From owner-freebsd-security@FreeBSD.ORG Mon Jun 25 01:46:06 2012 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id A782A1065679 for ; Mon, 25 Jun 2012 01:46:06 +0000 (UTC) (envelope-from bzeeb-lists@lists.zabbadoz.net) Received: from mx1.sbone.de (mx1.sbone.de [IPv6:2a01:4f8:130:3ffc::401:25]) by mx1.freebsd.org (Postfix) with ESMTP id 2EF388FC14 for ; Mon, 25 Jun 2012 01:46:06 +0000 (UTC) Received: from mail.sbone.de (mail.sbone.de [IPv6:fde9:577b:c1a9:31::2013:587]) (using TLSv1 with cipher ADH-CAMELLIA256-SHA (256/256 bits)) (No client certificate requested) by mx1.sbone.de (Postfix) with ESMTPS id 4287E25D3A90; Mon, 25 Jun 2012 01:46:05 +0000 (UTC) Received: from content-filter.sbone.de (content-filter.sbone.de [IPv6:fde9:577b:c1a9:31::2013:2742]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by mail.sbone.de (Postfix) with ESMTPS id 78C15BE8505; Mon, 25 Jun 2012 01:46:04 +0000 (UTC) X-Virus-Scanned: amavisd-new at sbone.de Received: from mail.sbone.de ([IPv6:fde9:577b:c1a9:31::2013:587]) by content-filter.sbone.de (content-filter.sbone.de [fde9:577b:c1a9:31::2013:2742]) (amavisd-new, port 10024) with ESMTP id xZwS1BgZ_o6H; Mon, 25 Jun 2012 01:46:02 +0000 (UTC) Received: from orange-en1.sbone.de (orange-en1.sbone.de [IPv6:fde9:577b:c1a9:31:cabc:c8ff:fecf:e8e3]) (using TLSv1 with cipher AES128-SHA (128/128 bits)) (No client certificate requested) by mail.sbone.de (Postfix) with ESMTPSA id D5133BE8506; Mon, 25 Jun 2012 01:46:02 +0000 (UTC) Mime-Version: 1.0 (Apple Message framework v1084) Content-Type: text/plain; charset=us-ascii From: "Bjoern A. Zeeb" In-Reply-To: Date: Mon, 25 Jun 2012 01:46:02 +0000 Content-Transfer-Encoding: 7bit Message-Id: <90EAF0C3-C676-4C20-A981-86FC88BAC29D@lists.zabbadoz.net> References: <4828EFCC-E60A-4961-9228-4A1ADAD28F73@lists.zabbadoz.net> To: Robert Simmons X-Mailer: Apple Mail (2.1084) Cc: freebsd-security@freebsd.org Subject: Re: Add rc.conf variables to control host key length X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 25 Jun 2012 01:46:06 -0000 On 24. Jun 2012, at 17:14 , Robert Simmons wrote: > On Sun, Jun 24, 2012 at 12:34 PM, Bjoern A. Zeeb > wrote: >> On 24. Jun 2012, at 16:07 , Robert Simmons wrote: >>> Here is a set of patches that add functionality to rc.conf allowing >>> users an easy way to control the length of the host keys used with ssh >>> (specifically RSA and ECDSA used with protocol version 2). >> >> Created for, not used with -- right? > > Yes, created for. I have updated the patch to reflect this and > attached the new patch. Good eye, thanks. > >> The used with is controlled in sshd_config and if the key is not there >> but it's enabled in sshd_config you'll get a warning on boot which is >> very annoying. > > No. Actually, "used with" is not controlled in sshd_config. Only the > path to the key files is controlled by that config. > The sshd_flags variable in rc.conf is what controls "used with". For > example, on my installs, I only want to use the ECDSA key and not > present any other protocol v2 keys to clients, thereby restricting it > to ECDSA. The only way to go about this is to set the following: > sshd_flags="-h /etc/ssh/ssh_host_ecdsa_key" > Take a look at sshd(8), specifically the -h option for clarification. Aha, multiple options to accomplish the same thing. HostKey /etc/ssh/ssh_host_ecdsa_key in sshd_config should accomplish the same, shouldn't it? I'd really prefer that to a command line option. /bz -- Bjoern A. Zeeb You have to have visions! It does not matter how good you are. It matters what good you do!