Solved Creating of DSA Key in /etc/ssh is disabled?

HL1234 · Feb 23, 2017

Hello,

if I try to recreate the keys for sshd with

/etc/rc.d/sshd keygen
the private key ssh_host_dsa_key and public key ssh_host_dsa_key.pub are not created.

I take a look into the script
/etc/rc.d/sshd
and found

Code:

....
: ${sshd_rsa1_enable:="no"}
: ${sshd_rsa_enable:="yes"}
: ${sshd_dsa_enable:="no"}
: ${sshd_ecdsa_enable:="yes"}
: ${sshd_ed25519_enable:="yes"}

sshd_dsa_enable:="no"

I wonder about this an like to communicate: is this a failure or why is it no more enabled?
Thanks for your reply.

rigoletto@ · Feb 24, 2017

Probably intentional, and for a good.

I am not expert but DSA is insecure/vulnerable.

ANOKNUSA · Feb 24, 2017

It's been disabled in FreeBSD, and support for DSA keys has been removed from OpenSSH upstream. So FreeBSD doesn't automatically create them now, it's recommended not to use them, and eventually using them will be impossible.

ShelLuser · Feb 24, 2017

Apart from the above reactions: why would you want to use the rc.d script for this in the first place? I know it provides the functionality, but that's mainly to create the host keys if they don't already exist. You should be looking for ssh-keygen(1) instead.

pkubaj · Feb 24, 2017

You can manually put:

Code:

sshd_dsa_enable="yes"

to /etc/rc.conf. That should be enough to generate the host key with the script.

ShelLuser · Feb 24, 2017

pkubaj said:
You can manually put:

Code:

sshd_dsa_enable="yes"

to /etc/rc.conf. That should be enough to generate the host key with the script.

~~That is very bad advice.~~

The main problem is editing system files; the moment you upgrade your system then those changes are most likely getting wiped out. One could argue that you can redo those changes later but the problem is this: how long will it take before you forget about having made them? Chances are high that during the next upgrade you won't remember or overlook it. So if you then rely on the rc script to handle this for you and you continue to do so in the new upgraded environment you could run into nasty problems.

(edit: that was a very bad comment on my end; overlooked mentioning of /etc/rc.conf, which is of course perfectly ok to edit).

A possible issue is ignoring the reason why this change was made in the first place.

Besides, all it takes is one commandline parameter to ssh-keygen.

pkubaj · Feb 25, 2017

ShelLuser said:
That is very bad advice.

The main problem is editing system files; the moment you upgrade your system then those changes are most likely getting wiped out. One could argue that you can redo those changes later but the problem is this: how long will it take before you forget about having made them? Chances are high that during the next upgrade you won't remember or overlook it. So if you then rely on the rc script to handle this for you and you continue to do so in the new upgraded environment you could run into nasty problems.

Another issue is ignoring the reason why this change was made in the first place.

Besides, all it takes is one commandline parameter to ssh-keygen.

But /etc/rc.conf isn't overwritter on upgrades.

ShelLuser · Feb 25, 2017

pkubaj said:
But /etc/rc.conf isn't overwritter on upgrades.

You're right; sorry about that. That was a very bad comment on my end

I overlooked you mentioning /etc/rc.conf and somehow mistakenly picked it up as if you hinted at editing /etc/rc.d/sshd which would be a bad idea.

Sorry for the possible confusion.

HL1234 · Feb 27, 2017

Hello,
thank you all for give me that update. I'' will keep in mind the advice about DSA.