From nobody Wed Sep 25 20:42:49 2024
X-Original-To: freebsd-arch@mlmmj.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
	by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4XDTFR0KyFz5Xh7M
	for <freebsd-arch@mlmmj.nyi.freebsd.org>; Wed, 25 Sep 2024 20:42:51 +0000 (UTC)
	(envelope-from 010001922aec1a6b-133cecdd-1d83-43eb-aa46-a0eb25252ccd-000000@amazonses.com)
Received: from a8-13.smtp-out.amazonses.com (a8-13.smtp-out.amazonses.com [54.240.8.13])
	(using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256)
	(Client did not present a certificate)
	by mx1.freebsd.org (Postfix) with ESMTPS id 4XDTFQ0mFQz56ZX
	for <freebsd-arch@freebsd.org>; Wed, 25 Sep 2024 20:42:50 +0000 (UTC)
	(envelope-from 010001922aec1a6b-133cecdd-1d83-43eb-aa46-a0eb25252ccd-000000@amazonses.com)
Authentication-Results: mx1.freebsd.org;
	dkim=pass header.d=tarsnap.com header.s=dqtolf56kk3wpt62c3jnwboqvr7iedax header.b=SvW62vMf;
	dkim=pass header.d=amazonses.com header.s=ug7nbtf4gccmlpwj322ax3p6ow6yfsug header.b=aKRZdDn9;
	spf=pass (mx1.freebsd.org: domain of 010001922aec1a6b-133cecdd-1d83-43eb-aa46-a0eb25252ccd-000000@amazonses.com designates 54.240.8.13 as permitted sender) smtp.mailfrom=010001922aec1a6b-133cecdd-1d83-43eb-aa46-a0eb25252ccd-000000@amazonses.com;
	dmarc=pass (policy=none) header.from=tarsnap.com
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/simple;
	s=dqtolf56kk3wpt62c3jnwboqvr7iedax; d=tarsnap.com; t=1727296969;
	h=Message-ID:Date:MIME-Version:Subject:To:Cc:References:From:In-Reply-To:Content-Type:Content-Transfer-Encoding;
	bh=ki/KsIDh2CcA0KFGa4zidgR2/yQXfTNAOgxCCgE47rc=;
	b=SvW62vMf6LgljtRA9wQX7o3y8LtQefSph5dGs7QsT9Z/f6fSHkR3DPBIt1f6Fe9y
	xSKhIxweXdzeYqlachRgZn1feyB1poCH/P2NUdEgsktWm0YilobGkuHnGzfYKLbEnz0
	gSaFHAXfDdVnAhGSaurX48MP2u+C5xaigDDiTlg0=
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/simple;
	s=ug7nbtf4gccmlpwj322ax3p6ow6yfsug; d=amazonses.com; t=1727296969;
	h=Message-ID:Date:MIME-Version:Subject:To:Cc:References:From:In-Reply-To:Content-Type:Content-Transfer-Encoding:Feedback-ID;
	bh=ki/KsIDh2CcA0KFGa4zidgR2/yQXfTNAOgxCCgE47rc=;
	b=aKRZdDn9ugkNG9JXGCDiT4AF2yem8oC9TifK2QXukgfq8b7dZG86PrMdOYdde232
	GAoYraEHC0ExC9WQizQNsSO3t4Nt937Jrks/sRLLqU/1FLZ27AbWndgwOygVWPlsJxo
	zza/LaRQhGBC/eDGIB/C8iC6GQN/6WFFU+XzPiW4=
Message-ID: <010001922aec1a6b-133cecdd-1d83-43eb-aa46-a0eb25252ccd-000000@email.amazonses.com>
Date: Wed, 25 Sep 2024 20:42:49 +0000
List-Id: Discussion related to FreeBSD architecture <freebsd-arch.freebsd.org>
List-Archive: https://lists.freebsd.org/archives/freebsd-arch
List-Help: <mailto:freebsd-arch+help@freebsd.org>
List-Post: <mailto:freebsd-arch@freebsd.org>
List-Subscribe: <mailto:freebsd-arch+subscribe@freebsd.org>
List-Unsubscribe: <mailto:freebsd-arch+unsubscribe@freebsd.org>
Sender: owner-freebsd-arch@FreeBSD.org
MIME-Version: 1.0
User-Agent: Mozilla Thunderbird
Subject: Re: Deprecating RSA ssh host keys in 16
To: Xin LI <delphij@gmail.com>, 
	=?UTF-8?Q?Dag-Erling_Sm=C3=B8rgrav?= <des@freebsd.org>
Cc: Shawn Webb <shawn.webb@hardenedbsd.org>, freebsd-arch@freebsd.org, 
	Li-Wen Hsu <lwhsu@freebsd.org>, Ronald Klop <ronald@freebsd.org>
References: <0100019225563885-e7f0aed8-cff8-4247-8bcd-861aed3e5cc7-000000@email.amazonses.com>
 <wzyhp2k7fyvg6qxrkrs32uweiuijpv7f6sjjt2yuonob7py3gj@7f7xdqj72erk>
 <0100019229c3e0d7-fd2e827b-6647-41a1-bc89-39367954f98c-000000@email.amazonses.com>
 <868qvfy7bt.fsf@ltc.des.dev>
 <CAGMYy3tzguXxQ_58YjOMju7xwUS=msLmW8_DajyfpnUatsq1=Q@mail.gmail.com>
Content-Language: en-US
From: Colin Percival <cperciva@tarsnap.com>
In-Reply-To: <CAGMYy3tzguXxQ_58YjOMju7xwUS=msLmW8_DajyfpnUatsq1=Q@mail.gmail.com>
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 8bit
Feedback-ID: ::1.us-east-1.Lv9FVjaNvvR5llaqfLoOVbo2VxOELl7cjN0AOyXnPlk=:AmazonSES
X-SES-Outgoing: 2024.09.25-54.240.8.13
X-Spamd-Result: default: False [-1.29 / 15.00];
	FORGED_MUA_THUNDERBIRD_MSGID_UNKNOWN(2.50)[];
	NEURAL_HAM_MEDIUM(-1.00)[-1.000];
	NEURAL_HAM_LONG(-1.00)[-1.000];
	NEURAL_HAM_SHORT(-1.00)[-0.999];
	DMARC_POLICY_ALLOW(-0.50)[tarsnap.com,none];
	FORGED_SENDER(0.30)[cperciva@tarsnap.com,010001922aec1a6b-133cecdd-1d83-43eb-aa46-a0eb25252ccd-000000@amazonses.com];
	R_SPF_ALLOW(-0.20)[+ip4:54.240.0.0/18:c];
	R_DKIM_ALLOW(-0.20)[tarsnap.com:s=dqtolf56kk3wpt62c3jnwboqvr7iedax,amazonses.com:s=ug7nbtf4gccmlpwj322ax3p6ow6yfsug];
	RWL_MAILSPIKE_GOOD(-0.10)[54.240.8.13:from];
	MIME_GOOD(-0.10)[text/plain];
	XM_UA_NO_VERSION(0.01)[];
	MIME_TRACE(0.00)[0:+];
	RCVD_IN_DNSWL_NONE(0.00)[54.240.8.13:from];
	ASN(0.00)[asn:14618, ipnet:54.240.8.0/21, country:US];
	ARC_NA(0.00)[];
	TO_DN_SOME(0.00)[];
	DKIM_TRACE(0.00)[tarsnap.com:+,amazonses.com:+];
	FREEMAIL_TO(0.00)[gmail.com,freebsd.org];
	MLMMJ_DEST(0.00)[freebsd-arch@freebsd.org];
	FROM_HAS_DN(0.00)[];
	RCVD_COUNT_ZERO(0.00)[0];
	FROM_NEQ_ENVFROM(0.00)[cperciva@tarsnap.com,010001922aec1a6b-133cecdd-1d83-43eb-aa46-a0eb25252ccd-000000@amazonses.com];
	DWL_DNSWL_NONE(0.00)[amazonses.com:dkim];
	TO_MATCH_ENVRCPT_SOME(0.00)[];
	RCPT_COUNT_FIVE(0.00)[6]
X-Rspamd-Queue-Id: 4XDTFQ0mFQz56ZX
X-Spamd-Bar: -

On 9/25/24 13:07, Xin LI wrote:
> On Wed, Sep 25, 2024 at 10:25 AM Dag-Erling Smørgrav <des@freebsd.org 
> <mailto:des@freebsd.org>> wrote:
>     Oh, and should we perhaps also disable (non-elliptic) DSA host keys?
> 
> Yes, please remove the generation of DSA host keys (I thought it was removed 
> in 2018 when you imported OpenSSH 7.7, but turns out it's only removed from 
> sshd_config).

DSA host key generation was disabled in af8ee1391d08c (August 2016).  If you
have DSA host keys I think they will get used, but we don't generate them by
default now.

> For the RSA host key I think deprecating now is fine and we should even remove 
> it from the default sshd_config configuration in 15.  OpenSSH implemented 
> ed25519 support in 6.5 (2014), which is 10 years ago, and ecdsa even earlier 
> than that, and for those who really needs it, they can always add it back to 
> sshd_config until the upstream have removed the support, which is probably not 
> going to happen anytime soon.

The place which controls key generation is /etc/rc.d/sshd:

: ${sshd_rsa_enable:="yes"}
: ${sshd_dsa_enable:="no"}
: ${sshd_ecdsa_enable:="yes"}
: ${sshd_ed25519_enable:="yes"}

and obviously the key-generation behaviour can be changed in /etc/rc.conf.

Colin Percival