Date: Tue, 24 Sep 2024 12:09:03 +0200
From: Ronald Klop <ronald@FreeBSD.org>
To: Colin Percival <cperciva@FreeBSD.org>, src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
Subject: Re: git: 0aabcd75dbc2 - main - EC2: Disable RSA host key generation for sshd
Message-ID: <9ce619ca-07b0-47d6-9ed6-4c6fe5dbd801@FreeBSD.org>
In-Reply-To: <202409180648.48I6mKNj004233@gitrepo.freebsd.org>
References: <202409180648.48I6mKNj004233@gitrepo.freebsd.org>
On 18-09-2024 at 08:48, Colin Percival wrote:
> The branch main has been updated by cperciva:
>
> URL: https://cgit.FreeBSD.org/src/commit/?id=0aabcd75dbc2457be65e3c3c46948761ac5e50ed
>
> commit 0aabcd75dbc2457be65e3c3c46948761ac5e50ed
> Author: Colin Percival <cperciva@FreeBSD.org>
> AuthorDate: 2024-09-11 05:00:07 +0000
> Commit: Colin Percival <cperciva@FreeBSD.org>
> CommitDate: 2024-09-18 06:47:58 +0000
>
> EC2: Disable RSA host key generation for sshd
>
> These are largely obsolete, and generating them is responsible for
> over 10% of the total boot time of EC2 instances.
>

Wouldn't it be a good idea to disable this in general in 15-CURRENT?
It wouldn't affect existing installations.

Regards,
Ronald.

> Sponsored by: Amazon
> Differential Revision: https://reviews.freebsd.org/D46638
> --- > release/tools/ec2.conf | 3 +++ > 1 file changed, 3 insertions(+) > > diff --git a/release/tools/ec2.conf b/release/tools/ec2.conf > index 2cca5fa713af..34434f86a0b1 100644 > --- a/release/tools/ec2.conf > +++ b/release/tools/ec2.conf > @@ -71,6 +71,9 @@ ec2_common() { > 's/^#KbdInteractiveAuthentication yes/KbdInteractiveAuthentication no/' \ > ${DESTDIR}/etc/ssh/sshd_config > > + # RSA host keys are obsolete and also very slow to generate > + echo 'sshd_rsa_enable="NO"' >> ${DESTDIR}/etc/rc.conf > + > # Use FreeBSD Update mirrors hosted in AWS > sed -i '' -e 's/update.FreeBSD.org/aws.update.FreeBSD.org/' \ > ${DESTDIR}/etc/freebsd-update.conf >
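Review bot: The comment on the added sshd_rsa_enable="NO" line calls RSA host keys "obsolete" where the commit message says "largely obsolete", and neither the hunk nor the message tells an operator how to get an RSA host key back for a client that still needs one. Suggest wording the comment to match the commit message and noting that a later sshd_rsa_enable="YES" in rc.conf re-enables generation. Since this changes which host key types a newly launched EC2 instance presents, it also seems worth a release-notes entry.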