Bug 533339

Summary: Make RSA1/DSA key generation optional
Product: [Fedora] Fedora
Component: openssh
Version: 12
Status: CLOSED CURRENTRELEASE
Severity: low
Priority: low
Hardware: All
OS: Linux
Reporter: Daniel Drake <dsd>
Assignee: Jan F. Chadima <jchadima>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
CC: jchadima, mgrepl, tmraz
Doc Type: Bug Fix
Last Closed: 2010-08-26 23:21:53 EDT

Description Daniel Drake 2009-11-06 03:04:42 EST
On systems with slow processors (e.g. OLPC XO-1), initial boot time is quite heavily affected by the slow ssh key generation process.

Could we add an /etc/sysconfig/ssh setting that can control which key types are generated on first boot? Right now it is unconditionally RSA1, DSA, RSA, and we would like to eliminate the RSA1 key generation (who uses that these days!?) to save a few seconds of firstboot time.

Comment 1 Daniel Drake 2009-11-06 03:06:31 EST
Actually, we'd like to eliminate DSA key generation too, just leaving RSA2.

Comment 2 Tomas Mraz 2009-11-06 03:51:01 EST
Just set AUTOCREATE_SERVER_KEYS=NO in the /etc/sysconfig/ssh and create the RSA key manually in the kickstart.

Comment 3 Daniel Drake 2009-11-06 04:10:48 EST
That would result in every XO having the same RSA key.

Comment 4 Tomas Mraz 2009-11-06 04:47:13 EST
No, you would use the %post installation script in the kickstart to call the ssh-keygen to generate the key on the machine. Or if you distribute already preinstalled images you can generate the key directly in the /etc/sysconfig/ssh file - it is run by shell so you can call anything there.

Comment 5 Daniel Drake 2009-11-06 04:55:18 EST
Could do, although seems a bit ugly. Is there no possibility of getting this added in a more official capacity?

Comment 6 Tomas Mraz 2009-11-06 05:34:42 EST
Well maybe the AUTOCREATE_SERVER_KEYS=RSAONLY might be done to be recognized by the init script.

Comment 7 Bug Zapper 2009-11-16 10:12:37 EST
This bug appears to have been reported against 'rawhide' during the Fedora 12 development cycle.
Changing version to '12'.

More information and reason for this action is here:

Comment 8 Daniel Drake 2010-08-26 23:21:53 EDT
Thank you. I see this is fixed in F14 with AUTOCREATE_SERVER_KEYS=RSAONLY
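
The workaround from comments 2 and 4, as an added example that is not part of the bug thread or the Fedora init script: a shell fragment that disables automatic key creation and generates only an RSA host key on the device itself, so no two machines built from one image share a key. The function name `ensure_rsa_host_key` and the `/etc/ssh` default key directory are assumptions.

```shell
#!/bin/sh
# Added example, not from the bug report or the openssh package.
# Intended to be sourced from /etc/sysconfig/ssh (which the init script
# runs through the shell) or pasted into a kickstart %post section.

# Stop the init script from creating RSA1, DSA and RSA keys on its own.
AUTOCREATE_SERVER_KEYS=NO

# ensure_rsa_host_key [keydir]
# Hypothetical helper. Creates keydir/ssh_host_rsa_key on this machine if
# it does not exist yet. Returns 0 when a usable key pair is present.
ensure_rsa_host_key() {
    keydir=${1:-/etc/ssh}          # assumed default location
    key=$keydir/ssh_host_rsa_key

    # Idempotent: an existing key pair is never regenerated, so the host
    # identity stays stable across reboots and clients keep trusting it.
    if [ -s "$key" ] && [ -s "$key.pub" ]; then
        return 0
    fi

    # Clear a half-written pair left behind by an interrupted first boot.
    rm -f "$key" "$key.pub"

    # -t rsa : protocol 2 RSA only, no RSA1 or DSA key is produced
    # -N ''  : no passphrase, sshd has to read the key unattended
    # -C ''  : empty comment, keeps build host names out of the .pub file
    # umask 077 keeps the private key unreadable to others from creation.
    ( umask 077 && ssh-keygen -q -t rsa -N '' -C '' -f "$key" ) || return 1

    chmod 600 "$key" && chmod 644 "$key.pub"
}

# Call this on the target machine at first boot, never at image build
# time, otherwise every device shipped from that image has the same key:
#   ensure_rsa_host_key /etc/ssh
```

Running the call while building the image is the failure mode raised in comment 3; it belongs in a step that executes on each device.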