[1/5] sshd: Do not generate new RSA host key on first boot

Message ID 20240920142022.589371-1-peter.mueller@ipfire.org
State Staged
Commit bc0fdeae6f926f9924018d32fa67cd4795a2acaf
Headers
Series [1/5] sshd: Do not generate new RSA host key on first boot |

Commit Message

Peter Müller Sept. 20, 2024, 2:20 p.m. UTC
  This patch will also ensure the maximum supported key length
is used for ECDSA. Existing installations will remain unaffected.

Note that the key size for ED25519 is fixed, and explicitly
setting it to 521 bytes will not have any impact.

Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
---
 src/initscripts/system/sshd | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
  

Patch

diff --git a/src/initscripts/system/sshd b/src/initscripts/system/sshd
index fa40bc11d..e5a9931af 100644
--- a/src/initscripts/system/sshd
+++ b/src/initscripts/system/sshd
@@ -2,7 +2,7 @@ 
 ###############################################################################
 #                                                                             #
 # IPFire.org - A linux based firewall                                         #
-# Copyright (C) 2007-2022  IPFire Team  <info@ipfire.org>                     #
+# Copyright (C) 2007-2024  IPFire Team  <info@ipfire.org>                     #
 #                                                                             #
 # This program is free software: you can redistribute it and/or modify        #
 # it under the terms of the GNU General Public License as published by        #
@@ -24,14 +24,14 @@ 
 
 case "$1" in
     start)
-	for algo in rsa ecdsa ed25519; do
+	for algo in ecdsa ed25519; do
 		keyfile="/etc/ssh/ssh_host_${algo}_key"
 
 		# If the key already exists, there is nothing to do.
 		[ -e "${keyfile}" ] && continue
 
 		boot_mesg "Generating SSH key (${algo})..."
-		ssh-keygen -qf "${keyfile}" -N '' -t ${algo}
+		ssh-keygen -qf "${keyfile}" -N '' -b 521 -t ${algo}
 		evaluate_retval
 	done