Enforce sshd key algorithm

Question

In ssh_config I have the HostKeyAlgorithms parameter where I can enforce the use of DSS algorithm for the key, like:

HostKeyAlgorithms "ssh-dss"

How can I do this in sshd_config (daemon config) in order to enforce that all connections incoming should use the ssh-dss instead of ssh-rsa ?

I'm curious - why would you want to require the use of DSA (instead of say RSA or other options)? — Ram, Jul 14 '12 at 23:11

score 2 · Accepted Answer · answered Aug 09 '11 at 17:16

2

remove

HostKey /etc/ssh/ssh_host_rsa_key

from sshd_config.

I have to note that using 1024 bit keys with either RSA or DSA is no longer considered secure and standard DSA limits key size to 1024 bits (though OpenSSH can generate DSA keys up to 2048bits)

answered Aug 09 '11 at 17:16

Hubert Kario

6,351
6
33
65

score 0 · Answer 2 · answered Nov 13 '17 at 15:41

0

"OpenSSH 7.0 and greater similarly disable the ssh-dss (DSA) public key algorithm. It too is weak and we recommend against its use."

Source : https://www.openssh.com/legacy.html

answered Nov 13 '17 at 15:41

bgtvfr

1,224
10
19

Enforce sshd key algorithm

2 Answers2