
I have a Debian Jessie server and I would like to verify the fingerprint of the SSH host keys on the server against a DNS SSHFP record. This works fine, but if a client connects to the server over SSH, the server offers the ssh-ecdsa algorithm. I'd like to configure the SSH daemon so that only ssh-ed25519 and ssh-rsa are the supported algorithms. On Ubuntu 16.04 this works with the sshd config key HostKeyAlgorithms, but if I use this key on Debian, I can't start the daemon.

Why doesn't the daemon support this configuration key, or must I use another configuration key to support only the ssh-ed25519 and ssh-rsa algorithms?

Here is my sshd_config:

AcceptEnv LANG LC_*
AuthorizedKeysFile  %h/.ssh/authorized_keys
ChallengeResponseAuthentication no
HostbasedAuthentication no
HostKey         /etc/ssh/ssh_host_rsa_key
HostKey         /etc/ssh/ssh_host_dsa_key
HostKey         /etc/ssh/ssh_host_ecdsa_key
HostKey         /etc/ssh/ssh_host_ed25519_key
#HostKeyAlgorithms  ssh-ed25519,ssh-rsa
KeyRegenerationInterval 3600
LoginGraceTime      120
LogLevel                INFO
MaxAuthTries        10
MaxSessions     5
PasswordAuthentication  no
PermitEmptyPasswords    no
PermitRootLogin     without-password
Port            22
PrintMotd               no
PrintLastLog        no
Protocol        2
RSAAuthentication   no
PubkeyAuthentication    yes
ServerKeyBits       4096
StrictModes     yes
SyslogFacility          AUTH
RhostsRSAAuthentication no
Subsystem       sftp /usr/lib/openssh/sftp-server
TCPKeepAlive        yes
UsePAM          no
UsePrivilegeSeparation  yes
Jakuje
Volker Raschek
  • What is the output of `sudo sshd -T`? This option might not be implemented in the *Debian* ... – Jakuje May 03 '17 at 17:37
  • I get a configuration output like this: port 22 protocol 2 addressfamily any listenaddress 0.0.0.0:22 listenaddress [::]:22 usepam 0 serverkeybits 4096 logingracetime 120 .. – Volker Raschek May 05 '17 at 15:35

1 Answer

HostKeyAlgorithms is not implemented in OpenSSH 6.7p1, which is available in Debian Jessie.

I'd like to configure the ssh daemon that only ssh-ed25519 and ssh-rsa are the supported algorithms

If you remove the respective HostKey line from the configuration, that key will not be offered by the server (the following lines):

HostKey         /etc/ssh/ssh_host_dsa_key
HostKey         /etc/ssh/ssh_host_ecdsa_key
Jakuje
  • I commented out the ecdsa and dsa keys. The server now only offers rsa and ed25519, but now I can't verify the host key fingerprints. That question is a new thread. – Volker Raschek May 05 '17 at 15:39
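The approach in the answer, pruning HostKey lines because the 6.7p1 server has no HostKeyAlgorithms option, as an added shell example (not code from the original post or from the OpenSSH project). It assumes the Debian key file names shown in the question (ssh_host_rsa_key, ssh_host_dsa_key, ssh_host_ecdsa_key, ssh_host_ed25519_key) and derives the key type from the file name; the sample sshd_config it operates on is constructed inline, and the probe_server function needs network access and a real host.

```shell
#!/bin/sh
# Added example: restrict which host key types sshd offers on an OpenSSH
# release without a server-side HostKeyAlgorithms option, by commenting out
# the HostKey lines for the types you do not want. Assumption: key files
# follow the Debian naming scheme /etc/ssh/ssh_host_<type>_key.

# Print the key type implied by each active (uncommented) HostKey line.
hostkey_types() {
    # $1: path to an sshd_config
    awk 'tolower($1) == "hostkey" {
            n = split($2, p, "/")
            f = p[n]                      # e.g. ssh_host_ecdsa_key
            sub(/^ssh_host_/, "", f)
            sub(/_key$/, "", f)
            print f                       # e.g. ecdsa
        }' "$1"
}

# Copy sshd_config $1 to $2, commenting out every HostKey line whose type is
# not in the space-separated allow-list $3 (e.g. "rsa ed25519").
harden_hostkeys() {
    cfg=$1; out=$2; allow=$3
    awk -v allow="$allow" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        tolower($1) == "hostkey" {
            n = split($2, p, "/"); f = p[n]
            sub(/^ssh_host_/, "", f); sub(/_key$/, "", f)
            if (!(f in ok)) { print "#" $0; next }   # disable this key type
        }
        { print }' "$cfg" > "$out"
}

# Ask a live server, type by type, which host keys it can still present.
# ssh-keyscan prints a key line only if the server offers that type.
# Needs network access; not exercised by the self-test below.
probe_server() {
    for t in rsa dsa ecdsa ed25519; do
        if ssh-keyscan -t "$t" "$1" 2>/dev/null | grep -q .; then
            echo "$t: offered"
        else
            echo "$t: not offered"
        fi
    done
}

# Constructed sample config, mirroring the HostKey lines from the question.
sample_config() {
    cat <<'EOF'
Port            22
HostKey         /etc/ssh/ssh_host_rsa_key
HostKey         /etc/ssh/ssh_host_dsa_key
HostKey         /etc/ssh/ssh_host_ecdsa_key
HostKey         /etc/ssh/ssh_host_ed25519_key
#HostKeyAlgorithms  ssh-ed25519,ssh-rsa
EOF
}

# Stand-alone demonstration on the constructed sample.
demo() {
    d=$(mktemp -d)
    sample_config > "$d/sshd_config"
    echo "before: $(hostkey_types "$d/sshd_config" | tr '\n' ' ')"
    harden_hostkeys "$d/sshd_config" "$d/sshd_config.hardened" "rsa ed25519"
    echo "after:  $(hostkey_types "$d/sshd_config.hardened" | tr '\n' ' ')"
    rm -rf "$d"
}

[ "${1:-}" = "demo" ] && demo
```

After writing the hardened file over /etc/ssh/sshd_config, run `sshd -t` to syntax-check it before restarting the daemon, then `probe_server yourhost` from another machine to confirm that only rsa and ed25519 are still offered. The SSHFP records for the remaining keys can be regenerated with `ssh-keygen -r yourhost -f /etc/ssh/ssh_host_ed25519_key.pub` (and likewise for the RSA key), so the DNS zone only advertises keys the server still presents.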