Generate SSH1 host key by default?

Corinna Vinschen vinschen at redhat.com
Tue Feb 1 19:56:25 EST 2011


On Jan 31 23:05, Darren Tucker wrote:
> On 31/01/2011 9:54 PM, Corinna Vinschen wrote:
> >the OpenSSH installation script for Cygwin still creates a SSH1 host key
> >by default.
> >
> >My question is, wouldn't it make more sense to drop all auto-generation
> >of SSH1 keys from the default installation procedure?  I mean, nobody
> >should use SSH1 anymore, right?  Or should the script stick to it for
> >some reason?
> 
> Although the server now defaults to not enabling SSH1 for new
> installs (and has for a couple of releases) the client could
> conceivably need an SSH1 key, eg for RhostsRSAAuthentication.  The
> admin could also enable Protocol 1 in the server (although it might
> be reasonable to give them the responsibility of creating the key in
> that case).

Ok, so I keep the SSH1 key generation in.  Would you mind applying
the patch below?  It adds ECDSA key generation for host and user and
simplifies the ssh-user-config script.


Thanks,
Corinna


Index: contrib/cygwin//ssh-host-config
===================================================================
RCS file: /cvs/openssh/contrib/cygwin/ssh-host-config,v
retrieving revision 1.29
diff -u -p -r1.29 ssh-host-config
--- contrib/cygwin//ssh-host-config	24 Mar 2010 02:03:32 -0000	1.29
+++ contrib/cygwin//ssh-host-config	1 Feb 2011 08:55:59 -0000
@@ -63,6 +63,12 @@ create_host_keys() {
     csih_inform "Generating ${SYSCONFDIR}/ssh_host_dsa_key"
     ssh-keygen -t dsa -f ${SYSCONFDIR}/ssh_host_dsa_key -N '' > /dev/null
   fi
+
+  if [ ! -f "${SYSCONFDIR}/ssh_host_ecdsa_key" ]
+  then
+    csih_inform "Generating ${SYSCONFDIR}/ssh_host_ecdsa_key"
+    ssh-keygen -t ecdsa -f ${SYSCONFDIR}/ssh_host_ecdsa_key -N '' > /dev/null
+  fi
 } # --- End of create_host_keys --- #
 
 # ======================================================================
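Review bot: The added `ssh-keygen` line passes `${SYSCONFDIR}/ssh_host_ecdsa_key` to `-f` unquoted, while the `[ ! -f "${SYSCONFDIR}/ssh_host_ecdsa_key" ]` test two lines above quotes the same path, so a SYSCONFDIR containing whitespace is tested as one path but handed to ssh-keygen as several words. The existing dsa line has the same shape, so the new line is consistent with the file, but it could be written as `ssh-keygen -t ecdsa -f "${SYSCONFDIR}/ssh_host_ecdsa_key" -N '' > /dev/null` without changing anything else. create_host_keys starts before the hunk.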
Index: contrib/cygwin//ssh-user-config
===================================================================
RCS file: /cvs/openssh/contrib/cygwin/ssh-user-config,v
retrieving revision 1.7
diff -u -p -r1.7 ssh-user-config
--- contrib/cygwin//ssh-user-config	29 Jul 2009 14:21:13 -0000	1.7
+++ contrib/cygwin//ssh-user-config	1 Feb 2011 08:55:59 -0000
@@ -39,85 +39,34 @@ pwdhome=
 with_passphrase=
 
 # ======================================================================
-# Routine: create_ssh1_identity
-#   optionally create ~/.ssh/identity[.pub]
+# Routine: create_identity
+#   optionally create identity of type argument in ~/.ssh
 #   optionally add result to ~/.ssh/authorized_keys
 # ======================================================================
-create_ssh1_identity() {
-  if [ ! -f "${pwdhome}/.ssh/identity" ]
+create_identity() {
+  local file="$1"
+  local type="$2"
+  local name="$3"
+  if [ ! -f "${pwdhome}/.ssh/${file}" ]
   then
-    if csih_request "Shall I create an SSH1 RSA identity file for you?"
+    if csih_request "Shall I create a ${name} identity file for you?"
     then
-      csih_inform "Generating ${pwdhome}/.ssh/identity"
+      csih_inform "Generating ${pwdhome}/.ssh/${file}"
       if [ "${with_passphrase}" = "yes" ]
       then
-        ssh-keygen -t rsa1 -N "${passphrase}" -f "${pwdhome}/.ssh/identity" > /dev/null
+        ssh-keygen -t "${type}" -N "${passphrase}" -f "${pwdhome}/.ssh/${file}" > /dev/null
       else
-        ssh-keygen -t rsa1 -f "${pwdhome}/.ssh/identity" > /dev/null
+        ssh-keygen -t "${type}" -f "${pwdhome}/.ssh/${file}" > /dev/null
       fi
       if csih_request "Do you want to use this identity to login to this machine?"
       then
         csih_inform "Adding to ${pwdhome}/.ssh/authorized_keys"
-        cat "${pwdhome}/.ssh/identity.pub" >> "${pwdhome}/.ssh/authorized_keys"
+        cat "${pwdhome}/.ssh/${file}.pub" >> "${pwdhome}/.ssh/authorized_keys"
       fi
     fi
   fi
 } # === End of create_ssh1_identity() === #
-readonly -f create_ssh1_identity
-
-# ======================================================================
-# Routine: create_ssh2_rsa_identity
-#   optionally create ~/.ssh/id_rsa[.pub]
-#   optionally add result to ~/.ssh/authorized_keys
-# ======================================================================
-create_ssh2_rsa_identity() {
-  if [ ! -f "${pwdhome}/.ssh/id_rsa" ]
-  then
-    if csih_request "Shall I create an SSH2 RSA identity file for you?"
-    then
-      csih_inform "Generating ${pwdhome}/.ssh/id_rsa"
-      if [ "${with_passphrase}" = "yes" ]
-      then
-        ssh-keygen -t rsa -N "${passphrase}" -f "${pwdhome}/.ssh/id_rsa" > /dev/null
-      else
-        ssh-keygen -t rsa -f "${pwdhome}/.ssh/id_rsa" > /dev/null
-      fi
-      if csih_request "Do you want to use this identity to login to this machine?"
-      then
-        csih_inform "Adding to ${pwdhome}/.ssh/authorized_keys"
-        cat "${pwdhome}/.ssh/id_rsa.pub" >> "${pwdhome}/.ssh/authorized_keys"
-      fi
-    fi
-  fi
-} # === End of create_ssh2_rsa_identity() === #
-readonly -f create_ssh2_rsa_identity
-
-# ======================================================================
-# Routine: create_ssh2_dsa_identity
-#   optionally create ~/.ssh/id_dsa[.pub]
-#   optionally add result to ~/.ssh/authorized_keys
-# ======================================================================
-create_ssh2_dsa_identity() {
-  if [ ! -f "${pwdhome}/.ssh/id_dsa" ]
-  then
-    if csih_request "Shall I create an SSH2 DSA identity file for you?"
-    then
-      csih_inform "Generating ${pwdhome}/.ssh/id_dsa"
-      if [ "${with_passphrase}" = "yes" ]
-      then
-        ssh-keygen -t dsa -N "${passphrase}" -f "${pwdhome}/.ssh/id_dsa" > /dev/null
-      else
-        ssh-keygen -t dsa -f "${pwdhome}/.ssh/id_dsa" > /dev/null
-      fi
-      if csih_request "Do you want to use this identity to login to this machine?"
-      then
-        csih_inform "Adding to ${pwdhome}/.ssh/authorized_keys"
-        cat "${pwdhome}/.ssh/id_dsa.pub" >> "${pwdhome}/.ssh/authorized_keys"
-      fi
-    fi
-  fi
-} # === End of create_ssh2_dsa_identity() === #
-readonly -f create_ssh2_dsa_identity
+readonly -f create_identity
 
 # ======================================================================
 # Routine: check_user_homedir
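Review bot: The closing comment of the renamed function is left as `} # === End of create_ssh1_identity() === #` even though the function is now `create_identity` and handles all key types; it should read `} # === End of create_identity() === #`. The new function also takes its three parameters without checking they were supplied, so a call with a missing argument tests `${pwdhome}/.ssh/` and runs `ssh-keygen -t ""`; a guard such as `[ $# -eq 3 ] || return 1` at the top of create_identity would make that a clean failure. Minor wording: the generalized prompt `"Shall I create a ${name} identity file for you?"` now yields "a SSH2 RSA" where the old text said "an SSH1 RSA".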
@@ -311,9 +260,10 @@ fi
 
 check_user_homedir
 check_user_dot_ssh_dir
-create_ssh1_identity
-create_ssh2_rsa_identity
-create_ssh2_dsa_identity
+create_identity id_rsa rsa "SSH2 RSA"
+create_identity id_dsa dsa "SSH2 DSA"
+create_identity id_ecdsa ecdsa "SSH2 ECDSA"
+create_identity identity rsa1 "(deprecated) SSH1 RSA"
 fix_authorized_keys_perms
 
 echo

-- 
Corinna Vinschen
Cygwin Project Co-Leader
Red Hat

