Index: etc/defaults/rc.conf
===================================================================
--- etc/defaults/rc.conf	(revision 286402)
+++ etc/defaults/rc.conf	(working copy)
@@ -309,9 +309,24 @@
 pppoed_provider="*"		# Provider and ppp(8) config file entry.
 pppoed_flags="-P /var/run/pppoed.pid"	# Flags to pppoed (if enabled).
 pppoed_interface="fxp0"		# The interface that pppoed runs on.
+
 sshd_enable="NO"		# Enable sshd
 sshd_program="/usr/sbin/sshd"	# path to sshd, if you want a different one.
 sshd_flags=""			# Additional flags for sshd.
+sshd_rsa1_keygen_enable="YES"	# Generate RSA1 keys when starting sshd if missing from /etc/sshd.
+sshd_rsa1_keygen_flags=""	# Additional flags to ssh-keygen for RSA1 keys when first created.
+#sshd_rsa1_keygen_flags="-b 4096" # Example of stronger key (default is 2048 bits).
+sshd_rsa_keygen_enable="YES"	# Generate RSA keys when starting sshd if missing from /etc/sshd.
+sshd_rsa_keygen_flags=""	# Additional flags to ssh-keygen for RSA keys when first created.
+#sshd_rsa_keygen_flags="-b 4096" # Example of stronger key (default is 2048 bits).
+sshd_dsa_keygen_enable="YES"	# Generate DSA keys when starting sshd if missing from /etc/sshd.
+sshd_dsa_keygen_flags=""	# Additional flags to ssh-keygen for DSA 1024 bit keys when first created.
+sshd_ecdsa_keygen_enable="YES"	# Generate ECDSA keys when starting sshd if missing from /etc/sshd. 
+sshd_ecdsa_keygen_flags=""	# Additional flags to ssh-keygen for ECDSA keys when first created.
+#sshd_ecdsa_keygen_flags="-b 521" # Example of strongest ECDSA key (default is 256 bits).
+sshd_ed25519_keygen_enable="YES" # Generate Ed25519 keys when starting sshd if missing from /etc/sshd.
+sshd_ed25519_keygen_flags=""	# Additional flags to ssh-keygen for Ed25519 256 bit keys when first created.
+
 ftpd_enable="NO"		# Enable stand-alone ftpd.
 ftpd_program="/usr/libexec/ftpd" # Path to ftpd, if you want a different one.
 ftpd_flags=""			# Additional flags to stand-alone ftpd.
Index: etc/rc.d/sshd
===================================================================
--- etc/rc.d/sshd	(revision 286402)
+++ etc/rc.d/sshd	(working copy)
@@ -20,11 +20,19 @@
 pidfile="/var/run/${name}.pid"
 extra_commands="configtest keygen reload"
 
-: ${sshd_rsa1_enable:="yes"}
-: ${sshd_rsa_enable:="yes"}
-: ${sshd_dsa_enable:="yes"}
-: ${sshd_ecdsa_enable:="yes"}
-: ${sshd_ed25519_enable:="yes"}
+if [ -n "$sshd_rsa1_enable" -o \
+	-n "$sshd_rsa_enable" -o \
+	-n "$sshd_dsa_enable" -o \
+	-n "$sshd_ecdsa_enable" -o \
+	-n "$sshd_ed25519_enable" ]
+then 
+	warn "sshd_*_enable is deprecated, consider using sshd_*_keygen_enable for clarity."
+fi
+: ${sshd_rsa1_keygen_enable:="${sshd_rsa1_enable:-yes}"}
+: ${sshd_rsa_keygen_enable:="${sshd_rsa_enable:-yes}"}
+: ${sshd_dsa_keygen_enable:="${sshd_dsa_enable:-yes}"}
+: ${sshd_ecdsa_keygen_enable:="${sshd_ecdsa_enable:-yes}"}
+: ${sshd_ed25519_keygen_enable:="${sshd_ed25519_enable:-yes}"}
 
 sshd_keygen_alg()
 {
@@ -32,7 +40,7 @@
 	local ALG="$(echo $alg | tr a-z A-Z)"
 	local keyfile
 
-	if ! checkyesno "sshd_${alg}_enable" ; then
+	if ! checkyesno "sshd_${alg}_keygen_enable" ; then
 		return 0
 	fi
 
@@ -56,8 +64,9 @@
 	if [ -f "${keyfile}" ] ; then
 		info "$ALG host key exists."
 	else
+		eval keygen_flags=\$sshd_${alg}_keygen_flags
 		echo "Generating $ALG host key."
-		/usr/bin/ssh-keygen -q -t $alg -f "$keyfile" -N ""
+		/usr/bin/ssh-keygen -q -t $alg -f "$keyfile" $keygen_flags -N ""
 		/usr/bin/ssh-keygen -l -f "$keyfile.pub"
 	fi
 }