Source-Changes-HG archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
[src/netbsd-9]: src/etc/rc.d Pull up following revision(s) (requested by kim ...
details: https://anonhg.NetBSD.org/src/rev/bc69f8e4b9a5
branches: netbsd-9
changeset: 376508:bc69f8e4b9a5
user: martin <martin%NetBSD.org@localhost>
date: Wed Jun 21 16:06:14 2023 +0000
description:
Pull up following revision(s) (requested by kim in ticket #1643):
etc/rc.d/sshd: revision 1.30
etc/rc.d/sshd: revision 1.33
etc/rc.d/sshd: revision 1.34
etc/rc.d/sshd: revision 1.35
simplify more (from rudolf)
/etc/rc.d/sshd: New check cmd and reload precmd.
- check cmd: run `sshd -t' to check sshd_config file
- reload precmd: run check cmd before reloading so we don't nuke sshd
if there's an error in the sshd_config file
(It is still possible to effectively nuke sshd by changing the
configuration tosomething that won't work on your network, but at
least we avoid making sshd just exit on reload when you make a typo
in a config option.)
/etc/rc.d/sshd: Stop generating DSA host keys by default.
If you want them you can generate them yourself, but in this day and
age (Monday and 2023, specifically) there's no reason to be using DSA
except for compatibility with ancient legacy software.
/etc/rc.d/sshd: Use default curve for ECDSA keygen, not NIST P-521.
The default is NIST P-256, which:
(a) has plenty of cryptanalytic security,
(b) performs better on essentially all platforms (smaller enough that
even the advantage of the Mersenne prime structure of P-521 can't
compete), and
(c) likely gets more scrutiny on implementations than P-521 since it's
more widespread.
diffstat:
etc/rc.d/sshd | 25 ++++++++++++++++++-------
1 files changed, 18 insertions(+), 7 deletions(-)
diffs (62 lines):
diff -r ce3b74bd94bc -r bc69f8e4b9a5 etc/rc.d/sshd
--- a/etc/rc.d/sshd Thu Jun 08 11:18:12 2023 +0000
+++ b/etc/rc.d/sshd Wed Jun 21 16:06:14 2023 +0000
@@ -1,6 +1,6 @@
#!/bin/sh
#
-# $NetBSD: sshd,v 1.29 2018/05/26 19:18:11 riastradh Exp $
+# $NetBSD: sshd,v 1.29.4.1 2023/06/21 16:06:14 martin Exp $
#
# PROVIDE: sshd
@@ -13,14 +13,14 @@ rcvar=$name
command="/usr/sbin/${name}"
pidfile="/var/run/${name}.pid"
required_files="/etc/ssh/sshd_config"
-extra_commands="keygen reload"
+extra_commands="check keygen reload"
sshd_keygen()
{
(
keygen="/usr/bin/ssh-keygen"
umask 022
- while read type bits filename version name; do
+ while read type bits filename; do
f="/etc/ssh/$filename"
if [ -f "$f" ]; then
continue
@@ -33,10 +33,9 @@ sshd_keygen()
"${keygen}" -t "${type}" ${bitarg} -f "${f}" -N '' -q && \
printf "ssh-keygen: " && "${keygen}" -f "${f}" -l
done << _EOF
-dsa 1024 ssh_host_dsa_key 2 DSA
-ecdsa 521 ssh_host_ecdsa_key 1 ECDSA
-ed25519 -1 ssh_host_ed25519_key 1 ED25519
-rsa 0 ssh_host_rsa_key 2 RSA
+ecdsa -1 ssh_host_ecdsa_key
+ed25519 -1 ssh_host_ed25519_key
+rsa 0 ssh_host_rsa_key
_EOF
)
}
@@ -46,7 +45,19 @@ sshd_precmd()
run_rc_command keygen
}
+sshd_check()
+{
+ sshd -t
+}
+
+sshd_reload_precmd()
+{
+ run_rc_command check
+}
+
+check_cmd=sshd_check
keygen_cmd=sshd_keygen
+reload_precmd=sshd_reload_precmd
start_precmd=sshd_precmd
load_rc_config $name
Home |
Main Index |
Thread Index |
Old Index