From: Robert Simmons
To: freebsd-security@freebsd.org
Date: Sun, 24 Jun 2012 12:07:24 -0400
Subject: Add rc.conf variables to control host key length

Here is a set of patches that add functionality to rc.conf allowing users an easy way to control the length of the host keys used with ssh (specifically RSA and ECDSA used with protocol version 2). I would like to also discuss the merits of changing FreeBSD's default behavior to using 4096 bit RSA keys and 521 bit ECDSA keys. I have refrained from changing FreeBSD's default behavior in these patches and stuck to just adding configurability. Please let me know if you see any problems with these patches.

[Attachment: rc.conf.5.diff]
[Attachment: rc.conf.diff]
[Attachment: sshd.diff]
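An added illustration of the idea in the message, not the attached patches themselves: an rc.d-style host key generation step whose RSA and ECDSA sizes come from rc.conf-like variables, with validation of the requested size before it reaches ssh-keygen and a readback of the resulting key length so an operator can confirm the setting took effect. The function and variable names and the RSA size floor are assumptions of this example.

```shell
#!/bin/sh
# Added illustration, not the patch from the message: an rc.d-style host key
# generation step whose key sizes come from rc.conf-like variables.
# The function names and the RSA size policy are assumptions of this example.

# ECDSA: ssh-keygen accepts exactly three curve sizes, 256, 384 or 521 bits.
# Empty input means "let ssh-keygen use its default"; anything else is rejected.
ecdsa_keysize_flag() {
    case "$1" in
        "")          echo "" ;;
        256|384|521) echo "-b $1" ;;
        *)           return 1 ;;
    esac
}

# RSA: require an integer in 2048..16384 that is a multiple of 8 (the floor
# is this example's local policy, not an ssh-keygen limit).
rsa_keysize_flag() {
    case "$1" in
        "")        echo ""; return 0 ;;
        *[!0-9]*)  return 1 ;;
    esac
    [ "$1" -ge 2048 ] && [ "$1" -le 16384 ] && [ $(( $1 % 8 )) -eq 0 ] || return 1
    echo "-b $1"
}

# Generate <dir>/ssh_host_<type>_key with the validated size flag (skipping
# generation when the key already exists, as rc.d does) and print the bit
# length ssh-keygen -l reports, so the configured size can be verified.
# Prints nothing and succeeds when ssh-keygen is not installed, so the
# pure-shell validation above still runs offline.
gen_host_key() {   # $1 = rsa|ecdsa, $2 = requested bits, $3 = target directory
    flag=$("${1}_keysize_flag" "$2") || { echo "invalid $1 key size: $2" >&2; return 1; }
    command -v ssh-keygen >/dev/null 2>&1 || return 0
    if [ ! -f "$3/ssh_host_${1}_key" ]; then
        # $flag is deliberately unquoted: it expands to "-b N" or to nothing.
        ssh-keygen -q $flag -t "$1" -f "$3/ssh_host_${1}_key" -N '' || return 1
    fi
    ssh-keygen -l -f "$3/ssh_host_${1}_key.pub" | cut -d' ' -f1
}
```

Rejecting sizes up front matters because a typo in rc.conf would otherwise only surface as a failed ssh-keygen run during boot, leaving the host without that key type.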