Bug 533339 - Make RSA1/DSA key generation optional
Make RSA1/DSA key generation optional
Product: Fedora
Classification: Fedora
Component: openssh (Show other bugs)
All Linux
low Severity low
: ---
: ---
Assigned To: Jan F. Chadima
Fedora Extras Quality Assurance
Depends On:
  Show dependency treegraph
Reported: 2009-11-06 03:04 EST by Daniel Drake
Modified: 2010-08-26 23:21 EDT (History)
3 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2010-08-26 23:21:53 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description Daniel Drake 2009-11-06 03:04:42 EST
On systems with slow processors (e.g. OLPC XO-1), initial boot time is quite heavily affected by the slow ssh key generation process.

Could we add an /etc/sysconfig/ssh setting that can control which key types are generated on first boot? Right now it is unconditionally RSA1, DSA, RSA, and we would like to eliminate the RSA1 key generation (who uses that these days!?) to save a few seconds of firstboot time.
Comment 1 Daniel Drake 2009-11-06 03:06:31 EST
actually, we'd like to eliminate DSA key generation too, just leaving RSA2.
Comment 2 Tomas Mraz 2009-11-06 03:51:01 EST
Just set AUTOCREATE_SERVER_KEYS=NO in the /etc/sysconfig/ssh and create the RSA key manually in the kickstart.
Comment 3 Daniel Drake 2009-11-06 04:10:48 EST
That would result in every XO having the same RSA key.
Comment 4 Tomas Mraz 2009-11-06 04:47:13 EST
No, you would use the %post installation script in the kickstart to call the ssh-keygen to generate the key on the machine. Or if you distribute already preinstalled images you can generate the key directly in the /etc/sysconfig/ssh file - it is run by shell so you can call anything there.
Comment 5 Daniel Drake 2009-11-06 04:55:18 EST
Could do, although seems a bit ugly. Is there no possibility of getting this added in a more official capacity?
Comment 6 Tomas Mraz 2009-11-06 05:34:42 EST
Well maybe the AUTOCREATE_SERVER_KEYS=RSAONLY might be done to be recognized by the init script.
Comment 7 Bug Zapper 2009-11-16 10:12:37 EST
This bug appears to have been reported against 'rawhide' during the Fedora 12 development cycle.
Changing version to '12'.

More information and reason for this action is here:
Comment 8 Daniel Drake 2010-08-26 23:21:53 EDT
Thank you. I see this is fixed in F14 with AUTOCREATE_SERVER_KEYS=RSAONLY

Note You need to log in before you can comment on or make changes to this bug.