From owner-freebsd-security@FreeBSD.ORG Mon Jun 25 16:14:51 2012
Delivered-To: freebsd-security@freebsd.org
Date: Mon, 25 Jun 2012 12:14:45 -0400
From: "J. Hellenthal"
To: Robert Simmons
Cc: "Bjoern A. Zeeb", freebsd-security@freebsd.org
Subject: Re: Add rc.conf variables to control host key length
Message-ID: <20120625161445.GB85086@DataIX.net>
References: <4828EFCC-E60A-4961-9228-4A1ADAD28F73@lists.zabbadoz.net> <90EAF0C3-C676-4C20-A981-86FC88BAC29D@lists.zabbadoz.net>
List-Id: "Security issues [members-only posting]"

On Sun, Jun 24, 2012 at 10:10:33PM -0400, Robert Simmons wrote:
> On Sun, Jun 24, 2012 at 9:46 PM, Bjoern A. Zeeb wrote:
> >
> > On 24. Jun 2012, at 17:14 , Robert Simmons wrote:
> >
> >> On Sun, Jun 24, 2012 at 12:34 PM, Bjoern A. Zeeb wrote:
> >>> On 24. Jun 2012, at 16:07 , Robert Simmons wrote:
> >>>> Here is a set of patches that add functionality to rc.conf allowing
> >>>> users an easy way to control the length of the host keys used with ssh
> >>>> (specifically RSA and ECDSA used with protocol version 2).
> >>>
> >>> Created for, not used with -- right?
> >>
> >> Yes, created for.  I have updated the patch to reflect this and
> >> attached the new patch.  Good eye, thanks.
> >>
> >>> The used with is controlled in sshd_config and if the key is not there
> >>> but it's enabled in sshd_config you'll get a warning on boot which is
> >>> very annoying.
> >>
> >> No.  Actually, "used with" is not controlled in sshd_config.  Only the
> >> path to the key files is controlled by that config.
> >> The sshd_flags variable in rc.conf is what controls "used with".  For
> >> example, on my installs, I only want to use the ECDSA key and not
> >> present any other protocol v2 keys to clients, thereby restricting it
> >> to ECDSA.  The only way to go about this is to set the following:
> >>
> >> sshd_flags="-h /etc/ssh/ssh_host_ecdsa_key"
> >>
> >> Take a look at sshd(8), specifically the -h option for clarification.
> >
> > Aha, multiple options to accomplish the same thing.
> >
> > HostKey /etc/ssh/ssh_host_ecdsa_key
> >
> > in sshd_config should accomplish the same, shouldn't it?  I'd really
> > prefer that to a command line option.
>
> And vice versa.  Let's say you only uncomment the line for RSA keys in
> sshd_config.  Your server will still present the ECDSA key to clients
> that understand it.

Try:

HostKey /usr/local/etc/ssh/ssh_host_rsa_key
HostKey /dev/null
HostKey none

-- 
 - (2^(N-1))
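The thread argues over two knobs: which host keys sshd will load (HostKey in sshd_config versus sshd_flags="-h ...") and what length the keys created at boot should have. The script below is an added example, not code from this thread and not FreeBSD's rc.d/sshd script. It models the documented sshd rule that every HostKey directive adds one key file and that the built-in defaults apply only when the config names none (under that rule, uncommenting only the RSA line leaves the server with just the RSA key), and it validates a requested key size before building the ssh-keygen command an rc.conf knob would run. Assumptions, all labelled in the code: the default key list is the protocol-2 list of the OpenSSH releases current in 2012 (rsa, dsa, ecdsa); the 1024-bit RSA floor is a policy choice, not a ssh-keygen constant; the effect of combining -h with HostKey lines is not modelled; the sshd_config used in the demo is constructed for the example.

```sh
#!/bin/sh
# Added example: model sshd host-key selection and validate host-key
# sizes for ssh-keygen. Not from the thread or from FreeBSD's rc.d/sshd.

# sshd_hostkeys_from_config CONFIG_FILE
# Prints one key path per line. Modelled rule (OpenSSH sshd): each
# uncommented HostKey directive adds one key file; if the config names
# none, the built-in defaults are used. A path sshd cannot read (for
# example /dev/null) is still listed here; real sshd would log
# "Could not load host key" for it and carry on.
# Not modelled: keys added with "sshd -h" on the command line.
sshd_hostkeys_from_config() {
    _cfg=$1
    # match "HostKey <path>" case-insensitively, drop trailing comments
    _keys=$(sed -n 's/^[[:space:]]*[Hh][Oo][Ss][Tt][Kk][Ee][Yy][[:space:]]\{1,\}\([^[:space:]]*\).*/\1/p' "$_cfg")
    if [ -z "$_keys" ]; then
        # assumption: protocol-2 defaults of OpenSSH 5.7..6.x (2012 era);
        # later releases drop dsa and add ed25519
        printf '%s\n' /etc/ssh/ssh_host_rsa_key \
                      /etc/ssh/ssh_host_dsa_key \
                      /etc/ssh/ssh_host_ecdsa_key
    else
        printf '%s\n' "$_keys"
    fi
}

# keygen_cmd TYPE BITS FILE
# Prints the ssh-keygen invocation for a host key of the given type and
# size, or returns 1 when the size is not usable for that type. This is
# the check a "host key length" rc.conf variable needs before it hands a
# user-supplied number to ssh-keygen at boot.
keygen_cmd() {
    _type=$1; _bits=$2; _file=$3
    case $_bits in
        ''|*[!0-9]*) return 1 ;;          # must be a plain integer
    esac
    case $_type in
        rsa)
            # assumption: 1024-bit floor chosen as local policy
            [ "$_bits" -ge 1024 ] || return 1 ;;
        ecdsa)
            # ECDSA keys exist only on the NIST P-256/P-384/P-521 curves
            case $_bits in
                256|384|521) ;;
                *) return 1 ;;
            esac ;;
        *) return 1 ;;                     # only the two types the patch covers
    esac
    printf 'ssh-keygen -t %s -b %s -f %s -N ""\n' "$_type" "$_bits" "$_file"
}

# Demo on a constructed sshd_config (only the RSA line uncommented).
_demo=$(mktemp)
printf '%s\n' \
    '#HostKey /etc/ssh/ssh_host_dsa_key' \
    '#HostKey /etc/ssh/ssh_host_ecdsa_key' \
    'HostKey /usr/local/etc/ssh/ssh_host_rsa_key' > "$_demo"
echo "host keys sshd would load:"
sshd_hostkeys_from_config "$_demo"
rm -f "$_demo"
echo "key generation commands:"
keygen_cmd rsa 4096 /etc/ssh/ssh_host_rsa_key
keygen_cmd ecdsa 521 /etc/ssh/ssh_host_ecdsa_key
keygen_cmd ecdsa 512 /etc/ssh/ssh_host_ecdsa_key || echo "rejected: ecdsa 512"
```

On a real host the model can be checked against the daemon itself: `sshd -T -f /path/to/sshd_config | grep -i '^hostkey'` prints the key files sshd resolved after applying its defaults, and `ssh-keyscan -t rsa,ecdsa host` shows which key types the running server actually offers to clients.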