Add ssh_keygen_flags variable to rc.conf to allow users to set the

size of auto-generated keys if desired.

etc/defaults/rc.conf

@@ -1,4 +1,4 @@
-#	$NetBSD: rc.conf,v 1.55 2004/01/31 21:49:52 christos Exp $
+#	$NetBSD: rc.conf,v 1.56 2004/02/18 17:36:34 jonb Exp $
 #
 # /etc/defaults/rc.conf --
 #	default configuration of /etc/rc.conf
@@ -186,6 +186,7 @@ ntpd=NO			ntpd_flags=""		# see below for ntpd_chrootdir
 postfix=NO
 lpd=NO			lpd_flags="-s"		# -s "secure" unix domain only
 sshd=NO			sshd_flags=""
+ssh_keygen_flags="-b 1024"	# generate 1024 bit keys if host keys missing
 
 # sendmail can now be run either as a suid root binary or as a sgid
 # smmsp binary.  In the former case, you must not have the file

etc/rc.d/sshd

@@ -1,6 +1,6 @@
 #!/bin/sh
 #
-# $NetBSD: sshd,v 1.18 2002/04/29 08:23:34 lukem Exp $
+# $NetBSD: sshd,v 1.19 2004/02/18 17:36:34 jonb Exp $
 #
 
 # PROVIDE: sshd
@@ -24,7 +24,7 @@ sshd_keygen()
 		    "in /etc/ssh/ssh_host_key"
 		echo "Skipping protocol version 1 RSA Key Generation"
 	else
-		/usr/bin/ssh-keygen -t rsa1 -b 1024 \
+		/usr/bin/ssh-keygen -t rsa1 ${ssh_keygen_flags} \
 		    -f /etc/ssh/ssh_host_key -N ''
 	fi
 
@@ -33,7 +33,8 @@ sshd_keygen()
 		    "in /etc/ssh/ssh_host_dsa_key"
 		echo "Skipping protocol version 2 DSA Key Generation"
 	else
-		/usr/bin/ssh-keygen -t dsa -f /etc/ssh/ssh_host_dsa_key -N ''
+		/usr/bin/ssh-keygen -t dsa ${ssh_keygen_flags} \
+		    -f /etc/ssh/ssh_host_dsa_key -N ''
 	fi
 
 	if [ -f /etc/ssh/ssh_host_rsa_key ]; then
@@ -41,7 +42,8 @@ sshd_keygen()
 		    "in /etc/ssh/ssh_host_rsa_key"
 		echo "Skipping protocol version 2 RSA Key Generation"
 	else
-		/usr/bin/ssh-keygen -t rsa -f /etc/ssh/ssh_host_rsa_key -N ''
+		/usr/bin/ssh-keygen -t rsa ${ssh_keygen_flags} \
+		    -f /etc/ssh/ssh_host_rsa_key -N ''
 	fi
 	)
 }