The sshd init script runs `ssh-keygen -A` which generates a default set of keys in /etc/ssh/, but if I specifically have a configuration to not use certain keys, there's no clean way to prevent the init script from generating them anyway. Another Linux distribution (Alpine Linux) addressed this issue by introducing an option in /etc/conf.d/sshd (they named it "SSHD_DISABLE_KEYGEN") to disable generating keys: https://git.alpinelinux.org/aports/commit/?id=a439ca13411b044211fcb9a8137647ce4033b448 I think it's a good idea, and I think Gentoo should do the same.
Sounds like pointless complexity to me. The keys are really only generated once per system.
Not sure what you mean. Are you saying the current logic of having keys be generated as part of the init script is pointless complexity, or are you saying that adding a configuration option to disable it would be pointless complexity? FWIW I'd also accept just not generating the keys at all as part of the init script, but I'm not sure where they would be generated then -- as part of the ebuild maybe, if no keys exist? I wonder how other distributions do it. Or if it is decided that it *must* be in the init script as a safety check, then instead of adding a configuration option to disable it the logic could be changed to only generate the keys if there are none at all in /etc/ssh/.
Adding a variable to optionally disable key generation in the init script is pointless complexity. ssh-keygen -A will skip key creation if the keys are already there. It would only re-generate them if you remove the keys.
I mean, you can argue that it's complexity you're unwilling to add, but I wouldn't call it pointless. Gentoo is all about having fine control over one's system, and I don't want to use DSA or ECDSA keys. So the point is to not have the system generating keys I won't use and don't want used accidentally. If the keys are supposed to be generated once per system, then why would you have the init script generating keys it deems as missing on every stop and start of sshd? Is that generally considered a good practice? I'm not asking hypothetically, I'm actually not sure. Also (though this is sort of beside the point), depending on one's security and threat models, you actually may want to generate these keys more often than just once.
To clarify, ssh-keygen is regenerating the DSA and ECDSA keys I've deleted despite the presence of RSA and ED25519 keys.
The keys are generated as part of the init script because we have to support things like 'live' environments (see bug 675922 for a recent example). We cannot determine which keys you are using. The next user could file the same bug because his/her configuration uses a different name/location and therefore doesn't need the 'default' keys. It's not really worth talking about this given that there isn't really any IO involved when the keys exist (which is the normal state), and the file size is... c'mon. If you, for some reason, don't want those keys and always delete them because you use a configuration management tool, I recommend rolling your own runscript without the ssh-keygen call as well.
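As an added illustration of the two alternatives floated in this thread (a switch like Alpine's SSHD_DISABLE_KEYGEN, and generating only the keys the configuration actually needs), here is a start_pre-style fragment one could drop into a private runscript. It is not Gentoo's sshd init script and not Alpine's; the variable names SSHD_CONFIG, SSHD_DISABLE_KEYGEN and KEYGEN are assumptions, as is inferring the key type from OpenSSH's conventional ssh_host_<type>_key file name. It reads the HostKey directives from sshd_config, skips keys that already exist, and falls back to plain `ssh-keygen -A` only when the config names no HostKey at all (the case where sshd uses its built-in default set).

```shell
#!/bin/sh
# Added example, not the Gentoo sshd runscript: generate only the host keys
# that sshd_config names, leave existing ones alone, and honour a
# SSHD_DISABLE_KEYGEN switch in the spirit of Alpine's /etc/conf.d/sshd.
# SSHD_CONFIG, SSHD_DISABLE_KEYGEN and KEYGEN are assumed variable names.

SSHD_CONFIG=${SSHD_CONFIG:-/etc/ssh/sshd_config}
SSHD_DISABLE_KEYGEN=${SSHD_DISABLE_KEYGEN:-no}
KEYGEN=${KEYGEN:-ssh-keygen}   # overridable so the logic can be tested without ssh-keygen

# Derive the key type from OpenSSH's conventional file name
# (.../ssh_host_<type>_key). Prints nothing for any other name.
keytype_from_path() {
    t=${1##*/}
    case $t in
        ssh_host_*_key) t=${t#ssh_host_}; printf '%s\n' "${t%_key}" ;;
    esac
}

# List the HostKey paths from an sshd_config that do not exist yet.
# sshd treats directive names case-insensitively, so match the same way.
sshd_missing_hostkeys() {
    awk 'tolower($1) == "hostkey" { print $2 }' "$1" | while read -r path; do
        [ -f "$path" ] || printf '%s\n' "$path"
    done
}

# Generate the missing keys. Returns 0 without touching anything when
# SSHD_DISABLE_KEYGEN is set. With no HostKey directive at all, sshd uses its
# built-in default set, so defer to ssh-keygen -A, which skips existing files.
sshd_gen_hostkeys() {
    cfg=${1:-$SSHD_CONFIG}
    case $SSHD_DISABLE_KEYGEN in
        [Yy]es|1|true) return 0 ;;
    esac
    if ! grep -qi '^[[:space:]]*hostkey[[:space:]]' "$cfg"; then
        "$KEYGEN" -A
        return
    fi
    # HostKey paths in sshd_config cannot contain whitespace, so word splitting is safe.
    for path in $(sshd_missing_hostkeys "$cfg"); do
        type=$(keytype_from_path "$path")
        if [ -z "$type" ]; then
            echo "cannot infer key type for $path; generate it by hand" >&2
            continue
        fi
        "$KEYGEN" -q -t "$type" -N '' -f "$path" || return 1
    done
}
```

In a runscript, `start_pre() { sshd_gen_hostkeys; }` replaces the unconditional `ssh-keygen -A`. Deleting ssh_host_dsa_key and ssh_host_ecdsa_key while only RSA and ED25519 HostKey lines are configured then no longer brings the deleted keys back on the next start, and setting SSHD_DISABLE_KEYGEN=yes in the conf.d file disables generation entirely for configuration-managed hosts.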