* [PATCH 1/2] OpenSSH: No longer try to load the RSA key
@ 2024-12-09 11:37 Michael Tremer
2024-12-09 11:37 ` [PATCH 2/2] core190: Load SSH RSA key on legacy systems Michael Tremer
0 siblings, 1 reply; 2+ messages in thread
From: Michael Tremer @ 2024-12-09 11:37 UTC (permalink / raw)
To: development
This key has been removed on new installations.
Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
---
config/ssh/sshd_config | 1 -
1 file changed, 1 deletion(-)
diff --git a/config/ssh/sshd_config b/config/ssh/sshd_config
index e338f8cef..09d771b9a 100644
--- a/config/ssh/sshd_config
+++ b/config/ssh/sshd_config
@@ -27,7 +27,6 @@ MACs hmac-sha2-512-etm(a)openssh.com,hmac-sha2-256-etm(a)openssh.com,umac-128-etm(a)op
# Only allow cryptographically safe SSH host keys (adjust paths if needed)
HostKey /etc/ssh/ssh_host_ed25519_key
HostKey /etc/ssh/ssh_host_ecdsa_key
-HostKey /etc/ssh/ssh_host_rsa_key
# Only allow login via public key by default
PubkeyAuthentication yes
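Review bot: Dropping `HostKey /etc/ssh/ssh_host_rsa_key` from the shipped sshd_config is justified in the commit message only for new installations, and the message says nothing about systems that still have the key. If this file replaces the installed sshd_config on upgrade, clients that have only the RSA host key in known_hosts will see a different host key type on their next connection. Please state in the message that existing systems keep the key through the drop-in written in 2/2, so the two patches are not read or backported separately.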
--
2.39.5
* [PATCH 2/2] core190: Load SSH RSA key on legacy systems
2024-12-09 11:37 [PATCH 1/2] OpenSSH: No longer try to load the RSA key Michael Tremer
@ 2024-12-09 11:37 ` Michael Tremer
0 siblings, 0 replies; 2+ messages in thread
From: Michael Tremer @ 2024-12-09 11:37 UTC (permalink / raw)
To: development
Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
---
config/rootfiles/core/190/update.sh | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/config/rootfiles/core/190/update.sh b/config/rootfiles/core/190/update.sh
index 16ef608e2..3950ba903 100644
--- a/config/rootfiles/core/190/update.sh
+++ b/config/rootfiles/core/190/update.sh
@@ -104,6 +104,14 @@ ldconfig
# Filesytem cleanup
/usr/local/bin/filesystem-cleanup
+# Load the RSA key on systems that still have one
+if [ -e "/etc/ssh/ssh_host_rsa_key" ]; then
+ (
+ echo "# Load the legacy RSA key - Deprecated in Core Update 190"
+ echo "HostKey /etc/ssh/ssh_host_rsa_key"
+ ) > /etc/ssh/sshd_config.d/rsa.conf
+fi
+
# Apply local configuration to sshd_config
/usr/local/bin/sshctrl
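Review bot: The redirect `> /etc/ssh/sshd_config.d/rsa.conf` assumes that the directory already exists and that sshd_config pulls it in with an Include directive, and neither is visible in this series. If the directory is missing the redirect fails and the legacy key is silently no longer offered, so add a `mkdir -p /etc/ssh/sshd_config.d` before the subshell and confirm the Include is present in the shipped sshd_config. The `[ -e ... ]` test also matches an empty file or a directory; `[ -s "/etc/ssh/ssh_host_rsa_key" ]` would be a tighter check. The commit message has no body, so a sentence explaining that this preserves the host key for clients of existing installations would help.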
--
2.39.5