SSH Host Key generation

Status
Not open for further replies.

Erich

Dabbler
Joined
Jan 10, 2014
Messages
14
Hi,
I've got several FreeNAS boxes, which I'd like to access via ssh. Both user and host keys are supposed to be 4096 bits long and of type RSA. On user key side all is fine. Host keys are generated by FreeNAS magic upon setup and Services/SSH/Settings changes. And they are only 2048 bits of length.

So I started to dig a bit and of course the rc-script can be modified to generate long RSA keys, if I insert -b 4096 into the right line. Once the old key is removed (by hand) and the rc-script is run ( service openssh restart), a new key pair is in place. That's all good, but it only lasts until I touch the GUI ssh-wise. Then a different mechanism wipes my long keys and puts short ones back in place.

Can anybody please tell me what's going on here? I think best solution would be to put a new default RSA host key length setting into some GUI element. Unfortunately I wasn't able to find such option in the openssh docs/manuals. The only extra option I put into GUI form is HostKey /usr/local/etc/ssh/ssh_host_rsa_key to convince openssh to only use RSA host keys.
 
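The post above describes host keys being silently replaced by the FreeNAS middleware, so the practical check is to verify, from a client, what size RSA host key each box is actually presenting. The script below is an added example, not code from the original post or from FreeNAS: it parses the `ssh-rsa` public-key blob (RFC 4251 wire format: a string for the key type, then the mpints e and n) out of `ssh-keyscan`/`known_hosts` style lines and reports the modulus bit length. The sample lines are constructed in the code with synthetic moduli (not real key pairs) so it runs offline; the host names are made up.

```python
import base64
import struct
import sys


def _string(data: bytes) -> bytes:
    """SSH 'string': uint32 length prefix followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def _mpint(value: int) -> bytes:
    """SSH 'mpint' (RFC 4251 section 5): big-endian two's complement, minimal length."""
    if value == 0:
        return struct.pack(">I", 0)
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big")
    if raw[0] & 0x80:
        raw = b"\x00" + raw  # keep the sign bit clear for a positive integer
    return struct.pack(">I", len(raw)) + raw


def _read_string(blob: bytes, offset: int):
    """Read one length-prefixed field; return (bytes, new_offset)."""
    (length,) = struct.unpack_from(">I", blob, offset)
    offset += 4
    return blob[offset:offset + length], offset + length


def rsa_modulus_bits(pubkey_line: str) -> int:
    """Modulus bit length of an 'ssh-rsa' line (authorized_keys, known_hosts or ssh-keyscan format).

    known_hosts and ssh-keyscan lines carry a leading host field, so the key type
    token is located by value rather than by position.
    """
    fields = pubkey_line.split()
    if "ssh-rsa" not in fields:
        raise ValueError("not an ssh-rsa key line")
    idx = fields.index("ssh-rsa")
    blob = base64.b64decode(fields[idx + 1])
    key_type, off = _read_string(blob, 0)
    if key_type != b"ssh-rsa":
        raise ValueError("blob type does not match the key type token")
    _e, off = _read_string(blob, off)        # public exponent, not needed here
    n_bytes, off = _read_string(blob, off)   # modulus; a leading 0x00 pad does not change the value
    return int.from_bytes(n_bytes, "big").bit_length()


def audit_host_keys(lines, minimum_bits: int = 4096):
    """Map host -> (modulus bits, meets minimum) for every ssh-rsa line in `lines`."""
    results = {}
    for line in lines:
        if not line.strip() or line.startswith("#"):  # ssh-keyscan prints '# host:22 SSH-2.0-...' comments
            continue
        host = line.split()[0]
        bits = rsa_modulus_bits(line)
        results[host] = (bits, bits >= minimum_bits)
    return results


def _constructed_rsa_line(host: str, bits: int) -> str:
    """Build an ssh-keyscan style line with a synthetic modulus of exactly `bits` bits.

    Constructed test data: the modulus is not a real RSA key (nothing was factored
    or generated); it only exercises the parser with a known bit length.
    """
    e = 65537
    n = (1 << (bits - 1)) | 1  # top bit set, so n.bit_length() == bits
    blob = _string(b"ssh-rsa") + _mpint(e) + _mpint(n)
    return f"{host} ssh-rsa {base64.b64encode(blob).decode()}"


# Constructed sample: one box still on the middleware-generated 2048-bit key,
# one on a hand-generated 4096-bit key. Host names are assumed, not real.
SAMPLE_SCAN = [
    "# nas1.example.internal:22 SSH-2.0-OpenSSH",
    _constructed_rsa_line("nas1.example.internal", 2048),
    _constructed_rsa_line("nas2.example.internal", 4096),
]


if __name__ == "__main__":
    # Pipe real data in with:  ssh-keyscan -t rsa nas1 nas2 | python3 audit_hostkeys.py
    scan = sys.stdin.read().splitlines() if not sys.stdin.isatty() else SAMPLE_SCAN
    for host, (bits, ok) in sorted(audit_host_keys(scan).items()):
        print(f"{host}: RSA {bits} bits {'OK' if ok else 'BELOW MINIMUM'}")
```

Running this after every GUI change to the SSH service is a quick way to catch the key being regenerated at 2048 bits; it reads the key the server really offers rather than trusting what is on disk in /usr/local/etc/ssh.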

Chris Moore

Hall of Famer
Joined
May 2, 2015
Messages
10,080
Why did you change it from the default?

 

Erich

Dabbler
Joined
Jan 10, 2014
Messages
14
Hi Chris,
to have them 4096 bits long instead of only 2048.

Do you know a place to set 4096 as default in GUI?
 

dlavigne

Guest
Hi Chris,
to have them 4096 bits long instead of only 2048.

Do you know a place to set 4096 as default in GUI?

ATM there isn't one. If you decide to make a feature request at bugs.freenas.org, post the issue number here.
 

Erich

Dabbler
Joined
Jan 10, 2014
Messages
14
Okay. It's no problem to not have GUI elements. Command line is just fine. As I pointed out earlier, if I create new host keys and restart opensshd, the new keys are being used. That's good. I also found the place to have the keys created by the rc-script upon call. Also good. For this, I only need to remember to reapply this "fix" after an upgrade, assuming it would be overwritten by an upgrade.

The problem is, though, that once I touch an ssh-related GUI ('Services'), the old 2048 keys reappear w/ current timestamp. Where do they come from? Why are they stored in (at least two) different places? Why aren't the newly created ones stored in this hidden stash, too?

Can you please shine some light on these inner workings? That'll be great. Thank you.
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,504
Can you please shine some light on these inner workings?
Most of the configuration of the system is stored in the configuration database (which is an SQLite database stored at /data/freenas-v1.db), and the middleware regenerates the relevant config files when changes are made. If you were sufficiently motivated, you could probably find the place in the database where the key is, insert your longer key instead, and go from there. But make sure you have a backup; I take no responsibility if you bork your system this way.
 