Date: Wed, 9 Aug 2006 08:32:32 -0500
From: Brooks Davis
To: fwaggle
Cc: freebsd-security@freebsd.org
Subject: Re: seeding dev/random in 5.5

On Wed, Aug 09, 2006 at 09:29:44AM -0400, fwaggle wrote:
> Brooks Davis wrote:
> >On Wed, Aug 09, 2006 at 12:17:35AM -0700, R. B. Riddick wrote:
> >>--- Doug Barton wrote:
> [snip]
> >>* I received a private communication yesterday about this matter. But the
> >>list did not. I will cite (not literally) a little bit out of that
> >>message: Since you do not know anything about the remotely created
> >>host-key, u cannot connect safely to the freshly installed box, because:
> >>You do not even know the signature of the new host-key, so that if u
> >>connect to the wrong box u would not even know. Workaround: You could
> >>give all hosts the same well-known host-key (via your install-image-CD)
> >>and then u could change the host-key in a remotely controlled way
> >>individually and note down the signature? Maybe my secret informer
> >>(let's call him Rasmus or RK) wants to come public... :-)
> >
> >These are valid if probably overly paranoid points. :)
> [/snip]
>
> i have a question. perhaps i'm misunderstanding something with how SSH
> works, but how would having a "standard freebsd private key" benefit
> anyone? if you wanted to impersonate a newly installed freebsd machine,
> then all you'd need is that freely-available private key. plus you'd get
> a bunch of clueless admins who had their machines installed by a
> dedicated server provider, and who'd never change their host key, which
> would effectively ruin SSH for their purposes.
>
> unless i've seriously missed the boat somewhere (it's happened before!)
> i think a better solution would still be random key generation with a
> nice little option to email the key signature somewhere that the new
> admin could pick it up. it's still fraught with impersonation danger for
> the paranoid, but imo it's a better idea than having a not-so-private
> key on install.

I interpreted the suggestion as something to be done via custom install
media. There's no chance in hell the freebsd project would install a
default key since it's such an obviously bad idea.

-- Brooks
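
The two checks discussed in this thread, as an added example that is not part of the original messages: comparing the key a host presents with a fingerprint received out of band, and flagging a host key that several machines share (an install-image key that was never replaced). It assumes the SHA256 fingerprint format printed by current OpenSSH; the function names, host names and key bytes are hypothetical and constructed for illustration.

```python
import base64
import hashlib
import struct
from collections import defaultdict

def _ssh_string(b: bytes) -> bytes:
    return struct.pack(">I", len(b)) + b

def make_pub_line(raw32: bytes, comment: str) -> str:
    """Build an ssh-ed25519 public key line from 32 constructed bytes."""
    blob = _ssh_string(b"ssh-ed25519") + _ssh_string(raw32)
    return f"ssh-ed25519 {base64.b64encode(blob).decode()} {comment}"

def fingerprint(pub_line: str) -> str:
    """SHA256 fingerprint of a public key line, unpadded base64 as OpenSSH prints it."""
    blob = base64.b64decode(pub_line.split()[1])
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def audit(observed: dict, recorded: dict) -> dict:
    """Compare the key each host presents with fingerprints received out of band."""
    hosts_by_fp = defaultdict(list)
    for host, line in observed.items():
        hosts_by_fp[fingerprint(line)].append(host)
    findings = {}
    for host, line in observed.items():
        fp = fingerprint(line)
        if host not in recorded:
            status = "unverified"
        elif recorded[host] != fp:
            status = "mismatch"
        else:
            status = "ok"
        # A key present on several hosts means its private half is not private,
        # so even a matching fingerprint does not identify the machine.
        if len(hosts_by_fp[fp]) > 1:
            status += "+shared"
        findings[host] = status
    return findings

# Constructed sample data: the byte patterns are placeholders, not real keys.
IMAGE_KEY = make_pub_line(bytes(range(32)), "install-image")
DB_KEY = make_pub_line(bytes(range(32, 64)), "db1")
MAIL_KEY = make_pub_line(bytes(range(64, 96)), "mail1")
OBSERVED = {"web1": IMAGE_KEY, "web2": IMAGE_KEY, "db1": DB_KEY, "mail1": MAIL_KEY}
RECORDED = {"web1": fingerprint(IMAGE_KEY), "db1": fingerprint(DB_KEY),
            "mail1": fingerprint(DB_KEY)}  # constructed wrong record for mail1

if __name__ == "__main__":
    for host, status in audit(OBSERVED, RECORDED).items():
        print(f"{host}: {status}")
```

Here web1 reports "ok+shared": its fingerprint matches the record, yet the key is also on web2, so the match says nothing about which machine answered.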