Now that SSHv1 is gone it should also go away from the places where host keys are generated. Greetings, Eike -- Rolf Eike Beer, emlix GmbH, http://www.emlix.com Fon +49 551 30664-0, Fax +49 551 30664-11 Bertha-von-Suttner-Str. 9, 37085 Göttingen, Germany Sitz der Gesellschaft: Göttingen, Amtsgericht Göttingen HR B 3160 Geschäftsführung: Heike Jordan, Dr. Uwe Kracke – Ust-IdNr.: DE 205 198 055 emlix – smart embedded open source
>From ea3c2b90c31011b53768fea689d5316e4a61a3c1 Mon Sep 17 00:00:00 2001
From: Rolf Eike Beer <eb@xxxxxxxxx>
Date: Thu, 12 Oct 2017 11:39:47 +0200
Subject: [PATCH 3/3] remove creation of RSA1 host keys from scripts
---
 Makefile.in | 3 ---
 contrib/redhat/sshd.init | 1 -
 contrib/redhat/sshd.init.old | 17 -----------------
 opensshd.init.in | 4 ----
 4 files changed, 25 deletions(-)
diff --git a/Makefile.in b/Makefile.in
index 379d378c..6ce95c61 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -373,9 +373,6 @@ host-key: ssh-keygen$(EXEEXT)
 fi
 host-key-force: ssh-keygen$(EXEEXT) ssh$(EXEEXT)
- if ./ssh -Q protocol-version | grep '^1$$' >/dev/null; then \
- ./ssh-keygen -t rsa1 -f $(DESTDIR)$(sysconfdir)/ssh_host_key -N ""; \
- fi
 ./ssh-keygen -t dsa -f $(DESTDIR)$(sysconfdir)/ssh_host_dsa_key -N ""
 ./ssh-keygen -t rsa -f $(DESTDIR)$(sysconfdir)/ssh_host_rsa_key -N ""
 ./ssh-keygen -t ed25519 -f $(DESTDIR)$(sysconfdir)/ssh_host_ed25519_key -N ""
diff --git a/contrib/redhat/sshd.init b/contrib/redhat/sshd.init
index 40c8dfd9..8ee5fcd3 100755
--- a/contrib/redhat/sshd.init
+++ b/contrib/redhat/sshd.init
@@ -40,7 +40,6 @@ start()
 # Create keys if necessary
 /usr/bin/ssh-keygen -A
 if [ -x /sbin/restorecon ]; then
- /sbin/restorecon /etc/ssh/ssh_host_key.pub
 /sbin/restorecon /etc/ssh/ssh_host_rsa_key.pub
 /sbin/restorecon /etc/ssh/ssh_host_dsa_key.pub
 /sbin/restorecon /etc/ssh/ssh_host_ecdsa_key.pub
diff --git a/contrib/redhat/sshd.init.old b/contrib/redhat/sshd.init.old
index 0deb6080..8a30f7da 100755
--- a/contrib/redhat/sshd.init.old
+++ b/contrib/redhat/sshd.init.old
@@ -24,7 +24,6 @@ prog="sshd"
 # Some functions to make the below more readable
 KEYGEN=/usr/bin/ssh-keygen
 SSHD=/usr/sbin/sshd
-RSA1_KEY=/etc/ssh/ssh_host_key
 RSA_KEY=/etc/ssh/ssh_host_rsa_key
 DSA_KEY=/etc/ssh/ssh_host_dsa_key
 PID_FILE=/var/run/sshd.pid
@@ -61,21 +60,6 @@ my_failure() {
 ;;
 esac
 }
-do_rsa1_keygen() {
- if [ ! -s $RSA1_KEY ]; then
- echo -n "Generating SSH1 RSA host key: "
- if $KEYGEN -q -t rsa1 -f $RSA1_KEY -C '' -N '' >&/dev/null; then
- chmod 600 $RSA1_KEY
- chmod 644 $RSA1_KEY.pub
- my_success "RSA1 key generation"
- echo
- else
- my_failure "RSA1 key generation"
- echo
- exit 1
- fi
- fi
-}
 do_rsa_keygen() {
 if [ ! -s $RSA_KEY ]; then
 echo -n "Generating SSH2 RSA host key: "
@@ -119,7 +103,6 @@ do_restart_sanity_check() {
 case "$1" in
 start)
 # Create keys if necessary
- do_rsa1_keygen;
 do_rsa_keygen;
 do_dsa_keygen;
diff --git a/opensshd.init.in b/opensshd.init.in
index 3908566b..99e5a51a 100755
--- a/opensshd.init.in
+++ b/opensshd.init.in
@@ -17,7 +17,6 @@ PIDFILE=$piddir/sshd.pid
 PidFile=`grep "^PidFile" ${sysconfdir}/sshd_config | tr "=" " " | awk '{print $2}'`
 [ X$PidFile = X ] || PIDFILE=$PidFile
 SSH_KEYGEN=$prefix/bin/ssh-keygen
-HOST_KEY_RSA1=$sysconfdir/ssh_host_key
 HOST_KEY_DSA=$sysconfdir/ssh_host_dsa_key
 HOST_KEY_RSA=$sysconfdir/ssh_host_rsa_key
 @COMMENT_OUT_ECC@HOST_KEY_ECDSA=$sysconfdir/ssh_host_ecdsa_key
@@ -25,9 +24,6 @@ HOST_KEY_ED25519=$sysconfdir/ssh_host_ed25519_key
 checkkeys() {
-@COMMENT_OUT_RSA1@ if [ ! -f $HOST_KEY_RSA1 ]; then
-@COMMENT_OUT_RSA1@ ${SSH_KEYGEN} -t rsa1 -f ${HOST_KEY_RSA1} -N ""
-@COMMENT_OUT_RSA1@ fi
 if [ ! -f $HOST_KEY_DSA ]; then
 ${SSH_KEYGEN} -t dsa -f ${HOST_KEY_DSA} -N ""
 fi
-- 
2.14.2