From owner-freebsd-security@FreeBSD.ORG Sun Jun 24 16:59:25 2012
Date: Sun, 24 Jun 2012 12:59:20 -0400
From: "J. Hellenthal" <jhellenthal@DataIX.net>
To: "Bjoern A. Zeeb"
Cc: freebsd-security@freebsd.org, Robert Simmons
Subject: Re: Add rc.conf variables to control host key length
Message-ID: <20120624165920.GA85913@DataIX.net>
References: <4828EFCC-E60A-4961-9228-4A1ADAD28F73@lists.zabbadoz.net>
In-Reply-To: <4828EFCC-E60A-4961-9228-4A1ADAD28F73@lists.zabbadoz.net>
List-Id: "Security issues [members-only posting]"

On Sun, Jun 24, 2012 at 04:34:04PM +0000, Bjoern A. Zeeb wrote:
>
> On 24. Jun 2012, at 16:07 , Robert Simmons wrote:
>
> > Here is a set of patches that add functionality to rc.conf allowing
> > users an easy way to control the length of the host keys used with ssh
> > (specifically RSA and ECDSA used with protocol version 2).
>
> Created for, not used with -- right?
>
> The used with is controlled in sshd_config and if the key is not there
> but it's enabled in sshd_config you'll get a warning on boot which is
> very annoying.
>
> > I would like to also discuss the merits of changing FreeBSD's default
> > behavior to using 4096 bit RSA keys and 521 bit ECDSA keys.
> >
> > I have refrained from changing FreeBSD's default behavior in these
> > patches and stuck to just adding configurability.
>
> Do we differ from what the OpenSSH defaults are?
>

Defaults being ...

2048 RSA
1024 DSA
256 ECDSA

These are more than sufficient for any normal ssh use.

-- 
 - (2^(N-1))
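The thread turns on how long the generated host keys actually are, which is something an administrator can audit directly from the `ssh_host_*_key.pub` files rather than trusting whatever rc.conf or sshd_config was supposed to do. The following is an added example, not code from the thread or from FreeBSD: it parses the OpenSSH public-key wire format (a sequence of length-prefixed strings) to recover the RSA modulus size, the DSA prime size or the ECDSA curve size, and compares each key against the defaults quoted in the reply (2048 RSA, 1024 DSA, 256 ECDSA). The sample keys are constructed in the block itself with synthetic moduli and curve points so it runs offline; `make_rsa_pubkey`, `make_ecdsa_pubkey`, `key_bits` and `check_host_keys` are names I chose for this example.

```python
import base64
import struct

# Minimum acceptable sizes, taken from the defaults quoted in the thread
# (2048 RSA, 1024 DSA, 256 ECDSA). A site policy would raise these.
MIN_BITS = {"ssh-rsa": 2048, "ssh-dss": 1024, "ecdsa": 256}


def _read_string(blob, offset):
    """Read one SSH 'string' field: uint32 big-endian length, then that many bytes."""
    if offset + 4 > len(blob):
        raise ValueError("truncated key blob")
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    start, end = offset + 4, offset + 4 + length
    if end > len(blob):
        raise ValueError("truncated key blob")
    return blob[start:end], end


def _mpint_bits(raw):
    """Bit length of an SSH mpint (big-endian, may carry a leading 0x00 pad byte)."""
    return int.from_bytes(raw, "big").bit_length()


def key_bits(pubkey_line):
    """Return (key_type, bits) for one line of an OpenSSH *.pub file."""
    fields = pubkey_line.split()
    if len(fields) < 2:
        raise ValueError("malformed public key line")
    key_type, b64 = fields[0], fields[1]
    blob = base64.b64decode(b64)
    inner_type, off = _read_string(blob, 0)
    if inner_type.decode() != key_type:
        raise ValueError("key type field does not match blob")
    if key_type == "ssh-rsa":
        _e, off = _read_string(blob, off)   # public exponent, not needed for size
        n, _ = _read_string(blob, off)      # modulus; RSA size is |n|
        return key_type, _mpint_bits(n)
    if key_type == "ssh-dss":
        p, _ = _read_string(blob, off)      # prime p; DSA size is |p|
        return key_type, _mpint_bits(p)
    if key_type.startswith("ecdsa-sha2-nistp"):
        curve, _ = _read_string(blob, off)  # e.g. b"nistp256"; size is the curve size
        return key_type, int(curve.decode()[len("nistp"):])
    raise ValueError("unsupported key type %s" % key_type)


def check_host_keys(lines, minimums=MIN_BITS):
    """Return [(key_type, bits, meets_minimum), ...] for the non-comment lines given."""
    results = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ktype, bits = key_bits(line)
        family = "ecdsa" if ktype.startswith("ecdsa-") else ktype
        results.append((ktype, bits, bits >= minimums[family]))
    return results


# --- constructed sample keys (synthetic values, not usable for SSH) ---------

def _ssh_string(data):
    return struct.pack(">I", len(data)) + data


def _mpint(value):
    # Two's-complement encoding: one extra byte when the top bit would be set.
    return _ssh_string(value.to_bytes((value.bit_length() + 8) // 8, "big"))


def make_rsa_pubkey(bits, exponent=65537):
    """Constructed ssh-rsa line whose 'modulus' has exactly `bits` bits (not a real RSA modulus)."""
    n = (1 << (bits - 1)) | 1
    blob = _ssh_string(b"ssh-rsa") + _mpint(exponent) + _mpint(n)
    return "ssh-rsa " + base64.b64encode(blob).decode() + " constructed@example"


def make_ecdsa_pubkey(curve_bits):
    """Constructed ecdsa-sha2-nistpN line; the point is a placeholder, not on the curve."""
    name = "nistp%d" % curve_bits
    point = b"\x04" + b"\x00" * (2 * ((curve_bits + 7) // 8))
    blob = _ssh_string(("ecdsa-sha2-" + name).encode()) + _ssh_string(name.encode()) + _ssh_string(point)
    return "ecdsa-sha2-" + name + " " + base64.b64encode(blob).decode() + " constructed@example"


if __name__ == "__main__":
    # Stand-in for reading /etc/ssh/ssh_host_*_key.pub on a real host.
    sample = [make_rsa_pubkey(1024), make_rsa_pubkey(4096), make_ecdsa_pubkey(521)]
    for ktype, bits, ok in check_host_keys(sample):
        print("%-22s %5d bits  %s" % (ktype, bits, "ok" if ok else "BELOW MINIMUM"))
```

On a real system the `sample` list would be replaced by the contents of the `ssh_host_*_key.pub` files; the parser only needs the first two whitespace-separated fields, so comments and trailing host names are ignored. Note that the check measures the key as it exists on disk, which is the thing the boot-time warning in the thread is about: a key type enabled in sshd_config with no matching key file is a separate condition this code does not detect.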