From owner-freebsd-security@FreeBSD.ORG Mon Jun 25 02:10:34 2012
From: Robert Simmons
To: "Bjoern A. Zeeb"
Cc: freebsd-security@freebsd.org
Date: Sun, 24 Jun 2012 22:10:33 -0400
Subject: Re: Add rc.conf variables to control host key length
In-Reply-To: <90EAF0C3-C676-4C20-A981-86FC88BAC29D@lists.zabbadoz.net>

On Sun, Jun 24, 2012 at 9:46 PM, Bjoern A. Zeeb wrote:
>
> On 24. Jun 2012, at 17:14 , Robert Simmons wrote:
>
>> On Sun, Jun 24, 2012 at 12:34 PM, Bjoern A. Zeeb wrote:
>>> On 24. Jun 2012, at 16:07 , Robert Simmons wrote:
>>>> Here is a set of patches that add functionality to rc.conf allowing
>>>> users an easy way to control the length of the host keys used with ssh
>>>> (specifically RSA and ECDSA used with protocol version 2).
>>>
>>> Created for, not used with -- right?
>>
>> Yes, created for. I have updated the patch to reflect this and
>> attached the new patch. Good eye, thanks.
>>
>>> The used with is controlled in sshd_config and if the key is not there
>>> but it's enabled in sshd_config you'll get a warning on boot which is
>>> very annoying.
>>
>> No. Actually, "used with" is not controlled in sshd_config. Only the
>> path to the key files is controlled by that config.
>> The sshd_flags variable in rc.conf is what controls "used with". For
>> example, on my installs, I only want to use the ECDSA key and not
>> present any other protocol v2 keys to clients, thereby restricting it
>> to ECDSA. The only way to go about this is to set the following:
>> sshd_flags="-h /etc/ssh/ssh_host_ecdsa_key"
>> Take a look at sshd(8), specifically the -h option for clarification.
>
> Aha, multiple options to accomplish the same thing.
>
> HostKey /etc/ssh/ssh_host_ecdsa_key
>
> in sshd_config should accomplish the same, shouldn't it? I'd really
> prefer that to a command line option.
And vice versa. Let's say you only uncomment the line for RSA keys in sshd_config. Your server will still present the ECDSA key to clients that understand it.
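The thread is about letting rc.conf pick the length of the RSA and ECDSA host keys that get created at boot. The following is an added example, not the patch from this thread nor FreeBSD's rc.d code: it shows the length check a boot-time keygen step should perform before calling ssh-keygen(1), so a typo in rc.conf never silently produces a weak host key. The variable names and the 2048-bit RSA floor are this example's own choices, not values from the patch.

```sh
#!/bin/sh
# Added example (hypothetical rc.d helper): validate a requested host key
# length and build the ssh-keygen(1) command for it.

# ECDSA: ssh-keygen offers exactly three curve sizes (256, 384, 521).
# RSA: ssh-keygen accepts smaller keys, but we assume a 2048-bit floor as a
# hardening choice; 16384 is the assumed ceiling ssh-keygen will accept.
valid_key_bits() {
    ktype=$1 bits=$2
    # Reject empty or non-numeric input before any numeric comparison.
    case $bits in ''|*[!0-9]*) return 1 ;; esac
    case $ktype in
        ecdsa) [ "$bits" -eq 256 ] || [ "$bits" -eq 384 ] || [ "$bits" -eq 521 ] ;;
        rsa)   [ "$bits" -ge 2048 ] && [ "$bits" -le 16384 ] ;;
        *)     return 1 ;;
    esac
}

# Print the ssh-keygen invocation for a host key of the given type/length,
# writing to <dir>/ssh_host_<type>_key (the default path sshd(8) looks for).
# Fails, printing nothing, when the requested length is not acceptable.
hostkey_gen_cmd() {
    ktype=$1 bits=$2 dir=${3:-/etc/ssh}
    valid_key_bits "$ktype" "$bits" || return 1
    printf 'ssh-keygen -t %s -b %s -N "" -f %s/ssh_host_%s_key\n' \
        "$ktype" "$bits" "$dir" "$ktype"
}

# Constructed rc.conf-style settings (hypothetical variable names).
sshd_rsa_keygen_bits=4096
sshd_ecdsa_keygen_bits=521
hostkey_gen_cmd rsa   "$sshd_rsa_keygen_bits"
hostkey_gen_cmd ecdsa "$sshd_ecdsa_keygen_bits"
```

In a real rc.d script the printed command would be executed, and a failed check should abort key generation with a loud error rather than fall back to a default length.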