Date:      Sun, 24 Jun 2012 13:14:02 -0400
From:      Robert Simmons <rsimmons0@gmail.com>
To:        freebsd-security@freebsd.org
Subject:   Re: Add rc.conf variables to control host key length
Message-ID:  <CA%2BQLa9DxE5D5ZeQ6M-FQGRySCGytQ=Qn2ZyNMYuCfSLGV1gdQw@mail.gmail.com>
In-Reply-To: <4828EFCC-E60A-4961-9228-4A1ADAD28F73@lists.zabbadoz.net>
References:  <CA%2BQLa9CX26xEwRsz3g6FvBBbbFE0Gfw%2BUR6_RHYOXgZFcgCw5w@mail.gmail.com> <4828EFCC-E60A-4961-9228-4A1ADAD28F73@lists.zabbadoz.net>


[-- Attachment #1 --]
On Sun, Jun 24, 2012 at 12:34 PM, Bjoern A. Zeeb
<bzeeb-lists@lists.zabbadoz.net> wrote:
> On 24. Jun 2012, at 16:07 , Robert Simmons wrote:
>> Here is a set of patches that add functionality to rc.conf allowing
>> users an easy way to control the length of the host keys used with ssh
>> (specifically RSA and ECDSA used with protocol version 2).
>
> Created for, not used with -- right?

Yes, created for.  I have updated the patch to reflect this and
attached the new patch.  Good eye, thanks.

> The used with is controlled in sshd_config and if the key is not there
> but it's enabled in sshd_config you'll get a warning on boot which is
> very annoying.

No.  Actually, "used with" is not controlled in sshd_config.  Only the
path to the key files is controlled by that config.
The sshd_flags variable in rc.conf is what controls "used with".  For
example, on my installs, I only want to use the ECDSA key and not
present any other protocol v2 keys to clients, thereby restricting it
to ECDSA.  The only way to go about this is to set the following:
sshd_flags="-h /etc/ssh/ssh_host_ecdsa_key"
Take a look at sshd(8), specifically the -h option for clarification.

>> I would like to also discuss the merits of changing FreeBSD's default
>> behavior to using 4096 bit RSA keys and 521 bit ECDSA keys.
>>
>> I have refrained from changing FreeBSD's default behavior in these
>> patches and stuck to just adding configurability.
>
> Do we differ from what the OpenSSH defaults are?

No, we don't differ from OpenSSH defaults in regards to key sizes.

[-- Attachment #2 --]
--- src/share/man/man5/rc.conf.5.old	2012-06-24 11:26:30.367361969 -0400
+++ src/share/man/man5/rc.conf.5	2012-06-24 13:10:49.747239074 -0400
@@ -3664,6 +3664,32 @@
 these are the flags to pass to the
 .Xr sshd 8
 daemon.
+.It Va rsa_keysize_flag
+.Pq Vt str
+If
+.Va sshd_enable
+is set to
+.Dq Li YES ,
+this is the flag to pass to
+.Xr ssh-keygen 1
+that specifies the number of bits to create in the RSA host key generated for
+ssh protocol version 2.
+The minimum size is 768 bits, and the default is 2048 bits.
+Generally, 2048 bits is considered sufficient, but the maximum is 4096 bits.
+Leaving this empty will set the size to default.
+.It Va ecdsa_keysize_flag
+.Pq Vt str
+If
+.Va sshd_enable
+is set to
+.Dq Li YES ,
+this is the flag to pass to
+.Xr ssh-keygen 1
+that determines the key length by selecting from one of three elliptic curve
+sizes used to create the ECDSA key generated for ssh protocol version 2.
+The three choices are 256, 384, and 521 bits with 256 bits being the default.
+Attempting to use bit lengths other than these three values will fail.
+Leaving this empty will set the size to default.
 .It Va ftpd_program
 .Pq Vt str
 Path to the FTP server program
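Review bot: In both new entries (.It Va rsa_keysize_flag and .It Va ecdsa_keysize_flag) the text calls the value "the flag to pass to ssh-keygen" and then describes it as a number of bits, so a reader cannot tell whether to set the whole option string or only the bit count. State the expected form explicitly and give one example value for each variable. In the ECDSA entry, "will fail" should say what fails and what the administrator will see when it does. Both variables are gated on sshd_enable but do not carry an sshd_ prefix, so consider renaming them to match.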
