Here is a set of patches that add functionality to rc.conf allowing users an easy way to control the length of the host keys used with ssh (specifically RSA and ECDSA used with protocol version 2).

I would like to also discuss the merits of changing FreeBSD's default behavior to using 4096 bit RSA keys and 521 bit ECDSA keys.

I have refrained from changing FreeBSD's default behavior in these patches and stuck to just adding configurability.

Please let me know if you see any problems with these patches.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: rc.conf.5.diff
Type: application/octet-stream
Size: 1188 bytes
Desc: not available
Url : http://lists.freebsd.org/pipermail/freebsd-security/attachments/20120624/6228f990/rc.conf.5.obj
-------------- next part --------------
A non-text attachment was scrubbed...
Name: rc.conf.diff
Type: application/octet-stream
Size: 624 bytes
Desc: not available
Url : http://lists.freebsd.org/pipermail/freebsd-security/attachments/20120624/6228f990/rc.conf.obj
-------------- next part --------------
A non-text attachment was scrubbed...
Name: sshd.diff
Type: application/octet-stream
Size: 756 bytes
Desc: not available
Url : http://lists.freebsd.org/pipermail/freebsd-security/attachments/20120624/6228f990/sshd.obj

On 24. Jun 2012, at 16:07 , Robert Simmons wrote:

> Here is a set of patches that add functionality to rc.conf allowing
> users an easy way to control the length of the host keys used with ssh
> (specifically RSA and ECDSA used with protocol version 2).

Created for, not used with -- right? The used with is controlled in sshd_config and if the key is not there but it's enabled in sshd_config you'll get a warning on boot which is very annoying.

> I would like to also discuss the merits of changing FreeBSD's default
> behavior to using 4096 bit RSA keys and 521 bit ECDSA keys.
>
> I have refrained from changing FreeBSD's default behavior in these
> patches and stuck to just adding configurability.

Do we differ from what the OpenSSH defaults are?

/bz

--
Bjoern A. Zeeb
You have to have visions!
It does not matter how good you are. It matters what good you do!

On 06/24/2012 09:07, Robert Simmons wrote:

> Here is a set of patches that add functionality to rc.conf allowing
> users an easy way to control the length of the host keys used with ssh

Sorry, this doesn't belong in rc.d. The defaults are more than sufficient for the overwhelming majority of FreeBSD users. As has already been pointed out to you, the key can easily be changed after the system has booted for the first time.

Knobs in rc.d should be for things that users are likely to need to configure, and/or need to be run often. Host key generation happens exactly one time in the life of a system, so this is neither.

... and yes, I stay very up to date on current discussions of cryptographic topics, including RSA key lengths. If you can point to a realistic threat model that would allow a 2048 bit key to be compromised where a larger RSA key would not, it would be worthwhile to have a discussion about changing the defaults. But it still wouldn't belong in rc.d.

hope this helps,

Doug

--
This .signature sanitized for your protection
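
An added example, not part of the thread and not taken from the attached patches: a small audit that checks existing host keys against a site's chosen minimum lengths, which applies whether the keys were generated at first boot or replaced afterwards. It reads lines in `ssh-keygen -l -f <keyfile>` output format; the function name `audit_hostkeys` and the sample fingerprints are constructed for illustration, and the 4096/521 thresholds are the sizes proposed in the thread, used here only as a policy choice.

```shell
#!/bin/sh
# Added example: flag SSH host keys shorter than a chosen minimum.
# Input lines use the `ssh-keygen -l -f <keyfile>` layout:
#   <bits> <fingerprint> <comment...> (<TYPE>)

# audit_hostkeys MIN_RSA MIN_ECDSA   (fingerprint lines on stdin)
# Prints "WEAK|OK|SKIP <type> <bits>" per key; returns 1 if any key is WEAK.
audit_hostkeys() {
    awk -v min_rsa="$1" -v min_ecdsa="$2" '
        NF < 3 { next }                      # ignore blank or malformed lines
        {
            bits = $1 + 0
            type = $NF                       # last field, e.g. "(RSA)"
            gsub(/[()]/, "", type)
            min = -1
            if (type == "RSA")   min = min_rsa
            if (type == "ECDSA") min = min_ecdsa
            if (min < 0) { print "SKIP " type " " bits; next }  # no policy set
            if (bits < min) { print "WEAK " type " " bits; weak = 1; next }
            print "OK " type " " bits
        }
        END { exit (weak ? 1 : 0) }
    '
}

# Constructed sample input (placeholder fingerprints, not real keys).
SAMPLE='2048 SHA256:PLACEHOLDERrsa root@host.example (RSA)
256 SHA256:PLACEHOLDERecdsa root@host.example (ECDSA)
256 SHA256:PLACEHOLDERed25519 no comment (ED25519)'

# On a live system the input would come from something like:
#   for f in /etc/ssh/ssh_host_*_key.pub; do ssh-keygen -l -f "$f"; done
printf '%s\n' "$SAMPLE" | audit_hostkeys 4096 521 ||
    echo "at least one host key is below the requested size"
```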