 deletions(-) (limited to 'sshd.8') diff --git a/sshd.8 b/sshd.8 index dcf20f0ea..213b5fc43 100644 --- a/sshd.8 +++ b/sshd.8 @@ -33,8 +33,8 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: sshd.8,v 1.279 2015/05/01 07:11:47 djm Exp $ -.Dd $Mdocdate: May 1 2015 $ +.\" $OpenBSD: sshd.8,v 1.280 2015/07/03 03:49:45 djm Exp $ +.Dd $Mdocdate: July 3 2015 $ .Dt SSHD 8 .Os .Sh NAME @@ -184,15 +184,12 @@ Specifies that .Nm is being run from .Xr inetd 8 . +If SSH protocol 1 is enabled, .Nm -is normally not run +should not normally be run from inetd because it needs to generate the server key before it can -respond to the client, and this may take tens of seconds. -Clients would have to wait too long if the key was regenerated every time. -However, with small key sizes (e.g. 512) using -.Nm -from inetd may -be feasible. +respond to the client, and this may take some time. +Clients may have to wait too long if the key was regenerated every time. .It Fl k Ar key_gen_time Specifies how often the ephemeral protocol version 1 server key is regenerated (default 3600 seconds, or one hour). @@ -287,7 +284,7 @@ used to identify the host. .Pp Forward security for protocol 1 is provided through an additional server key, -normally 768 bits, +normally 1024 bits, generated when the server starts. This key is normally regenerated every hour if it has been used, and is never stored on disk. -- cgit v1.2.3