Index: etc/defaults/rc.conf
===================================================================
--- etc/defaults/rc.conf (revision 286402)
+++ etc/defaults/rc.conf (working copy)
@@ -309,9 +309,24 @@
 pppoed_provider="*" # Provider and ppp(8) config file entry.
 pppoed_flags="-P /var/run/pppoed.pid" # Flags to pppoed (if enabled).
 pppoed_interface="fxp0" # The interface that pppoed runs on.
+
 sshd_enable="NO" # Enable sshd
 sshd_program="/usr/sbin/sshd" # path to sshd, if you want a different one.
 sshd_flags="" # Additional flags for sshd.
+sshd_rsa1_keygen_enable="YES" # Generate RSA1 keys when starting sshd if missing from /etc/sshd.
+sshd_rsa1_keygen_flags="" # Additional flags to ssh-keygen for RSA1 keys when first created.
+#sshd_rsa1_keygen_flags="-b 4096" # Example of stronger key (default is 2048 bits).
+sshd_rsa_keygen_enable="YES" # Generate RSA keys when starting sshd if missing from /etc/sshd.
+sshd_rsa_keygen_flags="" # Additional flags to ssh-keygen for RSA keys when first created.
+#sshd_rsa_keygen_flags="-b 4096" # Example of stronger key (default is 2048 bits).
+sshd_dsa_keygen_enable="YES" # Generate DSA keys when starting sshd if missing from /etc/sshd.
+sshd_dsa_keygen_flags="" # Additional flags to ssh-keygen for DSA 1024 bit keys when first created.
+sshd_ecdsa_keygen_enable="YES" # Generate ECDSA keys when starting sshd if missing from /etc/sshd.
+sshd_ecdsa_keygen_flags="" # Additional flags to ssh-keygen for ECDSA keys when first created.
+#sshd_ecdsa_keygen_flags="-b 521" # Example of strongest ECDSA key (default is 256 bits).
+sshd_ed25519_keygen_enable="YES" # Generate Ed25519 keys when starting sshd if missing from /etc/sshd.
+sshd_ed25519_keygen_flags="" # Additional flags to ssh-keygen for Ed25519 256 bit keys when first created.
+
 ftpd_enable="NO" # Enable stand-alone ftpd.
 ftpd_program="/usr/libexec/ftpd" # Path to ftpd, if you want a different one.
 ftpd_flags="" # Additional flags to stand-alone ftpd.
Index: etc/rc.d/sshd
===================================================================
--- etc/rc.d/sshd (revision 286402)
+++ etc/rc.d/sshd (working copy)
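Review bot: The comment on each of the five new sshd_*_keygen_enable lines says the key is generated "if missing from /etc/sshd", but sshd host keys live under /etc/ssh (the keyfile path is set in rc.d/sshd outside this hunk, so please verify), so each comment should read `missing from /etc/ssh`. Separately, the shipped defaults turn on generation of RSA1 and DSA host keys, which serve only SSH protocol 1 and are fixed at 1024 bits respectively (the DSA comment itself says "DSA 1024 bit keys"); this only preserves the previous behaviour and may be deliberate, but consider defaulting `sshd_rsa1_keygen_enable="NO"` and `sshd_dsa_keygen_enable="NO"` so fresh installs do not create weak host keys that current sshd releases may never offer. The `-b 4096` example attached to the RSA1 flags mostly advertises a key type that is on its way out and could be dropped.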
@@ -20,11 +20,19 @@
 pidfile="/var/run/${name}.pid"
 extra_commands="configtest keygen reload"
 
-: ${sshd_rsa1_enable:="yes"}
-: ${sshd_rsa_enable:="yes"}
-: ${sshd_dsa_enable:="yes"}
-: ${sshd_ecdsa_enable:="yes"}
-: ${sshd_ed25519_enable:="yes"}
+if [ -n "$sshd_rsa1_enable" -o \
+ -n "$sshd_rsa_enable" -o \
+ -n "$sshd_dsa_enable" -o \
+ -n "$sshd_ecdsa_enable" -o \
+ -n "$sshd_ed25519_enable" ]
+then
+ warn "sshd_*_enable is deprecated, consider using sshd_*_keygen_enable for clarity."
+fi
+: ${sshd_rsa1_keygen_enable:="${sshd_rsa1_enable:-yes}"}
+: ${sshd_rsa_keygen_enable:="${sshd_rsa_enable:-yes}"}
+: ${sshd_dsa_keygen_enable:="${sshd_dsa_enable:-yes}"}
+: ${sshd_ecdsa_keygen_enable:="${sshd_ecdsa_enable:-yes}"}
+: ${sshd_ed25519_keygen_enable:="${sshd_ed25519_enable:-yes}"}
 
 sshd_keygen_alg()
 {
@@ -32,7 +40,7 @@
 local ALG="$(echo $alg | tr a-z A-Z)"
 local keyfile
 
- if ! checkyesno "sshd_${alg}_enable" ; then
+ if ! checkyesno "sshd_${alg}_keygen_enable" ; then
 return 0
 fi
 
@@ -56,8 +64,9 @@
 if [ -f "${keyfile}" ] ; then
 info "$ALG host key exists."
 else
+ eval keygen_flags=\$sshd_${alg}_keygen_flags
 echo "Generating $ALG host key."
- /usr/bin/ssh-keygen -q -t $alg -f "$keyfile" -N ""
+ /usr/bin/ssh-keygen -q -t $alg -f "$keyfile" $keygen_flags -N ""
 /usr/bin/ssh-keygen -l -f "$keyfile.pub"
 fi
 }
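Review bot: The compatibility fallback `: ${sshd_rsa1_keygen_enable:="${sshd_rsa1_enable:-yes}"}` and its four siblings read the old sshd_*_enable knobs at the moment the script is parsed, which is only correct if rc.conf has already been sourced; if this script still calls `load_rc_config $name` near its end (outside this hunk, as rc.d scripts commonly do), then under service(8) a user's `sshd_dsa_enable="NO"` is loaded after the default has already been fixed to "yes", so the old knob is silently ignored and the new deprecation warning never fires either. Moving the warn block and the five defaults to just after `load_rc_config $name`, or into the keygen entry point before it iterates over algorithms, would make both the boot path and service(8) see the user's value; please verify the ordering against the full script. As a minor style point, `-o` inside `[ ... ]` is marked obsolescent in POSIX test(1); chaining separate `[ -n "$sshd_rsa1_enable" ] || [ -n "$sshd_rsa_enable" ] || ...` tests reads the same and is portable. The hunk's last two lines open sshd_keygen_alg(), whose body continues outside it.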
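Review bot: `keygen_flags`, assigned by the new `eval keygen_flags=\$sshd_${alg}_keygen_flags` line, is not declared local, unlike alg, ALG and keyfile in the same function, so it survives as a global after sshd_keygen_alg returns; adding `local keygen_flags` next to the other local declarations (which sit outside this hunk, at the top of sshd_keygen_alg) keeps the function self-contained. Every call reassigns it before use, so this is hygiene rather than a correctness bug. The unquoted `$keygen_flags` is the intended word-split of an operator-supplied flag list, but since it sits after `-t $alg -f "$keyfile"` it can also override those options; a one-line comment such as `# sshd_${alg}_keygen_flags is trusted rc.conf input, word-split on purpose` would make that deliberate for the next reader. sshd_keygen_alg starts outside this hunk.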