Message-ID: <4FE79036.2020503@FreeBSD.org>
Date: Sun, 24 Jun 2012 15:09:58 -0700
From: Doug Barton
To: Robert Simmons
Cc: freebsd-security@freebsd.org
Subject: Re: Add rc.conf variables to control host key length

On 06/24/2012 09:07, Robert Simmons wrote:
> Here is a set of patches that add functionality to rc.conf allowing
> users an easy way to control the length of the host keys used with ssh

Sorry, this doesn't belong in rc.d. The defaults are more than sufficient for the overwhelming majority of FreeBSD users. As has already been pointed out to you, the key can easily be changed after the system has booted for the first time.

Knobs in rc.d should be for things that users are likely to need to configure, and/or need to be run often. Host key generation happens exactly one time in the life of a system, so this is neither.

... and yes, I stay very up to date on current discussions of cryptographic topics, including RSA key lengths.
If you can point to a realistic threat model that would allow a 2048 bit key to be compromised where a larger RSA key would not, it would be worthwhile to have a discussion about changing the defaults. But it still wouldn't belong in rc.d.

hope this helps,

Doug

-- 
This .signature sanitized for your protection