Date: Sun, 24 Jun 2012 15:09:58 -0700 From: Doug Barton <dougb@FreeBSD.org> To: Robert Simmons <rsimmons0@gmail.com> Cc: freebsd-security@freebsd.org Subject: Re: Add rc.conf variables to control host key length Message-ID: <4FE79036.2020503@FreeBSD.org> In-Reply-To: <CA%2BQLa9CX26xEwRsz3g6FvBBbbFE0Gfw%2BUR6_RHYOXgZFcgCw5w@mail.gmail.com> References: <CA%2BQLa9CX26xEwRsz3g6FvBBbbFE0Gfw%2BUR6_RHYOXgZFcgCw5w@mail.gmail.com>
next in thread | previous in thread | raw e-mail | index | archive | help
On 06/24/2012 09:07, Robert Simmons wrote:
> Here is a set of patches that add functionality to rc.conf allowing
> users an easy way to control the length of the host keys used with ssh
Sorry, this doesn't belong in rc.d. The defaults are more than
sufficient for the overwhelming majority of FreeBSD users. As has
already been pointed out to you, the key can easily be changed after the
system has booted for the first time.
Knobs in rc.d should be for things that users are likely to need to
configure, and/or need to be run often. Host key generation happens
exactly one time in the life of a system, so this is neither.
... and yes, I stay very up to date on current discussions of
cryptographic topics, including RSA key lengths. If you can point to a
realistic threat model that would allow a 2048 bit key to be compromised
where a larger RSA key would not, it would be worthwhile to have a
discussion about changing the defaults. But it still wouldn't belong in
rc.d.
hope this helps,
Doug
--
This .signature sanitized for your protection
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?4FE79036.2020503>