MacOS – Disable ECDSA SSH Host keys

encryptionmacosSecurityssh

I would like to disable ECDSA SSH host keys.

I deleted the existing keys:

$ sudo rm -f /etc/ssh/ssh_host_ecdsa_key*

I uncomment ECDSA in /etc/ssh/sshd_config

$ grep -i ecdsa /etc/ssh/sshd_config
#HostKey /etc/ssh/ssh_host_ecdsa_key

But when I restart sshd the keys are re-generated

$ sudo launchctl unload /System/Library/LaunchDaemons/ssh.plist
$ sudo launchctl load -w /System/Library/LaunchDaemons/ssh.plist
$ ls -l /etc/ssh/ssh_host_ecdsa_key*
-rw-------  1 root  wheel  480 Nov 16 14:57 /etc/ssh/ssh_host_ecdsa_key
-rw-r--r--  1 root  wheel  162 Nov 16 14:57 /etc/ssh/ssh_host_ecdsa_key.pub

Ideally, the system would not employ weak elliptic curves as ecdsa-sha2-nistp256 at all going forward.

How can I prevent sshd to regenerate the ECDSA keys?

Best Answer

Maybe not the best solution but substituting the key with empty files seems to work:

cd /etc/ssh/
sudo rm ssh_host_ecdsa_key
sudo touch ssh_host_ecdsa_key
sudo rm ssh_host_ecdsa_key.pub
sudo touch ssh_host_ecdsa_key.pub

The key is invalid and not used, but is not corrected/regenerate when starting up

Related Solutions

MacOS – ECDSA ssh key on 10.8.2

The manpage describes the ability to generate ECC keys because the version of OpenSSH 5.9p1 (the version that comes with Mountain Lion) can potentially support ECC. However, the actual build of OpenSSH that came bundled with Mountain Lion appears to lack ECC support¹. The manpages are not modified when ECC support is not included in the compiled binaries.

If you want or need ECC support, you could use MacPorts (or probably Homebrew) to install a build of OpenSSH that does support ECC. You might run into some incompatibilities though:

the bundled ssh-agent (started automatically by launchd) will not be able to handle any ECC keys (you would have to start your own instance of the “custom”-built agent, or type your password each time you use an ECC key with the “custom”-built ssh), and
the “custom”-built tools will not have Apple’s patched-in Keychain integration.

¹ OpenSSH’s configure script does some checks to make sure that the available OpenSSL library is new enough and includes various bits of ECC functionality; the bundled version of OpenSSL seems to satisfy these requirements. I am not sure why the bundled version of OpenSSH was built without ECC support.

How to enable multiple sshd ports in Mountain Lion

Welp, I found the answer after a few more days of research, with the help of a response to this MacWorld post I thought there had to be some way to include multiple ports in the one .plist file, but I couldn't figure it out. You can add an "Alternate Listener" key to ssh.plist for the extra port inside the Sockets scope, such as:

 <key>Sockets</key>
 <dict>
         <key>Listeners</key>
         <dict>
            (...)
         </dict>
         <key>Alternate Listeners</key>
         <dict>
            <key>SockServiceName</key>
            <string>ssh-alt</string>
         </dict>
 </dict>

Notice the ssh-alt string for SockServiceName. The original "Listeners" key remains as is, so you have Listeners and Alternate Listeners. You have two entries in /etc/services for ssh and ssh-alt like:

ssh              22/udp
ssh              22/tcp
ssh-alt        4790/udp
ssh-alt        4790/tcp

which preserves the port 22 internal access and creates access via port 4790 for external use (assuming you disable port 22 and port forward port 4790 on your firewall/router.

Best Answer

Related Solutions

MacOS – ECDSA ssh key on 10.8.2

How to enable multiple sshd ports in Mountain Lion

Related Question