
#1 2015-11-21 19:59:23

maggie
Member
Registered: 2011-02-12
Posts: 255

openssh generates 4 different types of host key but I only want 1 type

I am hardening my sshd and the recommendation is to use only ed25519 and rsa style keys. I can't make sshd only keep them; it regenerates the other styles even when I delete them and uncomment the following lines in sshd_config. What is the trick to disabling the other two?

KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com

HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ed25519_key


#2 2015-11-21 20:12:00

graysky
Wiki Maintainer
From: :wq
Registered: 2008-12-01
Posts: 10,696

Re: openssh generates 4 different types of host key but I only want 1 type

See /usr/lib/systemd/system/sshdgenkeys.service ... looks like if any key is not on the file system, it runs `ssh-keygen -A`, which generates all 4 of them. Without masking this service or editing it, I don't see how to accomplish what you want.


CPU-optimized Linux-ck packages @ Repo-ck • AUR packages • Zsh and other configs


#3 2015-11-22 00:43:35

Leonid.I
Member
From: Aethyr
Registered: 2009-03-22
Posts: 999

Re: openssh generates 4 different types of host key but I only want 1 type

So... touch /etc/ssh/ssh_host_{dsa,ecdsa}_key and same for *pub? This will keep sshdgenkeys.service happy and with the proper sshd_config, these empty keys will never be used...


Arch Linux is more than just GNU/Linux -- it's an adventure
pkill -9 systemd
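
Added example, not part of any post in this thread: a POSIX shell audit that compares the `HostKey` lines in an sshd_config with the `ssh_host_*_key` files on disk, so empty placeholder files and real keys that sshd is not told to load can be told apart. The function names are hypothetical, and it assumes unquoted, whitespace-separated absolute paths in the `HostKey` lines.

```shell
#!/bin/sh
# Added example, not from the thread: compare the HostKey directives in an
# sshd_config with the ssh_host_*_key files actually present on disk.

# Print the path from every active HostKey line. The keyword is
# case-insensitive; "#HostKey" has a different first field, so it is skipped.
# Assumes unquoted, whitespace-separated absolute paths.
configured_hostkeys() {
    awk 'tolower($1) == "hostkey" { print $2 }' "$1"
}

# audit_hostkeys CONFIG KEYDIR
# Prints "<type> <state>" per private host key file, where state is:
#   in-use                 referenced by HostKey and non-empty
#   empty-but-configured   referenced by HostKey but zero bytes (unusable)
#   placeholder            zero-byte file that no HostKey line points at
#   unused-real-key        real key material that sshd is not told to load
audit_hostkeys() {
    config=$1
    keydir=${2%/}
    wanted=$(configured_hostkeys "$config")
    if [ -z "$wanted" ]; then
        echo "no HostKey lines: sshd uses its built-in default list" >&2
        return 2
    fi
    for key in "$keydir"/ssh_host_*_key; do
        [ -e "$key" ] || continue
        type=${key##*/ssh_host_}
        type=${type%_key}
        if printf '%s\n' "$wanted" | grep -qxF -- "$key"; then
            if [ -s "$key" ]; then state=in-use; else state=empty-but-configured; fi
        elif [ -s "$key" ]; then
            state=unused-real-key
        else
            state=placeholder
        fi
        printf '%s %s\n' "$type" "$state"
    done
}

# Run as: sh audit.sh /etc/ssh/sshd_config /etc/ssh
if [ "$#" -eq 2 ]; then
    audit_hostkeys "$1" "$2"
fi
```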
