Old 01-27-2011, 01:37 PM   #1
ponce
LQ Guru
 
Registered: Aug 2004
Location: Pisa, Italy
Distribution: Slackware
Posts: 7,098

Rep: Reputation: 4175
[current] openssh 5.7 - ECDSA as default algorithm


Today I upgraded to openssh-5.7 in -current.
I started the daemon and got a warning, but the daemon ran:
Code:
# /etc/rc.d/rc.sshd start
Could not load host key: /etc/ssh/ssh_host_ecdsa_key
# ps aux | grep sshd | grep -v grep
root      9834  0.0  0.0  27308  1180 ?        Ss   20:03   0:00 /usr/sbin/sshd
So I had a look at the release notes and discovered that ECDSA is the new preferred key algorithm when connecting to hosts (it's tried first if no host key is found in ~/.ssh/known_hosts).

So I decided to give it a shot.

I added a section to /etc/rc.d/rc.sshd:
Code:
--- rc.sshd.orig        2011-01-27 19:48:20.332999994 +0100
+++ rc.sshd     2011-01-27 19:47:26.365999972 +0100
@@ -12,6 +12,9 @@
   if [ ! -f /etc/ssh/ssh_host_rsa_key ]; then
     /usr/bin/ssh-keygen -t rsa -f /etc/ssh/ssh_host_rsa_key -N ''
   fi
+  if [ ! -f /etc/ssh/ssh_host_ecdsa_key ]; then
+    /usr/bin/ssh-keygen -t ecdsa -f /etc/ssh/ssh_host_ecdsa_key -N ''
+  fi
   /usr/sbin/sshd
 }
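Review bot: the new ecdsa block mirrors the rsa one above it but, like it, ignores ssh-keygen's exit status, so if generation fails (for example on an sshd built without ECC support) the script still falls through to `/usr/sbin/sshd`, which then prints the same "Could not load host key: /etc/ssh/ssh_host_ecdsa_key" warning on every start; consider appending `|| echo "ECDSA host key generation failed" >&2` to the ssh-keygen line so the failure is visible. Also, `-t ecdsa` relies on ssh-keygen's default key size; adding `-b 256` (or 384/521) makes the chosen curve explicit in the script.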
and
Code:
/etc/rc.d/rc.sshd restart
On my client, I removed the previous rsa key from my ~/.ssh/known_hosts file (because if ssh finds it, it doesn't try to fetch the ecdsa key) and connected to the new sshd:
Code:
The authenticity of host '[henry.rollins.com]:4965 ([254.254.254.254]:4965)' can't be established.
ECDSA key fingerprint is 6f:b7:f0:46:c5:7b:fe:93:a8:95:bb:59:1c:2e:85:20.
Are you sure you want to continue connecting (yes/no)?
Here is a short discussion on the topic: they suggest, as the release notes do, collecting the new host keys with ssh-keyscan, which should avoid the need to edit the known_hosts file.

-WARNING-
The only problem is that, while the openssh people decided to set ECDSA as the default, I'm not really sure it's considered mature enough by Pat, and that could be the reason why it hasn't been added to the default config.
So try it at your own risk!

Last edited by ponce; 01-27-2011 at 02:39 PM.
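To audit which host key types a known_hosts file already pins for a host (the situation described above, where an existing ssh-rsa entry means the client never fetches the ECDSA key), here is an added example that is not code from this thread or from OpenSSH: it parses known_hosts entries, including HashKnownHosts-style hashed names and the [host]:port form shown in the prompt above, and prints each key's MD5 fingerprint in the colon form ssh displayed. The hostnames and key blobs are constructed stand-ins, not real keys.

```python
import base64
import hashlib
import hmac
import os


def md5_fingerprint(key_b64):
    """Colon-separated MD5 fingerprint of a base64 key blob (the OpenSSH 5.x display form)."""
    digest = hashlib.md5(base64.b64decode(key_b64)).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def hash_hostname(host, salt=None):
    """Build a HashKnownHosts-style '|1|salt|hmac' token: HMAC-SHA1 keyed with the salt."""
    salt = salt or os.urandom(20)
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())


def host_matches(host_field, host):
    """True if a known_hosts host field (plain comma list or hashed token) covers host."""
    if host_field.startswith("|1|"):
        _, _, salt_b64, mac_b64 = host_field.split("|")
        expected = hmac.new(base64.b64decode(salt_b64), host.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(expected, base64.b64decode(mac_b64))
    return host in host_field.split(",")


def key_types_for(known_hosts_text, host):
    """Map key type -> MD5 fingerprint for every entry whose host field matches host."""
    found = {}
    for line in known_hosts_text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0].startswith("#"):
            continue  # blank, comment or malformed line
        if host_matches(fields[0], host):
            found[fields[1]] = md5_fingerprint(fields[2])
    return found


# Constructed sample data: the blobs are not real keys, only stand-ins for the base64 field.
RSA_BLOB = base64.b64encode(b"constructed rsa host key blob").decode()
ECDSA_BLOB = base64.b64encode(b"constructed ecdsa host key blob").decode()
SAMPLE_KNOWN_HOSTS = "\n".join([
    "# constructed sample, not a real known_hosts file",
    "[henry.rollins.com]:4965 ssh-rsa " + RSA_BLOB,  # non-default port form, rsa only
    hash_hostname("other.example.org", b"\x01" * 20) + " ecdsa-sha2-nistp256 " + ECDSA_BLOB,
])

if __name__ == "__main__":
    for target in ("[henry.rollins.com]:4965", "other.example.org"):
        print(target, key_types_for(SAMPLE_KNOWN_HOSTS, target))
```

Against a real file, pass `open(os.path.expanduser("~/.ssh/known_hosts")).read()` as the first argument; a host that comes back with only `ssh-rsa` is exactly the case where ssh keeps using the RSA key and never prompts for the ECDSA one.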
 
Old 01-31-2011, 09:25 AM   #2
dive
Senior Member
 
Registered: Aug 2003
Location: UK
Distribution: Slackware
Posts: 3,467

Rep: Reputation: Disabled
Thanks Ponce, that's handy to know.
 
Old 01-31-2011, 09:34 AM   #3
willysr
Senior Member
 
Registered: Jul 2004
Location: Jogja, Indonesia
Distribution: Slackware-Current
Posts: 4,661

Rep: Reputation: 1784
It's already fixed in the latest -Current update.
 
Old 02-11-2011, 12:49 AM   #4
samoak
LQ Newbie
 
Registered: Feb 2011
Posts: 1

Rep: Reputation: 0
Downloaded ssh sources: openssh-5.8p1.tar.gz

I did the following to get rid of the "said" error.

1> In the file Makefile.in, I removed the following two-line conditional code and executed the configure script.
==
if [ -z "@COMMENT_OUT_ECC@" ] ; then \
...
fi ; \
==

It gave me the following:
==
if [ -f $(sysconfdir)/ssh_host_ecdsa_key ] ; then \
echo "$(sysconfdir)/ssh_host_ecdsa_key already exists, skipping." ; \
else \
./ssh-keygen -t ecdsa -f $(sysconfdir)/ssh_host_ecdsa_key -N "" ; \
fi ; \
==

2> Additionally, I removed the following line:
==
test -z "@COMMENT_OUT_ECC@" && ./ssh-keygen -t ecdsa -f $(DESTDIR)$(sysconfdir)/ssh_host_ecdsa_key -N ""
==

3> Executed the configure script. It gave me the Makefile I needed, with ecdsa enabled.

Unfortunately, I couldn't find any option in the "configure" script to turn the ecdsa-related changes in the Makefile ON/OFF. Please correct me if I failed to find such an option to the "configure" script.

regards,
- sameer oak

Last edited by samoak; 02-14-2011 at 09:54 PM.
 
Old 02-11-2011, 01:05 AM   #5
ponce
LQ Guru
 
Registered: Aug 2004
Location: Pisa, Italy
Distribution: Slackware
Posts: 7,098

Original Poster
Rep: Reputation: 4175
Sorry if I haven't explained it clearly, but there was no error: ECDSA has been chosen as the default key exchange algorithm by the openssh people, it is correctly enabled in their build script, and building produces binaries with ECDSA support.

I think Pat opted to follow their choices for defaults because he just adapted the rc.sshd script in -current to generate the ECDSA key if it's missing.

If you don't want to use ECDSA for connections to your host, you simply have to avoid generating the related key (revert the rc.sshd changes above and, if it has already been generated, delete the ECDSA key in /etc/ssh/).

Last edited by ponce; 02-11-2011 at 04:48 AM.
 