Re: git: 0aabcd75dbc2 - main - EC2: Disable RSA host key generation for sshd

From: Ronald Klop <ronald_at_FreeBSD.org>
Date: Tue, 24 Sep 2024 10:09:03 UTC
On 18-09-2024 at 08:48, Colin Percival wrote:
> The branch main has been updated by cperciva:
> 
> URL: https://cgit.FreeBSD.org/src/commit/?id=0aabcd75dbc2457be65e3c3c46948761ac5e50ed
> 
> commit 0aabcd75dbc2457be65e3c3c46948761ac5e50ed
> Author:     Colin Percival <cperciva@FreeBSD.org>
> AuthorDate: 2024-09-11 05:00:07 +0000
> Commit:     Colin Percival <cperciva@FreeBSD.org>
> CommitDate: 2024-09-18 06:47:58 +0000
> 
>      EC2: Disable RSA host key generation for sshd
>      
>      These are largely obsolete, and generating them is responsible for
>      over 10% of the total boot time of EC2 instances.
>      


Wouldn't it be a good idea to disable this in general in 15-CURRENT? It wouldn't affect existing installations.

Regards,
Ronald.




>      Sponsored by:   Amazon
>      Differential Revision:  https://reviews.freebsd.org/D46638
> ---
>   release/tools/ec2.conf | 3 +++
>   1 file changed, 3 insertions(+)
> 
> diff --git a/release/tools/ec2.conf b/release/tools/ec2.conf
> index 2cca5fa713af..34434f86a0b1 100644
> --- a/release/tools/ec2.conf
> +++ b/release/tools/ec2.conf
> @@ -71,6 +71,9 @@ ec2_common() {
>   		's/^#KbdInteractiveAuthentication yes/KbdInteractiveAuthentication no/' \
>   		${DESTDIR}/etc/ssh/sshd_config
>   
> +	# RSA host keys are obsolete and also very slow to generate
> +	echo 'sshd_rsa_enable="NO"' >> ${DESTDIR}/etc/rc.conf
> +
>   	# Use FreeBSD Update mirrors hosted in AWS
>   	sed -i '' -e 's/update.FreeBSD.org/aws.update.FreeBSD.org/' \
>   		${DESTDIR}/etc/freebsd-update.conf
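Review bot: the comment on the added line, "RSA host keys are obsolete", overstates the case and should be reworded: what OpenSSH deprecated is the SHA-1 based ssh-rsa signature scheme, whereas RSA host keys used with rsa-sha2-256/rsa-sha2-512 are still accepted by current clients. The defensible rationale is the one the commit message gives (generation costs over 10% of EC2 boot time), so the comment could read something like "RSA host keys are very slow to generate and current clients prefer ed25519/ecdsa; leave those enabled", which also tells a reader of ec2.conf that sshd still ends up with a host key. As a minor style point, `sysrc -R ${DESTDIR} sshd_rsa_enable=NO` would set the knob idempotently instead of appending a raw line with `echo >>`, though appending is harmless in a one-shot image build.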
>
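The knob the commit sets is one of the per-algorithm `sshd_<alg>_enable` variables that FreeBSD's rc.d/sshd consults before generating host keys at first boot. The following is an added example, not code from the commit or from FreeBSD's rc scripts: it reads an rc.conf fragment and reports which host key types would still be generated, and it flags the failure mode of turning off every type, which would leave sshd with no host key at all. It assumes the three knob names `sshd_rsa_enable`, `sshd_ecdsa_enable` and `sshd_ed25519_enable` with a default of YES, and it deliberately parses the file with sed instead of sourcing it so an untrusted fragment cannot run commands.

```shell
#!/bin/sh
# Added example: mirror the decision rc.d/sshd makes from rc.conf for host
# key generation. Not part of the commit or of FreeBSD's rc.d/sshd.

# Host key types assumed to be known to rc.d/sshd (assumption of this example).
HOSTKEY_ALGS="rsa ecdsa ed25519"

# checkyesno-style test: the spellings rc.subr(8) treats as "on".
is_yes() {
    case "$1" in
        [Yy][Ee][Ss]|[Tt][Rr][Uu][Ee]|[Oo][Nn]|1) return 0 ;;
        *) return 1 ;;
    esac
}

# enabled_hostkey_algs FILE: print, space separated, the key types whose
# sshd_<alg>_enable is not switched off in FILE. Missing knob => YES, as in
# /etc/defaults/rc.conf. The file is parsed, never sourced.
enabled_hostkey_algs() {
    file=$1
    out=""
    for alg in $HOSTKEY_ALGS; do
        # last assignment wins, like sourcing rc.conf would
        val=$(sed -n "s/^[[:space:]]*sshd_${alg}_enable=[\"']\{0,1\}\([^\"']*\).*/\1/p" "$file" | tail -n 1)
        [ -z "$val" ] && val=YES
        if is_yes "$val"; then
            out="$out $alg"
        fi
    done
    echo "${out# }"
}

# sshd_would_have_hostkey FILE: succeed only if at least one key type is
# still enabled; sshd cannot start with no host key.
sshd_would_have_hostkey() {
    [ -n "$(enabled_hostkey_algs "$1")" ]
}

# Constructed rc.conf fragments: a stock install, the EC2 image after the
# commit, and a misconfiguration that disables everything.
tmpdir=$(mktemp -d)
printf 'sshd_enable="YES"\n' > "$tmpdir/stock.conf"
printf 'sshd_enable="YES"\nsshd_rsa_enable="NO"\n' > "$tmpdir/ec2.conf"
printf 'sshd_rsa_enable="NO"\nsshd_ecdsa_enable="NO"\nsshd_ed25519_enable="NO"\n' > "$tmpdir/none.conf"

for f in stock ec2 none; do
    if sshd_would_have_hostkey "$tmpdir/$f.conf"; then
        echo "$f: would generate: $(enabled_hostkey_algs "$tmpdir/$f.conf")"
    else
        echo "$f: WARNING: every host key type disabled, sshd would have no host key"
    fi
done
rm -rf "$tmpdir"
```

Run it against a real `/etc/rc.conf` to see which key types a fresh boot would create; on a host where the check fails, re-enable at least `sshd_ed25519_enable` before rebooting.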