Date: Tue, 24 Sep 2024 18:41:00 +0000 From: Colin Percival <cperciva@tarsnap.com> To: freebsd-arch@freebsd.org Cc: Li-Wen Hsu <lwhsu@freebsd.org>, Ronald Klop <ronald@FreeBSD.org> Subject: Deprecating RSA ssh host keys in 16 Message-ID: <0100019225563885-e7f0aed8-cff8-4247-8bcd-861aed3e5cc7-000000@email.amazonses.com>
next in thread | raw e-mail | index | archive | help
Hi all, Last week I turned off RSA host key generation for SSH in EC2 instances, because (a) modern SSH clients support ecdsa and ed25519 keys, and (b) generating RSA host keys was taking over 10% of the boot time when EC2 instances booted for the first time. I don't think we should turn off RSA host key generation in general in 15.x since for non-VM/cloud images the first boot time is less relevant (if you're installing from an ISO image, the installer will take far longer than the host key generation) but I think it would make sense to deprecate RSA host keys in 15 and then turn them off by default in 16. I'm not sure if there's any good way to announce the deprecation beyond putting it into the release notes; we could print a warning in 15 when RSA host keys are generated, but that will always fire regardless of whether they're being *used* and I don't think there's any practical way to warn specifically when RSA host keys are *used*. So unless I'm missing something, the deprecation would just take the form of a few lines in the release notes. Thoughts? Colin Percival
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?0100019225563885-e7f0aed8-cff8-4247-8bcd-861aed3e5cc7-000000>