Date: Thu, 22 Jun 2000 14:24:33 +1000 (EST)
From: Gregory Bond <gnb@itga.com.au>
To: FreeBSD-gnats-submit@freebsd.org
Subject: rc.network wants to generate unsupported DSA key for SSH
X-Send-Pr-Version: 3.2

>Number:         19431
>Category:       conf
>Synopsis:       rc.network wants to generate unsupported DSA key for SSH
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Wed Jun 21 21:30:00 PDT 2000
>Closed-Date:    Mon Jun 26 01:27:19 PDT 2000
>Last-Modified:  Mon Jun 26 01:27:55 PDT 2000
>Originator:     Gregory Bond
>Release:        FreeBSD 4.0-STABLE i386
>Organization:
ITG Australia Limited
>Environment:

4.0-Stable, CVSup'd with crypto from internat.FreeBSD.org

>Description:

If enable_sshd is set in rc.conf, then rc.network will check if the 
host keys are present, and create them if not.  It tries to create
two host keys, an ordinary one and a DSA one.

My ssh-keygen (built from a buildworld with the international 
crypto source but no other known tweaks) doesn't have the required 
-d option for generating DSA keys.  This makes the boot give 
somewhat odd error messages.

>How-To-Repeat:

make update && make world && reboot

>Fix:

I don't know whether this is a simple bug in rc.network (in which case
the fix is simple), or if DSA is supported in the US version but not the
international version (which seems more likely).  In the latter case,
rc.network needs to be more careful about what it attempts to do.  
Should it grep USA_RESIDENT out of make.conf?  This is ugly, but I can't 
think of anything less ugly!


>Release-Note:
>Audit-Trail:

From: David Malone <dwmalone@maths.tcd.ie>
To: Gregory Bond <gnb@itga.com.au>
Cc: FreeBSD-gnats-submit@freebsd.org
Subject: Re: conf/19431: rc.network wants to generate unsupported DSA key for SSH
Date: Thu, 22 Jun 2000 06:59:32 +0100

 On Thu, Jun 22, 2000 at 02:24:33PM +1000, Gregory Bond wrote:
 
 > I don't know whether this is a simple bug in rc.network (in which case
 > the fix is simple), or if DSA is supported in the US version but not the
 > international version (which seems more likely).  In the latter case,
 > rc.network needs to be more careful about what it attempts to do.  
 > Should it grep USA_RESIDENT out of make.conf?  This is ugly, but I can't 
 > think of anything less ugly!
 
 I'm building from international crypto sources here, cvsuped indirectly
 from cvsup.uk.FreeBSD.org and it built a DSA key fine. "ssh-keygen -d"
 still seems to work too. Are you sure you have recent crypto sources?
 
 (DSA is actually more likely to be exported from the US than RSA. DSA
 is designed as a signature algorithm and was designed to be difficult
 to use for encryption. It is possible to use it for encryption though,
 just not as easy as RSA).
 
 	David.
 

From: Gregory Bond <gnb@itga.com.au>
To: FreeBSD-gnats-submit@FreeBSD.ORG
Cc:  
Subject: Re: conf/19431: rc.network wants to generate unsupported DSA key for SSH 
Date: Mon, 26 Jun 2000 17:53:20 +1000

 Grrr.  Mea Culpa.
 
 Further investigation has shown that the problem was a stale CVS archive caused
 by the fact that cvsup.internat.freebsd.org has been uncontactable for the last
 few weeks.....  I've reset to cvsup.dk.freebsd.org and now have a version of
 ssh-keygen with the required -d option.
 
 This PR can be closed.
 
 
 
State-Changed-From-To: open->closed 
State-Changed-By: alex 
State-Changed-When: Mon Jun 26 01:27:19 PDT 2000 
State-Changed-Why:  
Closed on originator's request. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=19431 
>Unformatted:
