Module Name: src Committed By: martin Date: Wed Jun 21 15:16:17 UTC 2023
Modified Files: src/etc/rc.d [netbsd-10]: sshd Log Message: Pull up following revision(s) (requested by kim in ticket #196): etc/rc.d/sshd: revision 1.33 etc/rc.d/sshd: revision 1.34 etc/rc.d/sshd: revision 1.35 etc/rc.d/sshd: revision 1.36 /etc/rc.d/sshd: New check cmd and reload precmd. - check cmd: run `sshd -t' to check sshd_config file - reload precmd: run check cmd before reloading so we don't nuke sshd if there's an error in the sshd_config file (It is still possible to effectively nuke sshd by changing the configuration tosomething that won't work on your network, but at least we avoid making sshd just exit on reload when you make a typo in a config option.) /etc/rc.d/sshd: Stop generating DSA host keys by default. If you want them you can generate them yourself, but in this day and age (Monday and 2023, specifically) there's no reason to be using DSA except for compatibility with ancient legacy software. /etc/rc.d/sshd: Use default curve for ECDSA keygen, not NIST P-521. The default is NIST P-256, which: (a) has plenty of cryptanalytic security, (b) performs better on essentially all platforms (smaller enough that even the advantage of the Mersenne prime structure of P-521 can't compete), and (c) likely gets more scrutiny on implementations than P-521 since it's more widespread. Add some backwards compat. Adjust grammar. To generate a diff of this commit: cvs rdiff -u -r1.32 -r1.32.2.1 src/etc/rc.d/sshd Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
Modified files: Index: src/etc/rc.d/sshd diff -u src/etc/rc.d/sshd:1.32 src/etc/rc.d/sshd:1.32.2.1 --- src/etc/rc.d/sshd:1.32 Sun May 15 11:47:42 2022 +++ src/etc/rc.d/sshd Wed Jun 21 15:16:17 2023 @@ -1,6 +1,6 @@ #!/bin/sh # -# $NetBSD: sshd,v 1.32 2022/05/15 11:47:42 martin Exp $ +# $NetBSD: sshd,v 1.32.2.1 2023/06/21 15:16:17 martin Exp $ # # PROVIDE: sshd @@ -13,7 +13,7 @@ rcvar=$name command="/usr/sbin/${name}" pidfile="/var/run/${name}.pid" required_files="/etc/ssh/sshd_config" -extra_commands="keygen keyregen reload" +extra_commands="check keygen keyregen reload" sshd_motd_unsafe_keys_warning() { @@ -26,13 +26,13 @@ sshd_motd_unsafe_keys_warning() -- UNSAFE KEYS WARNING: The ssh host keys on this machine have been generated with - not enough entropy configured, so may be predictable. + not enough entropy configured, so they may be predictable. To fix, follow the "Adding entropy" section in the entropy(7) - man page and after this machine has enough entropy, re-generate + man page. After this machine has enough entropy, re-generate the ssh host keys by running: - sh /etc/rc.d/sshd keyregen + /etc/rc.d/sshd keyregen _EOF fi cmp -s $T /etc/motd || cp $T /etc/motd @@ -61,13 +61,12 @@ sshd_keygen() printf "ssh-keygen: " && "${keygen}" -f "${f}" -l new_key_created=true done << _EOF -dsa 1024 ssh_host_dsa_key -ecdsa 521 ssh_host_ecdsa_key +ecdsa -1 ssh_host_ecdsa_key ed25519 -1 ssh_host_ed25519_key rsa 0 ssh_host_rsa_key _EOF if "${new_key_created}"; then - sshd_motd_unsafe_keys_warning + sysctl -q kern.entropy.needed && sshd_motd_unsafe_keys_warning fi ) } @@ -77,8 +76,20 @@ sshd_precmd() run_rc_command keygen } +sshd_check() +{ + sshd -t +} + +sshd_reload_precmd() +{ + run_rc_command check +} + +check_cmd=sshd_check keygen_cmd=sshd_keygen keyregen_cmd="sshd_keygen force" +reload_precmd=sshd_reload_precmd start_precmd=sshd_precmd load_rc_config $name