Index | Thread | Search

From:
Stuart Henderson <stu@spacehopper.org>
Subject:
Re: Add ML-DSA-44 / Ed25519 hybrid SSH host keys to changelist and mtree
To:
Bjorn Ketelaars <bket@openbsd.org>
Cc:
tech@openbsd.org
Date:
Fri, 26 Jun 2026 15:57:04 +0100

Download raw body.

Thread 
On 2026/06/26 16:39, Bjorn Ketelaars wrote:
> With OpenSSH introducing ML-DSA-44 / Ed25519 hybrid host keys, they
> probably need to be tracked in /etc/changelist and /etc/mtree/special.
> 
> Diff below adds the new host keys with the appropriate permissions (0600
> for the private key, 0644 for the public key) and marks them as
> optional.
> 
> Comments / OK?

ok. ssh-keygen -A generates them already, so the files should be tracked.

> 
> diff --git etc/changelist etc/changelist
> index 0dc0188b184..a1e2b12412d 100644
> --- etc/changelist
> +++ etc/changelist
> @@ -145,6 +145,8 @@
>  /etc/ssh/ssh_host_ed25519_key.pub
>  +/etc/ssh/ssh_host_key
>  /etc/ssh/ssh_host_key.pub
> ++/etc/ssh/ssh_host_mldsa44_ed25519_key
> +/etc/ssh/ssh_host_mldsa44_ed25519_key.pub
>  +/etc/ssh/ssh_host_rsa_key
>  /etc/ssh/ssh_host_rsa_key.pub
>  /etc/ssh/sshd_config
> diff --git etc/mtree/special etc/mtree/special
> index 05e89c65e23..34dde68bb36 100644
> --- etc/mtree/special
> +++ etc/mtree/special
> @@ -106,6 +106,8 @@ ssh_host_ed25519_key	type=file mode=0600 uname=root gname=wheel optional
>  ssh_host_ed25519_key.pub	type=file mode=0644 uname=root gname=wheel optional
>  ssh_host_key	type=file mode=0600 uname=root gname=wheel optional
>  ssh_host_key.pub	type=file mode=0644 uname=root gname=wheel optional
> +ssh_host_mldsa44_ed25519_key	type=file mode=0600 uname=root gname=wheel optional
> +ssh_host_mldsa44_ed25519_key.pub	type=file mode=0644 uname=root gname=wheel optional
>  ssh_host_rsa_key	type=file mode=0600 uname=root gname=wheel optional
>  ssh_host_rsa_key.pub	type=file mode=0644 uname=root gname=wheel optional
>  sshd_config	type=file mode=0644 uname=root gname=wheel
>