today I upgraded to openssh-5.7 in -current.
I started the daemon and I got a warning, but the daemon ran
Code:
# /etc/rc.d/rc.sshd start
Could not load host key: /etc/ssh/ssh_host_ecdsa_key
# ps aux | grep sshd | grep -v grep
root 9834 0.0 0.0 27308 1180 ? Ss 20:03 0:00 /usr/sbin/sshd
so I had a look at the release notes and discovered that ECDSA is the new preferred key algorithm when connecting to hosts (it's tried first if no host key is found in ~/.ssh/known_hosts).
so I decided to give it a shot
I added a section to /etc/rc.d/rc.sshd
Code:
--- rc.sshd.orig 2011-01-27 19:48:20.332999994 +0100
+++ rc.sshd 2011-01-27 19:47:26.365999972 +0100
@@ -12,6 +12,9 @@
if [ ! -f /etc/ssh/ssh_host_rsa_key ]; then
/usr/bin/ssh-keygen -t rsa -f /etc/ssh/ssh_host_rsa_key -N ''
fi
+ if [ ! -f /etc/ssh/ssh_host_ecdsa_key ]; then
+ /usr/bin/ssh-keygen -t ecdsa -f /etc/ssh/ssh_host_ecdsa_key -N ''
+ fi
/usr/sbin/sshd
}
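Review bot: the `[ ! -f ... ]` guard in the new ecdsa block only checks that the file exists, so a zero-length or unreadable ssh_host_ecdsa_key would be kept and the "Could not load host key" warning would come back on the next start; that is the same limitation the rsa block above already has, so it is consistent, but a `-s` test would skip regeneration only when the key is non-empty. Also worth confirming that the sshd_config in use has no explicit HostKey lines: sshd picks up /etc/ssh/ssh_host_ecdsa_key on its own only when it falls back to its built-in default list, otherwise a matching `HostKey /etc/ssh/ssh_host_ecdsa_key` line is needed for the generated key to be offered.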
and
Code:
/etc/rc.d/rc.sshd restart
on my client, I removed the previous rsa key from my ~/.ssh/known_hosts file (because if ssh finds it, it doesn't try to fetch the ecdsa key), and connected to the new sshd
Code:
The authenticity of host '[henry.rollins.com]:4965 ([254.254.254.254]:4965)' can't be established.
ECDSA key fingerprint is 6f:b7:f0:46:c5:7b:fe:93:a8:95:bb:59:1c:2e:85:20.
Are you sure you want to continue connecting (yes/no)?
here is a short discussion on the topic: they suggest, like the release notes, collecting the new host keys with ssh-keyscan, and this should avoid the need to edit the known_hosts file.
-WARNING-
the only problem is that, while the openssh people decided to set ECDSA as the default, I'm not really sure if it's considered mature enough by Pat, and that can be the reason why it hasn't been added to the default config.
so try it at your own risk!
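The steps above (generate a missing host key per type on the server, then on the client let known_hosts carry more than one key type for a host without deleting the old line) as one script. This is an added example, not code from the post or from Slackware's rc.sshd; the key directory, the host pattern and the sample known_hosts/ssh-keyscan lines are constructed for illustration, and it assumes OpenSSH's ssh-keygen and ssh-keyscan.

```shell
#!/bin/sh
# Added example (not from the original post): generalises the rc.sshd patch to a
# list of key types and adds the client-side known_hosts handling the post
# describes. Assumed tools: OpenSSH ssh-keygen / ssh-keyscan; sample data is
# constructed.

# Server side: generate any host key that is missing, one per type, in the
# given directory. Same shape as the rc.sshd block: unattended, empty
# passphrase, nothing touched if the file is already there.
ensure_host_keys() {
    dir=$1; shift
    [ $# -gt 0 ] || set -- rsa ecdsa     # default types; 'ecdsa' needs OpenSSH >= 5.7
    for t in "$@"; do
        key="$dir/ssh_host_${t}_key"
        if [ ! -s "$key" ]; then         # -s: regenerate empty files too, not only absent ones
            ssh-keygen -q -t "$t" -f "$key" -N '' || return 1
        fi
    done
}

# Client side: list the key types known_hosts already records for one host
# pattern, e.g. '[henry.rollins.com]:4965'. The client prefers host key types
# it already has an entry for, which is why the post had to remove the rsa
# line before the ECDSA key was ever offered. Hashed (|1|...) and @-marker
# lines are skipped, so with HashKnownHosts this reports nothing.
known_key_types() {
    awk -v h="$1" '
        $1 !~ /^[#|@]/ {
            n = split($1, hosts, ",")
            for (i = 1; i <= n; i++)
                if (hosts[i] == h) { print $2; break }
        }' "$2" | sort -u
}

# Merge ssh-keyscan output ($1, saved to a file so the fingerprints can be
# checked out-of-band first) into known_hosts ($2), appending only host/type
# pairs that are not there yet. Existing lines are never removed, so both the
# old rsa and the new ecdsa key stay valid for the host.
merge_keyscan() {
    tmp="$2.new.$$"
    awk 'NR == FNR { if ($1 !~ /^[#|@]/) seen[$1 FS $2] = 1; next }
         $1 !~ /^#/ && !(($1 FS $2) in seen)' "$2" "$1" > "$tmp" &&
        cat "$tmp" >> "$2"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Usage (server):  ensure_host_keys /etc/ssh rsa ecdsa
# Usage (client):  ssh-keyscan -p 4965 -t rsa,ecdsa henry.rollins.com > scan.txt
#                  ssh-keygen -l -f scan.txt      # compare fingerprints out-of-band
#                  merge_keyscan scan.txt ~/.ssh/known_hosts
#                  known_key_types '[henry.rollins.com]:4965' ~/.ssh/known_hosts
```

The merge reads the whole known_hosts file before writing anything and appends through a temporary file, so an interrupted run leaves the original untouched; the fingerprint check in between is where the trust decision is actually made.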