From: "Chad J. Milios"
Subject: Re: [PATCH] Please review this rc.d/sshd tiny yet ripe low hanging fruit for me.
Date: Sat, 8 Aug 2015 00:05:37 -0400
To: freebsd-rc@freebsd.org, freebsd-security@freebsd.org, freebsd-questions@freebsd.org

On Aug 7, 2015, at 1:46 PM, Chad J. Milios wrote:

> ...I apologize for the list-bombing, if I may have a moment of your time:
> TLDR:
> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=159642&action=diff
> …..
> My Concerns:
> ONE is adding functionality allowing an admin to tweak the key generation sshd makes upon its first run using variables in rc.conf instead of the current-day requirement of essentially manually generating those keys, hopefully the same way, putting them hopefully in the right place. (Not hard for most of us, I know.) TWO, then, is adding some sort of red paint to a foot-aimed gun I came across when considering the variable names in rc.d/sshd and the lack of mention in defaults/rc.conf or man 5 rc.conf.
> …..

FYI, I have ported the identical functionality now to the security/openssl-portable and security/openssl-portable-devel ports so no one has to miss out. Please would you try one out and now configure your (-b)etter keys in a consistent way in new deployments from now on, or upgrade yours if you are using defaults, and delete existing /etc/ssh/ssh_host_foo_key* files manually if you intend to update them.

Knocking out little fixes like this will keep making things like sysrc more useful and mergemaster even more worthless, bless its tired heart. Help assure this works as intended in many cases with as many ssh options as possible. THANKS

PATCHES: either...

base system:
https://bugs.freebsd.org/bugzilla/attachment.cgi?id=159642&action=diff

ports/security/openssl-portable:
https://bz-attachments.freebsd.org/attachment.cgi?id=159654

ports/security/openssl-portable-devel:
https://bugs.freebsd.org/bugzilla/attachment.cgi?id=159655&action=diff

Thank you all.

PS here are a couple of configs I’d like to hear everyone's thoughts on.

Let’s mix up the monoculture more:

openssh_rsa1_keygen_enable="NO"
openssh_dsa_keygen_enable="NO"
openssh_rsa_keygen_flags="-b 4096"
openssh_ecdsa_keygen_flags="-b 521"
openssh_ed25519_keygen_enable="YES" #default

sshd_rsa1_keygen_enable="NO"
sshd_dsa_keygen_enable="NO"
sshd_rsa_keygen_flags="-b 16384"
sshd_ecdsa_keygen_enable="NO"
sshd_ed25519_keygen_enable="NO"

openssh_rsa1_keygen_enable="NO"
openssh_dsa_keygen_enable="NO"
openssh_rsa_keygen_enable="NO"
openssh_ecdsa_keygen_enable="NO"
openssh_ed25519_keygen_enable="YES" #default

Can we have a conversation about how best to configure things to require && (and) keys instead of || (or) keys for certain/all users? Using sshd_config and/or PAM?

openssh_rsa1_keygen_flags="-b 16384"
openssh_dsa_keygen_enable="YES" #default
openssh_rsa_keygen_flags="-b 16384"
openssh_ecdsa_keygen_flags="-b 521"
openssh_ed25519_keygen_enable="YES" #default
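An added example, not part of this thread or of the linked patches: a small Python audit that reads a policy written in the proposed `sshd_<alg>_keygen_enable` / `sshd_<alg>_keygen_flags` rc.conf variables and reports which existing ssh_host_*_key.pub files a host built under that policy would not have (a disabled algorithm still present, or an RSA modulus shorter than the `-b` size), which is the check an admin wants before deleting and regenerating host keys as the post suggests. The rc.conf fragment and the host keys are constructed inline (the key blobs are syntactically valid OpenSSH wire format but not real key pairs); the `fake_pub`, `audit` and `policy_for` names are this example's own.

```python
import base64, re, struct
# Constructed rc.conf fragment in the variable scheme proposed in the thread (not a real file).
SAMPLE_RC_CONF = 'sshd_dsa_keygen_enable="NO"\nsshd_rsa_keygen_flags="-b 4096"\nsshd_ed25519_keygen_enable="YES" #default\n'

def parse_rc_conf(text):  # simple KEY="value" lines to a dict; comments and anything else ignored
    pairs = (re.match(r'^\s*(\w+)="([^"]*)"', ln) for ln in text.splitlines())
    return {m.group(1): m.group(2) for m in pairs if m}

def policy_for(rc, prefix, alg):
    """(enabled, minimum bits) from <prefix>_<alg>_keygen_enable and <prefix>_<alg>_keygen_flags."""
    enabled = rc.get(f"{prefix}_{alg}_keygen_enable", "YES").upper() == "YES"
    m = re.search(r"-b\s+(\d+)", rc.get(f"{prefix}_{alg}_keygen_flags", ""))
    return enabled, (int(m.group(1)) if m else None)

def _fields(blob):  # split an OpenSSH public-key blob into its uint32-length-prefixed fields
    out, off = [], 0
    while off < len(blob):
        n = struct.unpack(">I", blob[off:off + 4])[0]
        out.append(blob[off + 4:off + 4 + n])
        off += 4 + n
    return out

def key_bits(pub_line):
    """(algorithm, bits) for one line of an ssh_host_*_key.pub file."""
    ktype, b64 = pub_line.split()[:2]
    f = _fields(base64.b64decode(b64))          # f[0] repeats the key type
    if ktype == "ssh-rsa":                       # f[1]=e, f[2]=n; size is the modulus length
        return "rsa", int.from_bytes(f[2], "big").bit_length()
    if ktype == "ssh-dss":                       # f[1]=p, f[2]=q, f[3]=g, f[4]=y
        return "dsa", int.from_bytes(f[1], "big").bit_length()
    if ktype == "ssh-ed25519":
        return "ed25519", 256
    raise ValueError(f"unsupported key type {ktype}")

def audit(rc, prefix, pub_lines):  # host keys the policy would not have generated
    findings = []
    for alg, bits in map(key_bits, pub_lines):
        enabled, min_bits = policy_for(rc, prefix, alg)
        if not enabled:
            findings.append(f"{alg}: key present but {prefix}_{alg}_keygen_enable=NO")
        elif min_bits and bits < min_bits:
            findings.append(f"{alg}: {bits} bits, policy asks for -b {min_bits}")
    return findings

def fake_pub(ktype, *ints):  # constructed .pub line from mpints: valid syntax, not a real key pair
    parts = [ktype.encode()] + [i.to_bytes(i.bit_length() // 8 + 1, "big") for i in ints]
    blob = b"".join(struct.pack(">I", len(p)) + p for p in parts)
    return f"{ktype} {base64.b64encode(blob).decode()} host@example"
SAMPLE_PUBS = [fake_pub("ssh-rsa", 65537, (1 << 2047) | 1),    # 2048-bit modulus placeholder
               fake_pub("ssh-dss", (1 << 1023) | 1, 1, 1, 1),  # 1024-bit p
               fake_pub("ssh-ed25519", 1 << 254)]              # 32-byte point placeholder
```

On a real host, feed `audit` the lines of `/etc/ssh/ssh_host_*_key.pub` and the parsed `/etc/rc.conf`; with the sample policy it flags the 2048-bit RSA key and the DSA key and passes the ed25519 key.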