Red Hat Bugzilla – Bug 533339
Make RSA1/DSA key generation optional
Last modified: 2010-08-26 23:21:53 EDT
On systems with slow processors (e.g. OLPC XO-1), initial boot time is quite heavily affected by the slow ssh key generation process.
Could we add an /etc/sysconfig/ssh setting that can control which key types are generated on first boot? Right now it is unconditionally RSA1, DSA, RSA, and we would like to eliminate the RSA1 key generation (who uses that these days!?) to save a few seconds of firstboot time.
Actually, we'd like to eliminate DSA key generation too, just leaving RSA2.
Just set AUTOCREATE_SERVER_KEYS=NO in /etc/sysconfig/ssh and create the RSA key manually in the kickstart.
That would result in every XO having the same RSA key.
No, you would use the %post installation script in the kickstart to call ssh-keygen to generate the key on the machine. Or, if you distribute already preinstalled images, you can generate the key directly in the /etc/sysconfig/ssh file - it is run by the shell, so you can call anything there.
Could do, although seems a bit ugly. Is there no possibility of getting this added in a more official capacity?
Well, maybe AUTOCREATE_SERVER_KEYS=RSAONLY might be made to be recognized by the init script.
This bug appears to have been reported against 'rawhide' during the Fedora 12 development cycle.
Changing version to '12'.
More information and reason for this action is here:
Thank you. I see this is fixed in F14 with AUTOCREATE_SERVER_KEYS=RSAONLY.
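
The workaround suggested earlier in this thread (AUTOCREATE_SERVER_KEYS=NO plus a per-machine ssh-keygen call from kickstart %post or /etc/sysconfig/ssh) could look like the sketch below, which keeps each machine's key unique and never replaces a key that already exists. It is an added example, not code from this bug report or from the Fedora init script; the function name, the 2048-bit default and the /etc/ssh/ssh_host_rsa_key path (OpenSSH's usual location) are assumptions.

```shell
#!/bin/sh
# Added example (not from the bug report or the Fedora init script).
# Assumes OpenSSH's ssh-keygen; ensure_rsa_host_key is a hypothetical name.

# ensure_rsa_host_key KEYFILE [BITS]
# Creates an RSA (protocol 2) host key on this machine only if none exists.
ensure_rsa_host_key() {
    key=$1
    bits=${2:-2048}   # assumed default size, not taken from the thread

    # Idempotent: an existing key pair is never replaced, so the host
    # identity stays stable across reboots and clients see no key change.
    if [ -s "$key" ] && [ -s "$key.pub" ]; then
        return 0
    fi

    command -v ssh-keygen >/dev/null 2>&1 || {
        echo "ssh-keygen not found" >&2
        return 1
    }

    if [ -s "$key" ]; then
        # Private key survived but the public half is missing: re-derive
        # it instead of generating a new identity.
        ssh-keygen -y -f "$key" > "$key.pub" || return 1
    else
        # Clear leftovers of an interrupted first boot so ssh-keygen
        # does not stop at an overwrite prompt.
        rm -f "$key" "$key.pub"
        (
            umask 077   # private key is never group/world readable
            ssh-keygen -q -t rsa -b "$bits" -N '' -C '' -f "$key"
        ) || return 1
    fi

    chmod 600 "$key" && chmod 644 "$key.pub"
}

# Runs only when a key path is passed, e.g. from kickstart %post:
#   sh ensure-host-key.sh /etc/ssh/ssh_host_rsa_key   (hypothetical file name)
if [ "$#" -ge 1 ]; then
    ensure_rsa_host_key "$1"
fi
```

Because generation happens on the device at install or first boot, a preinstalled image carries no host key, which avoids the shared-key problem raised above.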