From nobody Wed Sep 25 17:24:54 2024
X-Original-To: freebsd-arch@mlmmj.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
	by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4XDNs35KpFz5XV9G
	for <freebsd-arch@mlmmj.nyi.freebsd.org>; Wed, 25 Sep 2024 17:24:55 +0000 (UTC)
	(envelope-from des@freebsd.org)
Received: from smtp.freebsd.org (smtp.freebsd.org [IPv6:2610:1c1:1:606c::24b:4])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256
	 client-signature RSA-PSS (4096 bits) client-digest SHA256)
	(Client CN "smtp.freebsd.org", Issuer "R10" (verified OK))
	by mx1.freebsd.org (Postfix) with ESMTPS id 4XDNs344trz4dnH;
	Wed, 25 Sep 2024 17:24:55 +0000 (UTC)
	(envelope-from des@freebsd.org)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim;
	t=1727285095;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:cc:mime-version:mime-version:content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding:
	 in-reply-to:in-reply-to:references:references;
	bh=ii7CYjRmKThevR4actsSDJcqRpFVTPmVGBJEpdPvsjU=;
	b=vNNgSlANfHEiS6Q4hIFZWIjPLKvhSNT5yRppcSQE2QdeSP9v5bvsf0JxrtJzJ8UbyG4xjt
	sLA7FXbS4YbYVkMgNwGpUOl21yErX1UsPioM/Uq/WBFVwYTsd7ZShP5Gjt4edLvqIYslSy
	/UdrJcraFFc0vm6kYnH4mwCDSdqYacZz8taqVOMLqd1OCTd+5ga1q6O2FFHmFMHiUV/Wib
	NuECYKzdcXQmugPY3oK6r5JXduoOVaByYHVkNMxkxWLHgHI4j2qsnyahZL9dmnU0wXQjvD
	PM8TYR5nR6Joeyzo7BAx8jxBQCK/3GfUUDryUFVqE/8bA2EXjxtV53+gAeGQFw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org;
	s=dkim; t=1727285095;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:cc:mime-version:mime-version:content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding:
	 in-reply-to:in-reply-to:references:references;
	bh=ii7CYjRmKThevR4actsSDJcqRpFVTPmVGBJEpdPvsjU=;
	b=kVdNVdOXDbE5ajqqUh1wOekrKxn521kIFqRbvsiiadMCTlXEoPbmucP6VNAwddSaSPi5kP
	ZXjoG+UIlE+oWBe+LtF9mGFNBiMb08QqWI6weBLH0hmmEo6E9JTgR9n8EGKp2ugYTjmi9l
	VQLoo+oj5ucu5sDErYJRiPbKgV9ydGbeNliC7CyMWFffXb/+5XhNSK//Fie98GO+CP0tcC
	dqdpel9NRpYpJDlv9v/gBoCM2hcpQ5olmahknvx8iHo6w32R+X+j/AjBDUeKslXX9kTDLS
	cAeq4baSbSEoIIqlI62yDEuh/YKr/DXyuRYX8Zr/XGyxDw3c3ejyYviI9nCmcA==
ARC-Authentication-Results: i=1;
	mx1.freebsd.org;
	none
ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1727285095; a=rsa-sha256; cv=none;
	b=n34cu4Eh7lCgCFLxkEpZCPPPjykCr3tIkvc0xJUTTWNLv2G1SyL5CxUr5LyofM0t48ljGq
	8U27HLMjWfmsNcrQbHSHzUoPn3e3aHZmZBEUoUjvc6ZlBoWV9d69YRvUyyp2YnEyn0LAB5
	y4EPr2qI/WE5qKyNE1sRZBU42tlloies5N5z2wB+L7K2H+pqkp3P2gPfV7gs8npStCiIGN
	Dio9djB94/MMFDZYqo1/uwOgGNaDsMf/iS2x4RUO/+13cigN32XdAZAoDQKr24AHFtsd17
	z8c3YEz9wowogJI5ckkHWzRjSOwrP4U0N4PDsOLEEnJ+49A8jkIWUtbvHEBYvA==
Received: from ltc.des.dev (unknown [IPv6:2a01:e0a:386:9c20:922e:16ff:fef1:acef])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256)
	(Client did not present a certificate)
	(Authenticated sender: des)
	by smtp.freebsd.org (Postfix) with ESMTPSA id 4XDNs32wZBz16pY;
	Wed, 25 Sep 2024 17:24:55 +0000 (UTC)
	(envelope-from des@freebsd.org)
Received: by ltc.des.dev (Postfix, from userid 1001)
	id 3E174BF131; Wed, 25 Sep 2024 19:24:54 +0200 (CEST)
From: =?utf-8?Q?Dag-Erling_Sm=C3=B8rgrav?= <des@FreeBSD.org>
To: Colin Percival <cperciva@tarsnap.com>
Cc: Shawn Webb <shawn.webb@hardenedbsd.org>,  freebsd-arch@freebsd.org,
  Li-Wen Hsu <lwhsu@freebsd.org>,  Ronald Klop <ronald@freebsd.org>
Subject: Re: Deprecating RSA ssh host keys in 16
In-Reply-To: <0100019229c3e0d7-fd2e827b-6647-41a1-bc89-39367954f98c-000000@email.amazonses.com>
	(Colin Percival's message of "Wed, 25 Sep 2024 15:19:15 +0000")
References: <0100019225563885-e7f0aed8-cff8-4247-8bcd-861aed3e5cc7-000000@email.amazonses.com>
	<wzyhp2k7fyvg6qxrkrs32uweiuijpv7f6sjjt2yuonob7py3gj@7f7xdqj72erk>
	<0100019229c3e0d7-fd2e827b-6647-41a1-bc89-39367954f98c-000000@email.amazonses.com>
User-Agent: Gnus/5.13 (Gnus v5.13)
Date: Wed, 25 Sep 2024 19:24:54 +0200
Message-ID: <868qvfy7bt.fsf@ltc.des.dev>
List-Id: Discussion related to FreeBSD architecture <freebsd-arch.freebsd.org>
List-Archive: https://lists.freebsd.org/archives/freebsd-arch
List-Help: <mailto:freebsd-arch+help@freebsd.org>
List-Post: <mailto:freebsd-arch@freebsd.org>
List-Subscribe: <mailto:freebsd-arch+subscribe@freebsd.org>
List-Unsubscribe: <mailto:freebsd-arch+unsubscribe@freebsd.org>
Sender: owner-freebsd-arch@FreeBSD.org
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable

Colin Percival <cperciva@tarsnap.com> writes:
> It's still a very helpful data point!  I've also had one response from
> someone with old IoT systems which only understand RSA host keys, so I
> think my proposed timeline of "warn people now that it will be disabled
> by default in 16" is the way to go.

Why is an IoT system making outbound ssh connections?  That's the only
way it would ever be aware of another system's host key.

Btw, I believe there is either a Bugzilla ticket or a Phabricator review
somewhere that makes the list of host key algorithms configurable (and
it's trivial to recreate if you can't find it).

Oh, and should we perhaps also disable (non-elliptic) DSA host keys?

DES
--=20
Dag-Erling Sm=C3=B8rgrav - des@FreeBSD.org