Confd.conf <serverHostKey>: ssh-ecdsa and ssh-rsa

General
1

Hi,

ECDSA SSH keys are a best practice (rather than RSA keys).

In confd.conf, <serverHostKey>ssh-rsa<serverHostKey> is working fine.
If I change it to <serverHostKey>ssh-ecdsa<serverHostKey>, then I get the following error:
“Internal error: Startup failed; probably due to incorrect installation\n”

  1. Does ConfD support “ssh-ecdsa” ? Is the name(“ssh-ecdsa”) correct ?
  2. If ConfD supports “ssh-ecsda”, how to provide support for both “ssh-rsa” and “ssh-ecdsa” in my cond.conf ?

Small snapshot of my confd.conf:
<ssh>
<algorithms>
<serverHostKey>ssh-rsa</serverHostKey>
<kex>curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group14-sha1</kex>
</algorithms>
</ssh>

Thanks a lot for your support.

Cheers,
Kanthi

2

The supported algorithms are listed in the confd.conf(5) manual page (also in the confd_cfg.yang module that is the data model for confd.conf) - note that your /confdConfig/ssh/algorithms/kex specifies multiple unsupported algorithms. From the 7.2.0.1 version of the man page:

   /confdConfig/ssh/algorithms/serverHostKey (string) []
        The supported serverHostKey algorithms (if implemented in
        libcrypto) are 'ssh-dss' and 'ssh-rsa', but for any SSH server, it
        is limited to those algorithms for which there is a host key
        installed in the directory given by
        /confdConfig/aaa/sshServerKeyDir.

    /confdConfig/ssh/algorithms/kex (string) []
       The supported key exchange algorithms (as long as their hash
        functions are implemented in libcrypto) are
        'diffie-hellman-group-exchange-sha256',
        'diffie-hellman-group-exchange-sha1', 'diffie-hellman-group14-sha1'
        and 'diffie-hellman-group1-sha1'.

Version 7.2.1 adds diffie-hellman-group18-sha512’ and ‘diffie-hellman-group14-sha256’ for /confdConfig/ssh/algorithms/kex - you need to consult the documentation for your version of ConfD.

3

Thanks Per for the response.

We are running on ConfD Basic version 6.3.
Looks from your reply that ConfD 7.2.0.1 supports only “ssh-dss” and “ssh-rsa”. There is no mention of “ssh-ecdsa”. Does that mean “ssh-ecdsa” is not supported ?

Thanks,
Kanthi

4

Yes, you can in general conclude that if the documentation says “supported foos are x and y”, this means that other foos than x and y are not supported.