Source-Changes archive


CVS commit: [netbsd-10] src/etc/rc.d



Module Name:    src
Committed By:   martin
Date:           Wed Jun 21 15:16:17 UTC 2023

Modified Files:
        src/etc/rc.d [netbsd-10]: sshd

Log Message:
Pull up following revision(s) (requested by kim in ticket #196):

        etc/rc.d/sshd: revision 1.33
        etc/rc.d/sshd: revision 1.34
        etc/rc.d/sshd: revision 1.35
        etc/rc.d/sshd: revision 1.36

/etc/rc.d/sshd: New check cmd and reload precmd.

- check cmd: run `sshd -t' to check sshd_config file

- reload precmd: run check cmd before reloading so we don't nuke sshd
  if there's an error in the sshd_config file

(It is still possible to effectively nuke sshd by changing the
configuration to something that won't work on your network, but at
least we avoid making sshd just exit on reload when you make a typo
in a config option.)

/etc/rc.d/sshd: Stop generating DSA host keys by default.

If you want them you can generate them yourself, but in this day and
age (Monday and 2023, specifically) there's no reason to be using DSA
except for compatibility with ancient legacy software.

/etc/rc.d/sshd: Use default curve for ECDSA keygen, not NIST P-521.

The default is NIST P-256, which:
(a) has plenty of cryptanalytic security,
(b) performs better on essentially all platforms (smaller enough that
    even the advantage of the Mersenne prime structure of P-521 can't
    compete), and
(c) likely gets more scrutiny on implementations than P-521 since it's
    more widespread.

Add some backwards compat.  Adjust grammar.


To generate a diff of this commit:
cvs rdiff -u -r1.32 -r1.32.2.1 src/etc/rc.d/sshd

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
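
The check-before-reload gate described in the log message, as an added example that is not NetBSD's rc.d/sshd code: the daemon is only signalled after `sshd -t' accepts the configuration. The variable names SSHD_BIN, SSHD_CONFIG and SSHD_PIDFILE and their default paths are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not the project's script. Variable names and default
# paths below are assumptions; adjust them for the system at hand.
SSHD_BIN=${SSHD_BIN:-/usr/sbin/sshd}
SSHD_CONFIG=${SSHD_CONFIG:-/etc/ssh/sshd_config}
SSHD_PIDFILE=${SSHD_PIDFILE:-/var/run/sshd.pid}

# sshd_check: run sshd's test mode (-t) against the configuration file.
# Returns 0 only if sshd accepts the file; nothing is started or signalled.
sshd_check() {
    "$SSHD_BIN" -t -f "$SSHD_CONFIG"
}

# sshd_safe_reload: validate first, signal second.
# Returns 0 if SIGHUP was delivered, 1 if the config was rejected (the
# running daemon is left untouched), 2 if no usable daemon pid was found.
sshd_safe_reload() {
    if ! sshd_check; then
        echo "sshd_config failed 'sshd -t'; not reloading" >&2
        return 1
    fi
    if [ ! -r "$SSHD_PIDFILE" ]; then
        echo "no readable pid file at $SSHD_PIDFILE" >&2
        return 2
    fi
    pid=$(cat "$SSHD_PIDFILE")
    # Refuse anything that is not a plain decimal pid before calling kill.
    case $pid in
        ''|*[!0-9]*)
            echo "pid file $SSHD_PIDFILE is malformed" >&2
            return 2
            ;;
    esac
    if ! kill -HUP "$pid" 2>/dev/null; then
        echo "could not signal pid $pid" >&2
        return 2
    fi
}
```

As the log message notes, this only catches configurations sshd itself rejects; a syntactically valid change that locks you out of the network still passes the check.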



