From: Colin Percival
To: freebsd-arch@freebsd.org
Cc: Li-Wen Hsu, Ronald Klop
Date: Tue, 24 Sep 2024 18:41:00 +0000
Subject: Deprecating RSA ssh host keys in 16
List-Id: Discussion related to FreeBSD architecture
List-Archive: https://lists.freebsd.org/archives/freebsd-arch

Hi all,

Last week I turned off RSA host key generation for SSH in EC2 instances,
because (a) modern SSH clients support ecdsa and ed25519 keys, and (b)
generating RSA host keys was taking over 10% of the boot time when EC2
instances booted for the first time.

I don't think we should turn off RSA host key generation in general in
15.x since for non-VM/cloud images the first boot time is less relevant
(if you're installing from an ISO image, the installer will take far
longer than the host key generation) but I think it would make sense to
deprecate RSA host keys in 15 and then turn them off by default in 16.

I'm not sure if there's any good way to announce the deprecation beyond
putting it into the release notes; we could print a warning in 15 when
RSA host keys are generated, but that will always fire regardless of
whether they're being *used* and I don't think there's any practical way
to warn specifically when RSA host keys are *used*. So unless I'm
missing something, the deprecation would just take the form of a few lines
in the release notes.

Thoughts?

Colin Percival

From: Shawn Webb
To: Colin Percival
Cc: freebsd-arch@freebsd.org, Li-Wen Hsu, Ronald Klop
Date: Tue, 24 Sep 2024 19:16:04 +0000
Subject: Re: Deprecating RSA ssh host keys in 16

On Tue, Sep 24, 2024 at 06:41:00PM UTC, Colin Percival wrote:
> Hi all,
>
> Last week I turned off RSA host key generation for SSH in EC2 instances,
> because (a) modern SSH clients support ecdsa and ed25519 keys, and (b)
> generating RSA host keys was taking over 10% of the boot time when EC2
> instances booted for the first time.
>
> I don't think we should turn off RSA host key generation in general in
> 15.x since for non-VM/cloud images the first boot time is less relevant
> (if you're installing from an ISO image, the installer will take far
> longer than the host key generation) but I think it would make sense to
> deprecate RSA host keys in 15 and then turn them off by default in 16.
>
> I'm not sure if there's any good way to announce the deprecation beyond
> putting it into the release notes; we could print a warning in 15 when
> RSA host keys are generated, but that will always fire regardless of
> whether they're being *used* and I don't think there's any practical way
> to warn specifically when RSA host keys are *used*. So unless I'm
> missing something, the deprecation would just take the form of a few lines
> in the release notes.
>
> Thoughts?

With commit e3f33c64ec168a48038309af0c237eda86d10c74[1], introduced on
14 Nov 2024, HardenedBSD has disabled the generation of RSA host keys
by default.

We haven't seen any reports of any breakage. While the change might be
considered a POLA violation, it seems pretty harmless on today's
15-CURRENT systems.

We have a number of 15-CURRENT users, though we don't have any hard
data, and likely pales in comparison to the FreeBSD side--enough so
that the sample is too small to be a significant or reliable data
point.

I have this commit tagged as MFC-able, though I haven't MFC'd just yet.
It completely spaced my mind and I'll likely MFC shortly after sending
this email.

[1]: https://git.hardenedbsd.org/hardenedbsd/HardenedBSD/-/commit/e3f33c64ec168a48038309af0c237eda86d10c74

Thanks,

-- 
Shawn Webb
Cofounder / Security Engineer
HardenedBSD

Tor-ified Signal: +1 303-901-1600 / shawn_webb_opsec.50
https://git.hardenedbsd.org/hardenedbsd/pubkeys/-/raw/master/Shawn_Webb/03A4CBEBB82EA5A67D9F3853FF2E67A277F8E1FA.pub.asc

From: Shawn Webb
To: Colin Percival
Cc: freebsd-arch@freebsd.org, Li-Wen Hsu, Ronald Klop
Date: Tue, 24 Sep 2024 19:20:11 +0000
Subject: Re: Deprecating RSA ssh host keys in 16

On Tue, Sep 24, 2024 at 07:16:04PM UTC, Shawn Webb wrote:
> On Tue, Sep 24, 2024 at 06:41:00PM UTC, Colin Percival wrote:
> > Hi all,
> >
> > Last week I turned off RSA host key generation for SSH in EC2 instances,
> > because (a) modern SSH clients support ecdsa and ed25519 keys, and (b)
> > generating RSA host keys was taking over 10% of the boot time when EC2
> > instances booted for the first time.
> >
> > I don't think we should turn off RSA host key generation in general in
> > 15.x since for non-VM/cloud images the first boot time is less relevant
> > (if you're installing from an ISO image, the installer will take far
> > longer than the host key generation) but I think it would make sense to
> > deprecate RSA host keys in 15 and then turn them off by default in 16.
> >
> > I'm not sure if there's any good way to announce the deprecation beyond
> > putting it into the release notes; we could print a warning in 15 when
> > RSA host keys are generated, but that will always fire regardless of
> > whether they're being *used* and I don't think there's any practical way
> > to warn specifically when RSA host keys are *used*. So unless I'm
> > missing something, the deprecation would just take the form of a few lines
> > in the release notes.
> >
> > Thoughts?
>
> With commit e3f33c64ec168a48038309af0c237eda86d10c74[1], introduced on
> 14 Nov 2024, HardenedBSD has disabled the generation of RSA host keys
> by default.

Whoops, time travel hasn't been invented yet. (Or so we think? ;-P)
That would be 14 Nov 2023.

>
> We haven't seen any reports of any breakage. While the change might be
> considered a POLA violation, it seems pretty harmless on today's
> 15-CURRENT systems.
>
> We have a number of 15-CURRENT users, though we don't have any hard
> data, and likely pales in comparison to the FreeBSD side--enough so
> that the sample is too small to be a significant or reliable data
> point.
>
> I have this commit tagged as MFC-able, though I haven't MFC'd just yet.
> It completely spaced my mind and I'll likely MFC shortly after sending
> this email.
>
> [1]: https://git.hardenedbsd.org/hardenedbsd/HardenedBSD/-/commit/e3f33c64ec168a48038309af0c237eda86d10c74
>
> Thanks,
>
> -- 
> Shawn Webb
> Cofounder / Security Engineer
> HardenedBSD
>
> Tor-ified Signal: +1 303-901-1600 / shawn_webb_opsec.50
> https://git.hardenedbsd.org/hardenedbsd/pubkeys/-/raw/master/Shawn_Webb/03A4CBEBB82EA5A67D9F3853FF2E67A277F8E1FA.pub.asc

-- 
Shawn Webb
Cofounder / Security Engineer
HardenedBSD

Tor-ified Signal: +1 303-901-1600 / shawn_webb_opsec.50
https://git.hardenedbsd.org/hardenedbsd/pubkeys/-/raw/master/Shawn_Webb/03A4CBEBB82EA5A67D9F3853FF2E67A277F8E1FA.pub.asc

From: Colin Percival
To: Shawn Webb
Cc: freebsd-arch@freebsd.org, Li-Wen Hsu, Ronald Klop
Date: Wed, 25 Sep 2024 15:19:15 +0000
Subject: Re: Deprecating RSA ssh host keys in 16

On 9/24/24 12:16, Shawn Webb wrote:
> On Tue, Sep 24, 2024 at 06:41:00PM UTC, Colin Percival wrote:
>> I don't think we should turn off RSA host key generation in general in
>> 15.x since for non-VM/cloud images the first boot time is less relevant
>> (if you're installing from an ISO image, the installer will take far
>> longer than the host key generation) but I think it would make sense to
>> deprecate RSA host keys in 15 and then turn them off by default in 16.
>> [...]
>
> With commit e3f33c64ec168a48038309af0c237eda86d10c74[1], introduced on
> 14 Nov 2024, HardenedBSD has disabled the generation of RSA host keys
> by default.
>
> We haven't seen any reports of any breakage. While the change might be
> considered a POLA violation, it seems pretty harmless on today's
> 15-CURRENT systems.
>
> We have a number of 15-CURRENT users, though we don't have any hard
> data, and likely pales in comparison to the FreeBSD side--enough so
> that the sample is too small to be a significant or reliable data
> point.

It's still a very helpful data point! I've also had one response from
someone with old IoT systems which only understand RSA host keys, so I
think my proposed timeline of "warn people now that it will be disabled
by default in 16" is the way to go.

Colin Percival

From: Dag-Erling Smørgrav
To: Colin Percival
Cc: Shawn Webb, freebsd-arch@freebsd.org, Li-Wen Hsu, Ronald Klop
Date: Wed, 25 Sep 2024 19:24:54 +0200
Subject: Re: Deprecating RSA ssh host keys in 16

Colin Percival writes:
> It's still a very helpful data point! I've also had one response from
> someone with old IoT systems which only understand RSA host keys, so I
> think my proposed timeline of "warn people now that it will be disabled
> by default in 16" is the way to go.

Why is an IoT system making outbound ssh connections? That's the only
way it would ever be aware of another system's host key.

Btw, I believe there is either a Bugzilla ticket or a Phabricator review
somewhere that makes the list of host key algorithms configurable (and
it's trivial to recreate if you can't find it).

Oh, and should we perhaps also disable (non-elliptic) DSA host keys?

DES
-- 
Dag-Erling Smørgrav - des@FreeBSD.org

From: Colin Percival
To: Xin LI, Dag-Erling Smørgrav
Cc: Shawn Webb, freebsd-arch@freebsd.org, Li-Wen Hsu, Ronald Klop
Date: Wed, 25 Sep 2024 20:42:49 +0000
Subject: Re: Deprecating RSA ssh host keys in 16

On 9/25/24 13:07, Xin LI wrote:
> On Wed, Sep 25, 2024 at 10:25 AM Dag-Erling Smørgrav wrote:
>     Oh, and should we perhaps also disable (non-elliptic) DSA host keys?
>
> Yes, please remove the generation of DSA host keys (I thought it was removed
> in 2018 when you imported OpenSSH 7.7, but turns out it's only removed from
> sshd_config).


DSA host key generation was disabled in af8ee1391d08c (August 2016). If you
have DSA host keys I think they will get used, but we don't generate them by
default now.

> For the RSA host key I think deprecating now is fine and we should even remove
> it from the default sshd_config configuration in 15. OpenSSH implemented
> ed25519 support in 6.5 (2014), which is 10 years ago, and ecdsa even earlier
> than that, and for those who really need it, they can always add it back to
> sshd_config until the upstream have removed the support, which is probably not
> going to happen anytime soon.

The place which controls key generation is /etc/rc.d/sshd:

: ${sshd_rsa_enable:="yes"}
: ${sshd_dsa_enable:="no"}
: ${sshd_ecdsa_enable:="yes"}
: ${sshd_ed25519_enable:="yes"}

and obviously the key-generation behaviour can be changed in /etc/rc.conf.

Colin Percival

From nobody Thu Sep 26 22:25:36 2024
Date: Fri, 27 Sep 2024 00:25:36 +0200
From: Christian Weisgerber
To: Colin Percival
Cc: Xin LI, Dag-Erling Smørgrav, Shawn Webb, freebsd-arch@freebsd.org, Li-Wen Hsu, Ronald Klop
Subject: Re: Deprecating RSA ssh host keys in 16

Colin Percival:

> DSA host key generation was disabled in af8ee1391d08c (August 2016). If you
> have DSA host keys I think they will get used, but we don't generate them by
> default now.

And that's going away, too. Starting with OpenSSH 9.8, DSA support
is no longer compiled in by default, and "removing DSA support
entirely is planned for the first OpenSSH release of 2025".

-- 
Christian "naddy" Weisgerber naddy@mips.inka.de

From nobody Fri Sep 27 05:18:44 2024
Date: Fri, 27 Sep 2024 00:18:44 -0500
To: freebsd-arch@freebsd.org
From: Kyle Evans
Subject: porch(1) tty tests

Hello!

Back in January, I sent some mail[0] about using a tool I wrote,
orch(1), for some tty testing. It's since been renamed porch(1), but I
now have some reviews open for this:

- https://reviews.freebsd.org/D46805 (mk: add PLAIN_TESTS_PORCH support)
- https://reviews.freebsd.org/D46806 (tests: kern: add some porch(1)-based tty tests)

PLAIN_TESTS_PORCH is useful so that we don't need to screw up or repeat
the required_programs metadata to make sure the test is skipped if
porch(1) isn't installed. The only tests currently using it are the tty
tests that I wrote around canonicalization behavior, but we have other
interactive programs in base that could benefit as well.

I've only added #tests for now, but please feel free to add yourself to
the reviews if you're at all interested in tty testing, interactive
program testing, or even just interactive program orchestration in
general.

Thanks,

Kyle Evans

[0] https://lists.freebsd.org/archives/freebsd-arch/2024-January/000581.html

From nobody Fri Sep 27 17:21:30 2024
From: Ed Maste
Date: Fri, 27 Sep 2024 13:21:30 -0400
Subject: Re: Deprecating RSA ssh host keys in 16
To: Colin Percival
Cc: freebsd-arch@freebsd.org, Li-Wen Hsu, Ronald Klop

On Tue, 24 Sept 2024 at 14:41, Colin Percival wrote:
>
> I don't think we should turn off RSA host key generation in general in
> 15.x since for non-VM/cloud images the first boot time is less relevant
> (if you're installing from an ISO image, the installer will take far
> longer than the host key generation) but I think it would make sense to
> deprecate RSA host keys in 15 and then turn them off by default in 16.

This might be overly conservative, and users who need RSA host keys can
trivially enable them.

I'm also not fond of having different behaviour in a cloud environment
vs when using the installer -- imagine a user with an old ssh client
that has trouble connecting to FreeBSD servers, but only those hosted on
EC2.

From nobody Fri Sep 27 17:43:52 2024
Date: Fri, 27 Sep 2024 17:43:52 +0000
Subject: Re: Deprecating RSA ssh host keys in 16
To: Ed Maste
Cc: freebsd-arch@freebsd.org, Li-Wen Hsu, Ronald Klop
From: Colin Percival

On 9/27/24 10:21, Ed Maste wrote:
> On Tue, 24 Sept 2024 at 14:41, Colin Percival wrote:
>> I don't think we should turn off RSA host key generation in general in
>> 15.x since for non-VM/cloud images the first boot time is less relevant
>> (if you're installing from an ISO image, the installer will take far
>> longer than the host key generation) but I think it would make sense to
>> deprecate RSA host keys in 15 and then turn them off by default in 16.
>
> This might be overly conservative, and users who need RSA host keys
> can trivially enable them.
>
> I'm also not fond of having different behaviour in a cloud environment
> vs when using the installer -- imagine a user with an old ssh client
> that has trouble connecting to FreeBSD servers, but only those hosted
> on EC2.

Wearing my release engineering hat: I don't like making changes like this
without warning, and we have a standard policy of "warn in N, gone in N+1"
so I figured we should follow that.

Wearing my EC2 maintainer hat: *In cloud environments* this is important
enough to diverge from normal practice; but the first-boot-key-generation
time is not relevant outside of clouds.

I agree that maintaining consistency is generally a good thing, but in this
case I think there are strong enough arguments on both sides to justify the
divergence.

-- 
Colin Percival
FreeBSD Release Engineering Lead & EC2 platform maintainer
Founder, Tarsnap | www.tarsnap.com | Online backups for the truly paranoid
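
An added example, not code from this thread or from FreeBSD: a POSIX sh audit built on the /etc/rc.d/sshd defaults quoted earlier in the thread, showing that setting a knob to "no" in rc.conf stops key generation but leaves an existing key file on disk. The function names, state labels and the constructed sample files are assumptions for illustration; only the single rc.conf passed in is read, not rc.conf.local or rc.conf.d.

```shell
#!/bin/sh
# Added example: for each host-key algorithm, combine the sshd_<alg>_enable
# knob with what is already on disk. Defaults are the ones quoted from
# /etc/rc.d/sshd in the thread; everything else here is hypothetical.

# is_yes VALUE: the truthy spellings rc.subr's checkyesno accepts.
is_yes() {
    case "$1" in
        [Yy][Ee][Ss]|[Tt][Rr][Uu][Ee]|[Oo][Nn]|1) return 0 ;;
        *) return 1 ;;
    esac
}

# knob_value RCCONF ALG DEFAULT: last sshd_<alg>_enable assignment in RCCONF,
# or DEFAULT when the file is missing or does not set it. The file is parsed,
# not sourced, so auditing it never executes its contents.
knob_value() {
    v=$(sed -n "s/^[[:space:]]*sshd_${2}_enable=[\"']\{0,1\}\([A-Za-z0-9]*\).*/\1/p" \
        "$1" 2>/dev/null | tail -n 1)
    echo "${v:-$3}"
}

# hostkey_plan RCCONF KEYDIR: prints "<alg> enable=<yes|no> <state>" per algorithm.
hostkey_plan() {
    rcconf=$1 keydir=$2
    for spec in rsa:yes dsa:no ecdsa:yes ed25519:yes; do
        alg=${spec%%:*} default=${spec#*:}
        if is_yes "$(knob_value "$rcconf" "$alg" "$default")"; then
            en=yes
        else
            en=no
        fi
        if [ -f "$keydir/ssh_host_${alg}_key" ]; then
            # Disabling a knob only stops generation; the key file stays.
            [ "$en" = yes ] && state=present || state=present-generation-disabled
        elif [ "$en" = yes ]; then
            state=will-generate
        else
            state=absent
        fi
        echo "$alg enable=$en $state"
    done
}

# Constructed sample: RSA generation switched off in rc.conf while RSA, DSA
# and ECDSA key files (empty placeholders) exist and no ed25519 key does.
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' 'sshd_enable="YES"' 'sshd_rsa_enable="NO"' > "$d/rc.conf"
    : > "$d/ssh_host_rsa_key"
    : > "$d/ssh_host_dsa_key"
    : > "$d/ssh_host_ecdsa_key"
    hostkey_plan "$d/rc.conf" "$d"
    rm -rf "$d"
}

demo
```

On a real host the call would be `hostkey_plan /etc/rc.conf /etc/ssh`; any `present-generation-disabled` line marks a key file that has to be removed or replaced separately from the rc.conf change.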