From: Robert Simmons <rsimmons0@gmail.com>
To: freebsd-security@freebsd.org
Date: Sun, 24 Jun 2012 22:09:08 -0400
Subject: Re: Add rc.conf variables to control host key length
In-Reply-To: <90EAF0C3-C676-4C20-A981-86FC88BAC29D@lists.zabbadoz.net>
List: freebsd-security@freebsd.org ("Security issues [members-only posting]")
On Sun, Jun 24, 2012 at 9:46 PM, Bjoern A. Zeeb wrote:
>
> On 24. Jun 2012, at 17:14 , Robert Simmons wrote:
>
>> On Sun, Jun 24, 2012 at 12:34 PM, Bjoern A. Zeeb wrote:
>>> On 24. Jun 2012, at 16:07 , Robert Simmons wrote:
>>>> Here is a set of patches that add functionality to rc.conf allowing
>>>> users an easy way to control the length of the host keys used with ssh
>>>> (specifically RSA and ECDSA used with protocol version 2).
>>>
>>> Created for, not used with -- right?
>>
>> Yes, created for. I have updated the patch to reflect this and
>> attached the new patch. Good eye, thanks.
>>
>>> The used with is controlled in sshd_config and if the key is not there
>>> but it's enabled in sshd_config you'll get a warning on boot which is
>>> very annoying.
>>
>> No. Actually, "used with" is not controlled in sshd_config. Only the
>> path to the key files is controlled by that config.
>> The sshd_flags variable in rc.conf is what controls "used with". For
>> example, on my installs, I only want to use the ECDSA key and not
>> present any other protocol v2 keys to clients, thereby restricting it
>> to ECDSA. The only way to go about this is to set the following:
>> sshd_flags="-h /etc/ssh/ssh_host_ecdsa_key"
>> Take a look at sshd(8), specifically the -h option for clarification.
>
> Aha, multiple options to accomplish the same thing.
>
> HostKey /etc/ssh/ssh_host_ecdsa_key
>
> in sshd_config should accomplish the same, shouldn't it? I'd really
> prefer that to a command line option.

No, you'll find that even with that being the only line uncommented, your
server will still present DSA and RSA keys to the clients that can't
understand ECDSA. The only way to restrict it is with the sshd flag "-h".
Go try it.
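As an added example that is not part of this thread or of the FreeBSD patch under discussion: a small POSIX shell script that pulls the host-key paths out of both places the two posters disagree about (the "-h" arguments in an rc.conf sshd_flags value and the active, uncommented HostKey lines in sshd_config) and reports any configured key file that does not exist on disk, which is the condition behind the boot-time warning Bjoern mentions. It does not decide which of the two sources sshd honours; it only shows what each one points at so an administrator can see the configuration as a whole. The rc.conf and sshd_config excerpts it uses are constructed, and the mktemp-based directory stands in for a real system root (pass / to inspect a live host).

```shell
#!/bin/sh
# Added example, not from the thread: enumerate the host-key files that an
# rc.conf sshd_flags value ("-h PATH") and an sshd_config text (active HostKey
# lines) point sshd at, and report any that are missing on disk.
# The rc.conf and sshd_config samples near the bottom are constructed.

# Print the value of sshd_flags="..." from rc.conf text on stdin
# (assumes the usual double-quoted rc.conf spelling).
rcconf_sshd_flags() {
    sed -n 's/^sshd_flags="\(.*\)"$/\1/p'
}

# Print every path given to "-h" in an sshd_flags value, one per line.
# Handles both "-h PATH" and "-hPATH" spellings.
flags_hostkeys() {
    printf '%s\n' "$1" | awk '{
        for (i = 1; i <= NF; i++) {
            if ($i == "-h" && i < NF) { print $(i + 1); i++ }
            else if ($i ~ /^-h./)     { print substr($i, 3) }
        }
    }'
}

# Print the path from every active HostKey directive read on stdin.
# Keywords are case-insensitive; commented lines ("#HostKey ...") are skipped.
config_hostkeys() {
    awk 'tolower($1) == "hostkey" && NF >= 2 { print $2 }'
}

# Combine both sources (duplicates removed, order kept) and test each path
# under the root directory $3. Prints "ok PATH" or "MISSING PATH" per key and
# returns the number of missing keys as its exit status (0 = all present).
check_hostkeys() {
    flags="$1"; config="$2"; root="$3"
    missing=0
    for key in $( { flags_hostkeys "$flags"
                    printf '%s\n' "$config" | config_hostkeys
                  } | awk '!seen[$0]++' ); do
        if [ -f "$root$key" ]; then
            echo "ok $key"
        else
            echo "MISSING $key"
            missing=$((missing + 1))
        fi
    done
    return $missing
}

# --- constructed sample inputs ---------------------------------------------
SAMPLE_RC_CONF='sshd_enable="YES"
sshd_flags="-h /etc/ssh/ssh_host_ecdsa_key"'

SAMPLE_SSHD_CONFIG='# constructed sshd_config excerpt
#HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
Protocol 2'

# Build a throwaway root in which only the ECDSA key file exists.
demo_root() {
    d=$(mktemp -d)
    mkdir -p "$d/etc/ssh"
    : > "$d/etc/ssh/ssh_host_ecdsa_key"
    echo "$d"
}

# Demo: the RSA key is enabled in sshd_config but absent from disk.
DEMO_ROOT=$(demo_root)
DEMO_FLAGS=$(printf '%s\n' "$SAMPLE_RC_CONF" | rcconf_sshd_flags)
check_hostkeys "$DEMO_FLAGS" "$SAMPLE_SSHD_CONFIG" "$DEMO_ROOT" \
    || echo "$? host key file(s) missing"
rm -rf "$DEMO_ROOT"
```

On a real host the same check is: check_hostkeys "$(rcconf_sshd_flags < /etc/rc.conf)" "$(cat /etc/ssh/sshd_config)" /. A non-zero exit status means at least one enabled host key file is absent.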