Add the ECDSA host-key algorithms (remove any key sizes you do not wish to allow) within the `<connection>` section of your `ssh-server-config.xml`:

```xml
<hostkey-algorithm name="ecdsa-sha2-nistp256" />
<hostkey-algorithm name="ecdsa-sha2-nistp384" />
<hostkey-algorithm name="ecdsa-sha2-nistp521" />
<hostkey-algorithm name="ssh-dss" />
<hostkey-algorithm name="ssh-rsa" />
<hostkey-algorithm name="ssh-dss-sha256@ssh.com" />
<hostkey-algorithm name="ssh-rsa-sha256@ssh.com" />
<hostkey-algorithm name="x509v3-sign-dss" />
<hostkey-algorithm name="x509v3-sign-rsa" />
<hostkey-algorithm name="x509v3-sign-dss-sha256@ssh.com" />
<hostkey-algorithm name="x509v3-sign-rsa-sha256@ssh.com" />
```
Note: To enable ECDSA host keys for X.509, add also the following
Once the configuration has been amended to use the ECDSA host-key algorithms, you can create the ECDSA host key.
Create the ECDSA host key using `ssh-keygen-g3`. For more information on `ssh-keygen-g3`, refer to the Tectia Server Administrator Manual.
Note: You must ensure your SSH client can accept an ECDSA host key.
The following command will add an ECDSA host key to your SSH Server. By default, a 256-bit key is generated (the `-b` option can be used to define the size of the key).

Run `ssh-keygen-g3` with `-t` (key type), `-H` (host key) and `-P` (no passphrase):

```
[root@host ~]# ssh-keygen-g3 -t ecdsa -H -P
Generating 256 bits ECDSA key on nistp256 curve
Key generated.
256-bit ecdsa, root@host.example.com, Wed Aug 26 2015 10:00:00 +0100
Private key saved to /etc/ssh2/hostkey
Public key saved to /etc/ssh2/hostkey.pub
```
After you have made the changes, you must stop and start the server to take the new configuration into use:

```
# /etc/init.d/ssh-server-g3 stop
# /etc/init.d/ssh-server-g3 start
```
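Before restarting, it is worth checking that the edited `<connection>` section actually contains the ECDSA algorithms you intended and none you meant to remove. The script below is an added example, not part of the Tectia documentation or product: it parses the `<hostkey-algorithm>` entries under `<connection>`, reports which ECDSA curves from the list above are enabled or missing, and flags any name outside an assumed local allow list (here: SHA-2 signature formats only, so the SHA-1-based `ssh-rsa` and `ssh-dss` are flagged). The sample configuration and its root element are constructed placeholders.

```python
import xml.etree.ElementTree as ET

# Constructed sample, not a real Tectia configuration. The root element is a
# placeholder; only the <connection>/<hostkey-algorithm> layout follows the page.
SAMPLE_CONFIG = """<server-config-placeholder>
  <connection>
    <hostkey-algorithm name="ecdsa-sha2-nistp256" />
    <hostkey-algorithm name="ecdsa-sha2-nistp384" />
    <hostkey-algorithm name="ssh-rsa-sha256@ssh.com" />
    <hostkey-algorithm name="ssh-rsa" />
    <hostkey-algorithm name="ssh-dss" />
  </connection>
</server-config-placeholder>"""

ECDSA_PREFIX = "ecdsa-sha2-"
ECDSA_CURVES = ("nistp256", "nistp384", "nistp521")

# Assumed local policy (not a Tectia default): allow only the SHA-2 signature
# formats from the page's list. ssh-rsa and ssh-dss sign with SHA-1, so they
# are deliberately absent and will be reported as disallowed.
DEFAULT_ALLOWED = frozenset(
    [ECDSA_PREFIX + c for c in ECDSA_CURVES]
    + ["ssh-rsa-sha256@ssh.com", "ssh-dss-sha256@ssh.com",
       "x509v3-sign-rsa-sha256@ssh.com", "x509v3-sign-dss-sha256@ssh.com"]
)


def hostkey_algorithms(xml_text):
    """Return the hostkey-algorithm names under <connection>, in file order."""
    root = ET.fromstring(xml_text)
    return [el.get("name", "") for el in root.iterfind(".//connection/hostkey-algorithm")]


def audit_hostkey_algorithms(xml_text, allowed=DEFAULT_ALLOWED):
    """Compare configured host-key algorithms against the allow list.

    Returns the ECDSA curves enabled, the curves from the page's list that are
    absent, names the policy does not allow, and any duplicated entries."""
    names = hostkey_algorithms(xml_text)
    enabled = [n[len(ECDSA_PREFIX):] for n in names if n.startswith(ECDSA_PREFIX)]
    return {
        "ecdsa_enabled": enabled,
        "ecdsa_missing": [c for c in ECDSA_CURVES if c not in enabled],
        "disallowed": [n for n in names if n not in allowed],
        "duplicates": sorted({n for n in names if names.count(n) > 1}),
    }


if __name__ == "__main__":
    for key, value in audit_hostkey_algorithms(SAMPLE_CONFIG).items():
        print(f"{key}: {value}")
```

To run it against a real server, replace `SAMPLE_CONFIG` with the contents of `ssh-server-config.xml` and adjust `DEFAULT_ALLOWED` to your own policy.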