ConfD User Community

Confd.conf <serverHostKey>: ssh-ecdsa and ssh-rsa

Hi,

ECDSA SSH keys are a best practice (rather than RSA keys).

In confd.conf, <serverHostKey>ssh-rsa</serverHostKey> is working fine.
If I change it to <serverHostKey>ssh-ecdsa</serverHostKey>, then I get the following error:
“Internal error: Startup failed; probably due to incorrect installation\n”

  1. Does ConfD support “ssh-ecdsa”? Is the name (“ssh-ecdsa”) correct?
  2. If ConfD supports “ssh-ecdsa”, how do I provide support for both “ssh-rsa” and “ssh-ecdsa” in my confd.conf?

Small snapshot of my confd.conf:
<ssh>
  <algorithms>
    <serverHostKey>ssh-rsa</serverHostKey>
    <kex>curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group14-sha1</kex>
  </algorithms>
</ssh>

Thanks a lot for your support.

Cheers,
Kanthi

The supported algorithms are listed in the confd.conf(5) manual page (also in the confd_cfg.yang module that is the data model for confd.conf) - note that your /confdConfig/ssh/algorithms/kex specifies multiple unsupported algorithms. From the 7.2.0.1 version of the man page:

    /confdConfig/ssh/algorithms/serverHostKey (string) []
        The supported serverHostKey algorithms (if implemented in
        libcrypto) are 'ssh-dss' and 'ssh-rsa', but for any SSH server, it
        is limited to those algorithms for which there is a host key
        installed in the directory given by
        /confdConfig/aaa/sshServerKeyDir.

    /confdConfig/ssh/algorithms/kex (string) []
        The supported key exchange algorithms (as long as their hash
        functions are implemented in libcrypto) are
        'diffie-hellman-group-exchange-sha256',
        'diffie-hellman-group-exchange-sha1', 'diffie-hellman-group14-sha1'
        and 'diffie-hellman-group1-sha1'.

Version 7.2.1 adds ‘diffie-hellman-group18-sha512’ and ‘diffie-hellman-group14-sha256’ for /confdConfig/ssh/algorithms/kex - you need to consult the documentation for your version of ConfD.
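As an added example (not ConfD's own tooling and not posted by anyone in this thread), the following script checks the <ssh><algorithms> block of a confd.conf against the algorithm lists quoted from the confd.conf(5) man page above, so that an unsupported name is caught before the daemon fails at startup. The supported sets are exactly those named in the reply (the 7.2.0.1 lists, plus the two kex algorithms the reply says 7.2.1 adds). The sample input is the <ssh> snapshot from the question wrapped in a <confdConfig> root; that a real confd.conf carries an XML default namespace, and that serverHostKey takes a comma-separated list like kex does, are assumptions of this example, not facts stated in the thread.

```python
"""Validate a confd.conf <ssh><algorithms> block against documented lists.

Added example, not ConfD's own code. Supported sets are taken from the
confd.conf(5) man page text quoted in this thread (7.2.0.1, plus the two
kex algorithms the reply says 7.2.1 adds). Everything else is an assumption.
"""
import xml.etree.ElementTree as ET

# Supported serverHostKey values per the quoted 7.2.0.1 man page.
SUPPORTED_HOST_KEY = {"ssh-dss", "ssh-rsa"}

# Supported kex values per version, per the quoted man page and the reply.
SUPPORTED_KEX = {
    "7.2.0.1": {
        "diffie-hellman-group-exchange-sha256",
        "diffie-hellman-group-exchange-sha1",
        "diffie-hellman-group14-sha1",
        "diffie-hellman-group1-sha1",
    },
}
SUPPORTED_KEX["7.2.1"] = SUPPORTED_KEX["7.2.0.1"] | {
    "diffie-hellman-group18-sha512",
    "diffie-hellman-group14-sha256",
}

# Constructed sample: the <ssh> snapshot from the question, wrapped in a
# <confdConfig> root so it parses as a complete document.
SAMPLE_CONF = """<confdConfig>
<ssh>
<algorithms>
<serverHostKey>ssh-rsa</serverHostKey>
<kex>curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group14-sha1</kex>
</algorithms>
</ssh>
</confdConfig>
"""


def _local(tag):
    """Strip an XML namespace prefix such as '{urn:...}' from a tag name."""
    return tag.rsplit("}", 1)[-1]


def _find(elem, *path):
    """Walk child elements by local name, ignoring namespaces (assumed:
    a real confd.conf declares a default namespace on <confdConfig>)."""
    for name in path:
        if elem is None:
            return None
        elem = next((c for c in elem if _local(c.tag) == name), None)
    return elem


def _csv(elem):
    """Split a comma-separated algorithm string into clean names."""
    if elem is None or not elem.text:
        return []
    return [a.strip() for a in elem.text.split(",") if a.strip()]


def check_ssh_algorithms(conf_xml, version="7.2.0.1"):
    """Return {'serverHostKey': [unsupported...], 'kex': [unsupported...]}.

    An unknown version string falls back to the oldest documented set, so a
    newer algorithm is reported as unsupported rather than silently passed.
    """
    root = ET.fromstring(conf_xml)
    algs = _find(root, "ssh", "algorithms")
    host_keys = _csv(_find(algs, "serverHostKey"))  # assumed comma-separated
    kex = _csv(_find(algs, "kex"))
    kex_ok = SUPPORTED_KEX.get(version, SUPPORTED_KEX["7.2.0.1"])
    return {
        "serverHostKey": [a for a in host_keys if a not in SUPPORTED_HOST_KEY],
        "kex": [a for a in kex if a not in kex_ok],
    }


if __name__ == "__main__":
    for ver in ("7.2.0.1", "7.2.1"):
        for element, bad in check_ssh_algorithms(SAMPLE_CONF, ver).items():
            status = "ok" if not bad else "unsupported: " + ", ".join(bad)
            print(f"{ver} {element}: {status}")
```

Run against the snapshot from the question, the script reports the host key as fine but flags curve25519-sha256@libssh.org and the three ecdh-sha2-nistp* entries as unsupported for both versions, which is the point made in the reply; changing serverHostKey to ssh-ecdsa makes it flag that value as well.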

Thanks Per for the response.

We are running on ConfD Basic version 6.3.
It looks from your reply that ConfD 7.2.0.1 supports only “ssh-dss” and “ssh-rsa”. There is no mention of “ssh-ecdsa”. Does that mean “ssh-ecdsa” is not supported?

Thanks,
Kanthi

Yes, you can in general conclude that if the documentation says “supported foos are x and y”, this means that other foos than x and y are not supported.