Date: Sun, 24 Jun 2012 13:14:02 -0400
From: Robert Simmons <rsimmons0@gmail.com>
To: freebsd-security@freebsd.org
Subject: Re: Add rc.conf variables to control host key length
Message-ID: <CA+QLa9DxE5D5ZeQ6M-FQGRySCGytQ=Qn2ZyNMYuCfSLGV1gdQw@mail.gmail.com>
In-Reply-To: <4828EFCC-E60A-4961-9228-4A1ADAD28F73@lists.zabbadoz.net>
References: <CA+QLa9CX26xEwRsz3g6FvBBbbFE0Gfw+UR6_RHYOXgZFcgCw5w@mail.gmail.com> <4828EFCC-E60A-4961-9228-4A1ADAD28F73@lists.zabbadoz.net>
On Sun, Jun 24, 2012 at 12:34 PM, Bjoern A. Zeeb <bzeeb-lists@lists.zabbadoz.net> wrote:
> On 24. Jun 2012, at 16:07 , Robert Simmons wrote:
>> Here is a set of patches that add functionality to rc.conf allowing
>> users an easy way to control the length of the host keys used with ssh
>> (specifically RSA and ECDSA used with protocol version 2).
>
> Created for, not used with -- right?

Yes, created for. I have updated the patch to reflect this and attached the new patch. Good eye, thanks.

> The used with is controlled in sshd_config and if the key is not there
> but it's enabled in sshd_config you'll get a warning on boot which is
> very annoying.

No. Actually, "used with" is not controlled in sshd_config. Only the path to the key files is controlled by that config. The sshd_flags variable in rc.conf is what controls "used with". For example, on my installs, I only want to use the ECDSA key and not present any other protocol v2 keys to clients, thereby restricting it to ECDSA. The only way to go about this is to set the following:

sshd_flags="-h /etc/ssh/ssh_host_ecdsa_key"

Take a look at sshd(8), specifically the -h option for clarification.

>> I would like to also discuss the merits of changing FreeBSD's default
>> behavior to using 4096 bit RSA keys and 521 bit ECDSA keys.
>>
>> I have refrained from changing FreeBSD's default behavior in these
>> patches and stuck to just adding configurability.
>
> Do we differ from what the OpenSSH defaults are?

No, we don't differ from OpenSSH defaults in regards to key sizes.
[Attachment: rc.conf.5.diff, decoded from the base64 attachment]

--- src/share/man/man5/rc.conf.5.old	2012-06-24 11:26:30.367361969 -0400
+++ src/share/man/man5/rc.conf.5	2012-06-24 13:10:49.747239074 -0400
@@ -3664,6 +3664,32 @@
 these are the flags to pass to the
 .Xr sshd 8
 daemon.
+.It Va rsa_keysize_flag
+.Pq Vt str
+If
+.Va sshd_enable
+is set to
+.Dq Li YES ,
+this is the flag to pass to
+.Xr ssh-keygen 1
+that specifies the number of bits to create in the RSA host key generated for
+ssh protocol version 2.
+The minimum size is 768 bits, and the default is 2048 bits.
+Generally, 2048 bits is considered sufficient, but the maximum is 4096 bits.
+Leaving this empty will set the size to default.
+.It Va ecdsa_keysize_flag
+.Pq Vt str
+If
+.Va sshd_enable
+is set to
+.Dq Li YES ,
+this is the flag to pass to
+.Xr ssh-keygen 1
+that determines the key length by selecting from one of three elliptic curve
+sizes used to create the ECDSA key generated for ssh protocol version 2.
+The three choices are 256, 384, and 521 bits with 256 bits being the default.
+Attempting to use bit lengths other than these three values will fail.
+Leaving this empty will set the size to default.
 .It Va ftpd_program
 .Pq Vt str
 Path to the FTP server program
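Review bot: The two new variables in the attached rc.conf.5 hunk, rsa_keysize_flag and ecdsa_keysize_flag, drop the sshd_ prefix that the neighbouring sshd_enable and sshd_flags entries use, so they will not group with the other sshd knobs in rc.conf; sshd_rsa_keysize_flag and sshd_ecdsa_keysize_flag would match the existing convention. The description "this is the flag to pass to ssh-keygen(1)" also leaves the value's form open (a bare bit count, or the complete ssh-keygen -b argument), so each .It entry should carry one example value. Finally, the ECDSA paragraph says that other lengths "will fail" but the RSA paragraph only states the 768..4096 range without saying whether the rc script or ssh-keygen rejects values outside it; stating that explicitly would keep the two entries consistent.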
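For readers following the thread, here is an added example of the kind of validation an rc script would want before it hands these settings to ssh-keygen(1). It is not the patch's code nor FreeBSD's rc.d script: the function names (rsa_keysize, ecdsa_keysize, keygen_args, generate_host_key) and the /tmp key paths are this example's own assumptions, and the accepted ranges follow what the attached rc.conf.5.diff documents (RSA 768 to 4096 bits, default 2048; ECDSA 256, 384 or 521, default 256). It also shows how to confirm, with ssh-keygen -l, that the generated key really has the requested size, so a bad setting is caught at generation time rather than by the first client that connects.

```shell
#!/bin/sh
# Added example, not part of the patch. Validates rc.conf-style host key
# size settings and builds the ssh-keygen(1) argument list from them.
# Helper names and /tmp paths below are this example's own assumptions.

# Print the validated RSA bit count, or fail. An empty value means "default".
rsa_keysize() {
    size=${1:-2048}
    case $size in
        *[!0-9]*) echo "rsa_keysize_flag must be a number, got '$1'" >&2; return 1 ;;
    esac
    if [ "$size" -lt 768 ] || [ "$size" -gt 4096 ]; then
        echo "rsa_keysize_flag $size is outside 768..4096" >&2
        return 1
    fi
    echo "$size"
}

# Print the validated ECDSA curve size, or fail. Only the three NIST curve
# sizes that ssh-keygen accepts are allowed; anything else would fail later.
ecdsa_keysize() {
    size=${1:-256}
    case $size in
        256|384|521) echo "$size" ;;
        *) echo "ecdsa_keysize_flag must be 256, 384 or 521, got '$1'" >&2; return 1 ;;
    esac
}

# Build the ssh-keygen argument list for one host key.
# Usage: keygen_args rsa|ecdsa <size-or-empty> <keyfile>
keygen_args() {
    type=$1; size=$2; file=$3
    case $type in
        rsa)   size=$(rsa_keysize "$size")   || return 1 ;;
        ecdsa) size=$(ecdsa_keysize "$size") || return 1 ;;
        *)     echo "unknown key type '$type'" >&2; return 1 ;;
    esac
    # Host keys are unencrypted (-N ''), as sshd must load them at boot.
    echo "-t $type -b $size -N '' -f $file"
}

# Generate the key when ssh-keygen is installed, then print the fingerprint
# line so the bit length ssh-keygen reports can be checked against the request.
generate_host_key() {
    args=$(keygen_args "$1" "$2" "$3") || return 1
    if ! command -v ssh-keygen >/dev/null 2>&1; then
        echo "ssh-keygen not found; would run: ssh-keygen -q $args" >&2
        return 0
    fi
    eval ssh-keygen -q "$args" && ssh-keygen -l -f "$3.pub"
}

# Demo: run with --demo to generate a 4096-bit RSA and a 521-bit ECDSA key
# under /tmp (constructed paths, not the system's /etc/ssh).
if [ "${1:-}" = "--demo" ]; then
    generate_host_key rsa   4096 /tmp/ssh_host_rsa_key
    generate_host_key ecdsa 521  /tmp/ssh_host_ecdsa_key
fi
```

The validation functions are pure shell, so they can be unit-tested without ssh-keygen; only generate_host_key touches the filesystem, and it degrades to printing the command when the tool is absent.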