From nobody Wed Sep 25 15:19:15 2024 X-Original-To: freebsd-arch@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4XDL450mPnz5XLxv for ; Wed, 25 Sep 2024 15:19:17 +0000 (UTC) (envelope-from 0100019229c3e0d7-fd2e827b-6647-41a1-bc89-39367954f98c-000000@amazonses.com) Received: from a8-56.smtp-out.amazonses.com (a8-56.smtp-out.amazonses.com [54.240.8.56]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 4XDL446Bd8z4NNN for ; Wed, 25 Sep 2024 15:19:16 +0000 (UTC) (envelope-from 0100019229c3e0d7-fd2e827b-6647-41a1-bc89-39367954f98c-000000@amazonses.com) Authentication-Results: mx1.freebsd.org; none DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/simple; s=dqtolf56kk3wpt62c3jnwboqvr7iedax; d=tarsnap.com; t=1727277556; h=Message-ID:Date:MIME-Version:Subject:To:Cc:References:From:In-Reply-To:Content-Type:Content-Transfer-Encoding; bh=GXATfK2z4q7/HznnrcalJZg0lvC/0jb6fg9z8yGwRzw=; b=Up/UqclOLz7Y9kIqravoxgZaeyEaokN21nqaVfadLRgO1Q/25PbK7pVxspDAHMEa 8bXXQopkHbFMFeJ4LcgYS6ERT6tlcBOz7/KgSBFU3w6pU/O+K+ANvZAU4YeC04Auc7j jEp9L5zheswpSdKgyFg929phv7C4HxZ0q/Rp/PjY= DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/simple; s=ug7nbtf4gccmlpwj322ax3p6ow6yfsug; d=amazonses.com; t=1727277556; h=Message-ID:Date:MIME-Version:Subject:To:Cc:References:From:In-Reply-To:Content-Type:Content-Transfer-Encoding:Feedback-ID; bh=GXATfK2z4q7/HznnrcalJZg0lvC/0jb6fg9z8yGwRzw=; b=PcEKylmx9+cdKJrJ0wQ4h0d3h5YZXFte4IltHbPbfqGALG9pC6437Nht3mxuhEvv 5hcjfaQpcKuDSjvfCo2QhZoZXMQqBFyVaSZ6sjNLWpfHMerSCqr3vTMijm3635l2aD6 E+Cu/9ONjEUyd040uCFMRoau68STGo0E9FoNz/h8= Message-ID: <0100019229c3e0d7-fd2e827b-6647-41a1-bc89-39367954f98c-000000@email.amazonses.com> Date: Wed, 25 Sep 2024 15:19:15 +0000 List-Id: Discussion related to FreeBSD architecture List-Archive: https://lists.freebsd.org/archives/freebsd-arch List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-freebsd-arch@FreeBSD.org MIME-Version: 1.0 User-Agent: Mozilla Thunderbird Subject: Re: Deprecating RSA ssh host keys in 16 To: Shawn Webb Cc: freebsd-arch@freebsd.org, Li-Wen Hsu , Ronald Klop References: <0100019225563885-e7f0aed8-cff8-4247-8bcd-861aed3e5cc7-000000@email.amazonses.com> Content-Language: en-US From: Colin Percival In-Reply-To: Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 7bit Feedback-ID: ::1.us-east-1.Lv9FVjaNvvR5llaqfLoOVbo2VxOELl7cjN0AOyXnPlk=:AmazonSES X-SES-Outgoing: 2024.09.25-54.240.8.56 X-Rspamd-Pre-Result: action=no action; module=replies; Message is reply to one we originated X-Spamd-Result: default: False [-4.00 / 15.00]; REPLY(-4.00)[]; ASN(0.00)[asn:14618, ipnet:54.240.8.0/21, country:US] X-Rspamd-Queue-Id: 4XDL446Bd8z4NNN X-Spamd-Bar: ---- On 9/24/24 12:16, Shawn Webb wrote: > On Tue, Sep 24, 2024 at 06:41:00PM UTC, Colin Percival wrote: >> I don't think we should turn off RSA host key generation in general in >> 15.x since for non-VM/cloud images the first boot time is less relevant >> (if you're installing from an ISO image, the installer will take far >> longer than the host key generation) but I think it would make sense to >> deprecate RSA host keys in 15 and then turn them off by default in 16. >> [...] > > With commit e3f33c64ec168a48038309af0c237eda86d10c74[1], introduced on > 14 Nov 2024, HardenedBSD has disabled the generation of RSA host keys > by default. > > We haven't seen any reports of any breakage. While the change might be > considered a POLA violation, it seems pretty harmless on today's > 15-CURRENT systems. > > We have a number of 15-CURRENT users, though we don't have any hard > data, and likely pales in comparison to the FreeBSD side--enough so > that the sample is too small to be a significant or reliable data > point. It's still a very helpful data point! I've also had one response from someone with old IoT systems which only understand RSA host keys, so I think my proposed timeline of "warn people now that it will be disabled by default in 16" is the way to go. Colin Percival