Date:      Tue, 24 Sep 2024 19:20:11 +0000
From:      Shawn Webb <shawn.webb@hardenedbsd.org>
To:        Colin Percival <cperciva@tarsnap.com>
Cc:        freebsd-arch@freebsd.org, Li-Wen Hsu <lwhsu@freebsd.org>,  Ronald Klop <ronald@freebsd.org>
Subject:   Re: Deprecating RSA ssh host keys in 16
Message-ID:  <7ujil5wxcwnmoobmjsmtdvfubmb3eiqcsblut3lwt7ussdxwxq@6qskqqcvfkcu>
In-Reply-To: <wzyhp2k7fyvg6qxrkrs32uweiuijpv7f6sjjt2yuonob7py3gj@7f7xdqj72erk>
References:  <0100019225563885-e7f0aed8-cff8-4247-8bcd-861aed3e5cc7-000000@email.amazonses.com> <wzyhp2k7fyvg6qxrkrs32uweiuijpv7f6sjjt2yuonob7py3gj@7f7xdqj72erk>

On Tue, Sep 24, 2024 at 07:16:04PM UTC, Shawn Webb wrote:
> On Tue, Sep 24, 2024 at 06:41:00PM UTC, Colin Percival wrote:
> > Hi all,
> >
> > Last week I turned off RSA host key generation for SSH in EC2 instances,
> > because (a) modern SSH clients support ecdsa and ed25519 keys, and (b)
> > generating RSA host keys was taking over 10% of the boot time when EC2
> > instances booted for the first time.
> >
> > I don't think we should turn off RSA host key generation in general in
> > 15.x since for non-VM/cloud images the first boot time is less relevant
> > (if you're installing from an ISO image, the installer will take far
> > longer than the host key generation) but I think it would make sense to
> > deprecate RSA host keys in 15 and then turn them off by default in 16.
> >
> > I'm not sure if there's any good way to announce the deprecation beyond
> > putting it into the release notes; we could print a warning in 15 when
> > RSA host keys are generated, but that will always fire regardless of
> > whether they're being *used* and I don't think there's any practical way
> > to warn specifically when RSA host keys are *used*.  So unless I'm
> > missing something, the deprecation would just take the form of a few lines
> > in the release notes.
> >
> > Thoughts?
>
> With commit e3f33c64ec168a48038309af0c237eda86d10c74[1], introduced on
> 14 Nov 2024, HardenedBSD has disabled the generation of RSA host keys
> by default.

Whoops, time travel hasn't been invented yet. (Or so we think? ;-P)
That would be 14 Nov 2023.

>
> We haven't seen any reports of any breakage. While the change might be
> considered a POLA violation, it seems pretty harmless on today's
> 15-CURRENT systems.
>
> We have a number of 15-CURRENT users, though we don't have any hard
> data, and likely pales in comparison to the FreeBSD side--enough so
> that the sample is too small to be a significant or reliable data
> point.
>
> I have this commit tagged as MFC-able, though I haven't MFC'd just yet.
> It completely spaced my mind and I'll likely MFC shortly after sending
> this email.
>
> [1]: https://git.hardenedbsd.org/hardenedbsd/HardenedBSD/-/commit/e3f33c64ec168a48038309af0c237eda86d10c74
>
> Thanks,
>
> --
> Shawn Webb
> Cofounder / Security Engineer
> HardenedBSD
>
> Tor-ified Signal: +1 303-901-1600 / shawn_webb_opsec.50
> https://git.hardenedbsd.org/hardenedbsd/pubkeys/-/raw/master/Shawn_Webb/03A4CBEBB82EA5A67D9F3853FF2E67A277F8E1FA.pub.asc

-- 
Shawn Webb
Cofounder / Security Engineer
HardenedBSD

Tor-ified Signal: +1 303-901-1600 / shawn_webb_opsec.50
https://git.hardenedbsd.org/hardenedbsd/pubkeys/-/raw/master/Shawn_Webb/03A4CBEBB82EA5A67D9F3853FF2E67A277F8E1FA.pub.asc
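One inventory check an administrator would want before RSA host keys stop being generated by default, added here as an example and not code from this thread or from FreeBSD/HardenedBSD: it reads known_hosts-style data (ssh-keyscan prints the same "host keytype base64" line format, so its output can be fed in too) and reports which hosts are pinned by an ssh-rsa entry alone, i.e. the clients that would meet an unfamiliar key type once a server offers only ecdsa/ed25519. The sample input is constructed; hosts and key material are made up.

```python
"""Inventory host key types recorded in known_hosts / ssh-keyscan output."""
from collections import Counter, defaultdict

# Constructed sample (made-up hosts and key material, not real keys).
# Same line format as ssh-keyscan output: <host[,host...]> <keytype> <base64> [comment]
SAMPLE = """\
# build host learned twice: once by name+IP via RSA, once by name via ed25519
build1.example.test,10.0.0.5 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABconstructed1
build1.example.test ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIconstructed2
legacy.example.test ssh-rsa AAAAB3NzaC1yc2EAAAADAQABconstructed3
@cert-authority *.example.test ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIconstructed4
|1|c2FsdA==|aGFzaA== ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYconstructed5
"""


def iter_entries(text):
    """Yield (host_list, key_type) per valid entry; comments and blank lines are skipped."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if fields[0].startswith("@"):  # @cert-authority / @revoked marker
            fields = fields[1:]
        if len(fields) < 3:
            continue  # malformed entry: skip rather than guess
        yield fields[0].split(","), fields[1]


def parse_host_keys(text):
    """Map each host name, pattern or hashed-host token to its recorded key types."""
    hosts_to_types = defaultdict(set)
    for hosts, key_type in iter_entries(text):
        for host in hosts:
            hosts_to_types[host].add(key_type)
    return dict(hosts_to_types)


def key_type_counts(text):
    """Entries per key type: how much RSA is still pinned overall."""
    return Counter(key_type for _, key_type in iter_entries(text))


def rsa_only_hosts(text):
    """Hosts whose only recorded host key is ssh-rsa; these are the ones whose
    clients would see a new, unknown key type if the server dropped RSA."""
    return sorted(h for h, t in parse_host_keys(text).items() if t == {"ssh-rsa"})


if __name__ == "__main__":
    print(dict(key_type_counts(SAMPLE)))
    print("RSA-only hosts:", rsa_only_hosts(SAMPLE))
```

Hashed entries (`|1|...`) are counted but cannot be mapped back to a host name, so they show up only in the per-type totals.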
