Date:      Sun, 24 Jun 2012 12:07:24 -0400
From:      Robert Simmons <rsimmons0@gmail.com>
To:        freebsd-security@freebsd.org
Subject:   Add rc.conf variables to control host key length
Message-ID:  <CA%2BQLa9CX26xEwRsz3g6FvBBbbFE0Gfw%2BUR6_RHYOXgZFcgCw5w@mail.gmail.com>


[-- Attachment #1 --]
Here is a set of patches that add functionality to rc.conf allowing
users an easy way to control the length of the host keys used with ssh
(specifically RSA and ECDSA used with protocol version 2).

I would like to also discuss the merits of changing FreeBSD's default
behavior to using 4096-bit RSA keys and 521-bit ECDSA keys.

I have refrained from changing FreeBSD's default behavior in these
patches and stuck to just adding configurability.

Please let me know if you see any problems with these patches.

[-- Attachment #2 --]
--- src/share/man/man5/rc.conf.5.old	2012-06-24 11:26:30.367361969 -0400
+++ src/share/man/man5/rc.conf.5	2012-06-24 11:49:50.411334479 -0400
@@ -3664,6 +3664,32 @@
 these are the flags to pass to the
 .Xr sshd 8
 daemon.
+.It Va rsa_keysize_flag
+.Pq Vt str
+If
+.Va sshd_enable
+is set to
+.Dq Li YES ,
+this is the flag to pass to
+.Xr ssh-keygen 1
+that specifies the number of bits to create in the RSA host key used with ssh
+protocol version 2.
+The minimum size is 768 bits, and the default is 2048 bits.
+Generally, 2048 bits is considered sufficient, but the maximum is 4096 bits.
+Leaving this empty will set the size to default.
+.It Va ecdsa_keysize_flag
+.Pq Vt str
+If
+.Va sshd_enable
+is set to
+.Dq Li YES ,
+this is the flag to pass to
+.Xr ssh-keygen 1
+that determines the key length by selecting from one of three elliptic curve
+sizes used to generate the ECDSA key used with ssh protocol version 2.
+The three choices are 256, 384, and 521 bits with 256 bits being the default.
+Attempting to use bit lengths other than these three values will fail.
+Leaving this empty will set the size to default.
 .It Va ftpd_program
 .Pq Vt str
 Path to the FTP server program
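Review bot: The description of `rsa_keysize_flag` and `ecdsa_keysize_flag` never states what form the value must take. The variable names and the rc.conf comment call it a "flag", but the prose ("the number of bits to create", "The three choices are 256, 384, and 521 bits") reads as though a bare number is expected; since the rc.d script expands the variable verbatim on the `ssh-keygen` command line, the man page should say explicitly that the value is the complete option string, e.g. `.Dq Li -b 4096` for RSA and `.Dq Li -b 521` for ECDSA, and that a bare number will not work. It would also help to note that the variable is only consulted when the host key is first generated: once `/etc/ssh/ssh_host_rsa_key` or `/etc/ssh/ssh_host_ecdsa_key` exists the script skips generation, so changing the value later has no effect on an existing key.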

[-- Attachment #3 --]
--- src/etc/defaults/rc.conf.old	2012-06-24 11:17:33.095372518 -0400
+++ src/etc/defaults/rc.conf	2012-06-24 11:53:47.283329830 -0400
@@ -316,6 +316,8 @@
 sshd_enable="NO"		# Enable sshd
 sshd_program="/usr/sbin/sshd"	# path to sshd, if you want a different one.
 sshd_flags=""			# Additional flags for sshd.
+rsa_keysize_flag=""		# keysize flag for ssh-keygen, v2 RSA keys
+ecdsa_keysize_flag=""		# keysize flag for ssh-keygen, v2 ECDSA keys
 ftpd_enable="NO"		# Enable stand-alone ftpd.
 ftpd_program="/usr/libexec/ftpd" # Path to ftpd, if you want a different one.
 ftpd_flags=""			# Additional flags to stand-alone ftpd.
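Review bot: The new variables break the naming convention of the surrounding block, where every sshd-related knob is prefixed `sshd_` (`sshd_enable`, `sshd_program`, `sshd_flags`); `sshd_rsa_keysize_flag` and `sshd_ecdsa_keysize_flag` would group them with the daemon they belong to and keep `rc.conf` grep-able by service. The trailing comments should also show the expected form of the value, for instance `# keysize flag for ssh-keygen, v2 RSA keys, e.g. "-b 4096"`, because "keysize flag" alone does not tell the reader whether to write `4096` or `-b 4096`.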

[-- Attachment #4 --]
--- src/etc/rc.d/sshd.old	2012-06-24 11:54:51.235328574 -0400
+++ src/etc/rc.d/sshd	2012-06-24 11:56:49.835326245 -0400
@@ -74,7 +74,8 @@
 		    "in /etc/ssh/ssh_host_rsa_key"
 		echo "Skipping protocol version 2 RSA Key Generation"
 	else
-		/usr/bin/ssh-keygen -t rsa -f /etc/ssh/ssh_host_rsa_key -N ''
+		/usr/bin/ssh-keygen ${rsa_keysize_flag} -t rsa \
+		    -f /etc/ssh/ssh_host_rsa_key -N ''
 	fi
 
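Review bot: `${rsa_keysize_flag}` is deliberately left unquoted so that a value such as `-b 4096` word-splits into two arguments, but that means anything the administrator puts in the variable is passed straight to `ssh-keygen` without validation, and there is no check of the exit status afterwards. A typo (a bare `4096`, or `-b` with no number) makes `ssh-keygen` fail, the script continues, and the host ends up with no RSA host key while the only indication is `ssh-keygen`'s own error text scrolling past at boot. Consider either validating that the value matches `-b <digits>` before use, or at least testing the return value and printing a clear `"RSA host key generation failed"` message so the condition is noticed.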
 	if [ -f /etc/ssh/ssh_host_ecdsa_key ]; then
@@ -82,7 +83,8 @@
 		    "in /etc/ssh/ssh_host_ecdsa_key"
 		echo "Skipping protocol version 2 ECDSA Key Generation"
 	else
-		/usr/bin/ssh-keygen -t ecdsa -f /etc/ssh/ssh_host_ecdsa_key -N ''
+		/usr/bin/ssh-keygen ${ecdsa_keysize_flag} -t ecdsa \
+		    -f /etc/ssh/ssh_host_ecdsa_key -N ''
 	fi
 	)
 }
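Review bot: Same concern as the RSA hunk for `${ecdsa_keysize_flag}`, with one extra wrinkle: the man page says that any size other than 256, 384 or 521 "will fail", yet nothing here checks that `ssh-keygen` succeeded, so an unsupported value silently leaves the system without an ECDSA host key. Since the accepted set is small and fixed, a `case` on the value (`-b\ 256|-b\ 384|-b\ 521|"")` before the `ssh-keygen` call would catch the mistake at the point where the message can still name the offending rc.conf variable.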
