Date:      Wed, 25 Sep 2024 20:42:49 +0000
From:      Colin Percival <cperciva@tarsnap.com>
To:        Xin LI <delphij@gmail.com>,  Dag-Erling Smørgrav <des@freebsd.org>
Cc:        Shawn Webb <shawn.webb@hardenedbsd.org>, freebsd-arch@freebsd.org,  Li-Wen Hsu <lwhsu@freebsd.org>, Ronald Klop <ronald@freebsd.org>
Subject:   Re: Deprecating RSA ssh host keys in 16
Message-ID:  <010001922aec1a6b-133cecdd-1d83-43eb-aa46-a0eb25252ccd-000000@email.amazonses.com>
In-Reply-To: <CAGMYy3tzguXxQ_58YjOMju7xwUS=msLmW8_DajyfpnUatsq1=Q@mail.gmail.com>
References:  <0100019225563885-e7f0aed8-cff8-4247-8bcd-861aed3e5cc7-000000@email.amazonses.com> <wzyhp2k7fyvg6qxrkrs32uweiuijpv7f6sjjt2yuonob7py3gj@7f7xdqj72erk> <0100019229c3e0d7-fd2e827b-6647-41a1-bc89-39367954f98c-000000@email.amazonses.com> <868qvfy7bt.fsf@ltc.des.dev> <CAGMYy3tzguXxQ_58YjOMju7xwUS=msLmW8_DajyfpnUatsq1=Q@mail.gmail.com>

On 9/25/24 13:07, Xin LI wrote:
> On Wed, Sep 25, 2024 at 10:25 AM Dag-Erling Smørgrav <des@freebsd.org> wrote:
>     Oh, and should we perhaps also disable (non-elliptic) DSA host keys?
> 
> Yes, please remove the generation of DSA host keys (I thought it was removed 
> in 2018 when you imported OpenSSH 7.7, but it turns out it's only removed from 
> sshd_config).

DSA host key generation was disabled in af8ee1391d08c (August 2016).  If you
have DSA host keys I think they will get used, but we don't generate them by
default now.

> For the RSA host key I think deprecating now is fine and we should even remove 
> it from the default sshd_config configuration in 15.  OpenSSH implemented 
> ed25519 support in 6.5 (2014), which is 10 years ago, and ecdsa even earlier 
> than that, and for those who really need it, they can always add it back to 
> sshd_config until upstream has removed the support, which is probably not 
> going to happen anytime soon.

The place which controls key generation is /etc/rc.d/sshd:

: ${sshd_rsa_enable:="yes"}
: ${sshd_dsa_enable:="no"}
: ${sshd_ecdsa_enable:="yes"}
: ${sshd_ed25519_enable:="yes"}

and obviously the key-generation behaviour can be changed in /etc/rc.conf.

Colin Percival
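The knobs quoted above are plain shell defaults, so an /etc/rc.conf override works by being sourced before them. The script below is an added example, not code from this thread or from FreeBSD's /etc/rc.d/sshd: it reproduces the four quoted defaults, shows what an rc.conf override changes, and audits a key directory for the legacy RSA/DSA host keys the message says sshd will still use if they are present. Assumptions of mine: "yes"-ness is judged the way rc.subr's checkyesno does (yes/true/on/1, case-insensitive), host keys are named ssh_host_<type>_key as sshd(8) does, and the sample directory and rc.conf are constructed in a temp dir for the demo.

```shell
#!/bin/sh
# Added example, not from the thread or FreeBSD's /etc/rc.d/sshd.
# Assumptions: checkyesno-style truthiness (yes/true/on/1, any case) and
# sshd(8) key-file naming ssh_host_<type>_key.

KEYTYPES="rsa dsa ecdsa ed25519"

# Usage: enabled_keytypes [rc.conf-file]
# Prints the key types whose sshd_<type>_enable knob is on, one per line.
# Runs in a subshell so neither the sourced file nor the ':=' defaults
# leak into the caller, mirroring rc(8) sourcing /etc/rc.conf first.
enabled_keytypes() {
    (
        if [ -n "$1" ]; then . "$1"; fi
        # Defaults exactly as quoted from /etc/rc.d/sshd.
        : ${sshd_rsa_enable:="yes"}
        : ${sshd_dsa_enable:="no"}
        : ${sshd_ecdsa_enable:="yes"}
        : ${sshd_ed25519_enable:="yes"}
        for t in $KEYTYPES; do
            eval v=\"\$sshd_${t}_enable\"
            case "$v" in
            [Yy][Ee][Ss]|[Tt][Rr][Uu][Ee]|[Oo][Nn]|1) printf '%s\n' "$t" ;;
            esac
        done
    )
}

# Usage: plan_keygen [rc.conf-file] keydir
# Prints the types that would be generated at boot: enabled and not yet
# on disk (an existing key is never overwritten).
plan_keygen() {
    rcfile="$1"; dir="$2"
    for t in $(enabled_keytypes "$rcfile"); do
        [ -f "$dir/ssh_host_${t}_key" ] || printf '%s\n' "$t"
    done
}

# Usage: audit_hostkeys keydir
# Lists host keys present, flagging rsa/dsa as the legacy types under
# discussion. This is the check for the case the message raises: a DSA
# key left over from an old install is still a usable host key even
# though nothing generates one by default any more.
audit_hostkeys() {
    dir="$1"
    for t in $KEYTYPES; do
        [ -f "$dir/ssh_host_${t}_key" ] || continue
        case "$t" in
        rsa|dsa) printf '%s legacy\n' "$t" ;;
        *)       printf '%s ok\n' "$t" ;;
        esac
    done
}

# Constructed demo: a fake key directory with stale dsa and rsa keys and
# an rc.conf that turns RSA generation off (the change the thread proposes).
demo() {
    tmp=$(mktemp -d) || return 1
    : > "$tmp/ssh_host_dsa_key"
    : > "$tmp/ssh_host_rsa_key"
    printf 'sshd_rsa_enable="NO"\n' > "$tmp/rc.conf"
    echo "enabled (defaults):"; enabled_keytypes
    echo "enabled (rc.conf):";  enabled_keytypes "$tmp/rc.conf"
    echo "would generate:";     plan_keygen "$tmp/rc.conf" "$tmp"
    echo "present:";            audit_hostkeys "$tmp"
    rm -rf "$tmp"
}

case "${1:-}" in demo) demo ;; esac
```

Run it with the single argument `demo` to see the constructed scenario, or source it and call `audit_hostkeys /etc/ssh` on a real host; a line ending in `legacy` is a host key that the rc.d knobs no longer control because it already exists.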