From owner-freebsd-security@FreeBSD.ORG Sun Jun 24 18:15:47 2012
Date: Sun, 24 Jun 2012 14:15:43 -0400
From: "J. Hellenthal" <jhellenthal@DataIX.net>
To: Robert Simmons
Cc: freebsd-security@freebsd.org
Subject: Re: Add rc.conf variables to control host key length
Message-ID: <20120624181543.GA3652@DataIX.net>
References: <4828EFCC-E60A-4961-9228-4A1ADAD28F73@lists.zabbadoz.net> <20120624165920.GA85913@DataIX.net>
List-Id: "Security issues [members-only posting]"

On Sun, Jun 24, 2012 at 01:26:21PM -0400, Robert Simmons wrote:
> On Sun, Jun 24, 2012 at 12:59 PM, J. Hellenthal wrote:
> > These are more than sufficient for any normal ssh use.
>
> I'm sorry if I sound rude, but I wanted to have a bit more of a
> substantive discussion than quoting the man pages. Especially since
> what you are quoting dates back to a change to
> src/crypto/openssh/ssh-keygen.1 dated the following:
> Sun Sep 11 16:50:35 2005 UTC (6 years, 9 months ago) by des
>
> Being that the old "considered sufficient" of 1024 was added at the
> following revision date:
> Thu Feb 24 14:29:46 2000 UTC (12 years, 4 months ago) by markm
>

There is nothing stopping you from changing a key after the system has
booted, e.g. by using the rc script itself, if you feel it is not
sufficient. Given OpenBSD is usually always on the far safe side of
things, taking the security approach before simplicity, I would
extremely agree that it is more than sufficient. But then again, what is
good for the masses is not always good enough for the security paranoid,
and giving credit to such is what keeps everyone safe.

( /usr/local/etc/rc.d/openssh keygen ) # regenerate your keys

Which should generate a new set of keys, keeping you safe for another X
amount of years.

- or -

ssh-keygen -t rsa -b [NNNN] -f /usr/local/etc/ssh/ssh_host_rsa_key

But the initial key being the default? It's sufficient to get you in and
started on a remote system.

> I would say that we are exactly due for a real discussion as to what
> should be considered sufficient with regards to modern processors and
> GPUs.

Unfortunately I see that as a different thread: "Hardware potential to
duplicate existing host keys... RSA DSA ECDSA"

--
- (2^(N-1))
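As an added example that is not part of this thread, the following POSIX sh audit reports host keys whose bit length falls below a per-type minimum, parsing the output of `ssh-keygen -l`. The minimum sizes, the `/etc/ssh` default directory and the function names are assumptions for illustration, not FreeBSD or OpenSSH settings.

```shell
#!/bin/sh
# Minimum acceptable host key size per key type (assumed policy values).
min_bits_for_type() {
  case "$1" in
    RSA)     echo 2048 ;;
    DSA)     echo 1024 ;;   # ssh-keygen only generates 1024-bit DSA keys
    ECDSA)   echo 256 ;;
    ED25519) echo 256 ;;
    *)       echo 0 ;;      # unknown type: always reported as WEAK
  esac
}

# Classify one line of `ssh-keygen -l` output as OK or WEAK.
# Both old (hex fingerprint) and new (SHA256) formats look like:
#   <bits> <fingerprint> <comment> (<TYPE>)
classify_fingerprint_line() {
  bits=$(printf '%s\n' "$1" | awk '{print $1}')
  ktype=$(printf '%s\n' "$1" | sed -n 's/.*(\([A-Z0-9]*\))$/\1/p')
  min=$(min_bits_for_type "$ktype")
  if [ "$min" -gt 0 ] && [ "$bits" -ge "$min" ]; then
    echo OK
  else
    echo WEAK
  fi
}

# Walk the public host keys in a directory (default /etc/ssh, an
# assumption) and print one classified line per key.  Keys that
# ssh-keygen cannot read are skipped rather than aborting the audit.
audit_host_keys() {
  dir=${1:-/etc/ssh}
  for key in "$dir"/ssh_host_*_key.pub; do
    [ -r "$key" ] || continue
    line=$(ssh-keygen -l -f "$key" 2>/dev/null) || continue
    echo "$(classify_fingerprint_line "$line") $key: $line"
  done
}
```

Run `audit_host_keys /etc/ssh` (or the ports OpenSSH directory used in the mail) to list every host key with its verdict; any WEAK entry is a candidate for the regeneration step described above.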