Date:      Wed, 25 Sep 2024 15:19:15 +0000
From:      Colin Percival <cperciva@tarsnap.com>
To:        Shawn Webb <shawn.webb@hardenedbsd.org>
Cc:        freebsd-arch@freebsd.org, Li-Wen Hsu <lwhsu@freebsd.org>,  Ronald Klop <ronald@freebsd.org>
Subject:   Re: Deprecating RSA ssh host keys in 16
Message-ID:  <0100019229c3e0d7-fd2e827b-6647-41a1-bc89-39367954f98c-000000@email.amazonses.com>
In-Reply-To: <wzyhp2k7fyvg6qxrkrs32uweiuijpv7f6sjjt2yuonob7py3gj@7f7xdqj72erk>
References:  <0100019225563885-e7f0aed8-cff8-4247-8bcd-861aed3e5cc7-000000@email.amazonses.com> <wzyhp2k7fyvg6qxrkrs32uweiuijpv7f6sjjt2yuonob7py3gj@7f7xdqj72erk>

On 9/24/24 12:16, Shawn Webb wrote:
> On Tue, Sep 24, 2024 at 06:41:00PM UTC, Colin Percival wrote:
>> I don't think we should turn off RSA host key generation in general in
>> 15.x since for non-VM/cloud images the first boot time is less relevant
>> (if you're installing from an ISO image, the installer will take far
>> longer than the host key generation) but I think it would make sense to
>> deprecate RSA host keys in 15 and then turn them off by default in 16.
>> [...]
> 
> With commit e3f33c64ec168a48038309af0c237eda86d10c74[1], introduced on
> 14 Nov 2024, HardenedBSD has disabled the generation of RSA host keys
> by default.
> 
> We haven't seen any reports of any breakage. While the change might be
> considered a POLA violation, it seems pretty harmless on today's
> 15-CURRENT systems.
> 
> We have a number of 15-CURRENT users, though we don't have any hard
> data, and it likely pales in comparison to the FreeBSD side--enough so
> that the sample is too small to be a significant or reliable data
> point.

It's still a very helpful data point!  I've also had one response from
someone with old IoT systems which only understand RSA host keys, so I
think my proposed timeline of "warn people now that it will be disabled
by default in 16" is the way to go.

Colin Percival
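A client-side way to find out which hosts would be affected by such a change, as an added example that is not part of this thread or of FreeBSD's own tooling: the script parses an OpenSSH known_hosts file (ssh-keyscan output uses the same line format) and reports hosts that the client knows only by an ssh-rsa host key, decoding the RSA key blob to show the modulus size and to confirm the declared key type matches the blob. The sample entries, host names and keys are constructed for the example and are not real keys.

```python
"""Audit an OpenSSH known_hosts file (or ssh-keyscan output, which uses the
same line format) for hosts that a client only knows by an RSA host key.
Constructed example; not code from the FreeBSD thread."""
import base64
import struct
from collections import defaultdict


def _ssh_string(data):
    """Encode bytes as an SSH wire-format string (uint32 length + bytes)."""
    return struct.pack(">I", len(data)) + data


def _ssh_mpint(value):
    """Encode a non-negative int as an SSH mpint (big-endian, sign bit clear)."""
    nbytes = (value.bit_length() + 8) // 8   # one extra byte when the high bit is set
    return _ssh_string(value.to_bytes(nbytes, "big"))


def _read_string(blob, offset):
    """Read one SSH wire-format string at offset; return (bytes, new offset)."""
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    start = offset + 4
    return blob[start:start + length], start + length


def parse_known_hosts(text):
    """Parse known_hosts lines into dicts: hosts, marker, type, bits (RSA only)."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        marker = None
        if fields[0].startswith("@"):          # @cert-authority or @revoked
            marker, fields = fields[0], fields[1:]
        if len(fields) < 3:
            continue                           # malformed line; skip rather than guess
        hosts, declared_type, blob_b64 = fields[0], fields[1], fields[2]
        blob = base64.b64decode(blob_b64)
        embedded_type, offset = _read_string(blob, 0)
        embedded_type = embedded_type.decode("ascii")
        bits = None
        if embedded_type == "ssh-rsa":
            _e, offset = _read_string(blob, offset)       # public exponent (unused here)
            n_bytes, offset = _read_string(blob, offset)  # modulus
            bits = int.from_bytes(n_bytes, "big").bit_length()
        entries.append({
            "hosts": hosts.split(","),        # hashed (|1|...) tokens are kept as-is
            "marker": marker,
            "type": declared_type,
            "type_matches_blob": declared_type == embedded_type,
            "bits": bits,
        })
    return entries


def rsa_only_hosts(entries):
    """Hosts (or hashed host tokens) whose only known host key type is ssh-rsa."""
    types_by_host = defaultdict(set)
    for entry in entries:
        if entry["marker"]:                    # CA and revocation lines are not host keys
            continue
        for host in entry["hosts"]:
            types_by_host[host].add(entry["type"])
    return sorted(h for h, t in types_by_host.items() if t == {"ssh-rsa"})


# Constructed sample input: synthetic keys built from fixed integers, not real host keys.
_RSA_2048 = base64.b64encode(
    _ssh_string(b"ssh-rsa") + _ssh_mpint(65537) + _ssh_mpint((1 << 2047) | 1)).decode()
_RSA_1024 = base64.b64encode(
    _ssh_string(b"ssh-rsa") + _ssh_mpint(65537) + _ssh_mpint((1 << 1023) | 1)).decode()
_ED25519 = base64.b64encode(
    _ssh_string(b"ssh-ed25519") + _ssh_string(bytes(32))).decode()

SAMPLE_KNOWN_HOSTS = f"""# constructed known_hosts
gateway.example.net,192.0.2.10 ssh-rsa {_RSA_2048}
gateway.example.net,192.0.2.10 ssh-ed25519 {_ED25519}
legacy-iot.example.net ssh-rsa {_RSA_1024}
@cert-authority *.example.net ssh-ed25519 {_ED25519}
"""

if __name__ == "__main__":
    parsed = parse_known_hosts(SAMPLE_KNOWN_HOSTS)
    for entry in parsed:
        print(entry)
    print("RSA-only hosts:", rsa_only_hosts(parsed))
```

Run against a real file with `parse_known_hosts(open("~/.ssh/known_hosts").read())`; hosts that come back from `rsa_only_hosts` are the ones a client has never seen offer a non-RSA host key, which is the population that would notice RSA host keys disappearing from a server's default set.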
