Date: Tue, 8 Oct 2024 00:36:45 +0000
List-Id: Discussion related to FreeBSD architecture
List-Archive: https://lists.freebsd.org/archives/freebsd-arch
Subject: Re: Deprecating RSA ssh host keys in 16
From: Colin Percival
To: Ed Maste
Cc: freebsd-arch@freebsd.org, Li-Wen Hsu, Ronald Klop

On 10/7/24 10:39, Ed Maste wrote:
> On Fri, 27 Sept 2024 at 13:43, Colin Percival wrote:
>> Wearing my EC2 maintainer hat: *In cloud environments* this is important
>> enough to diverge from normal practice; but the first-boot-key-generation
>> time is not relevant outside of clouds.
>
> We should probably make the same change to GCE, Azure, and Oracle
> cloud images too, no?

Probably yes. I was waiting a few weeks to make sure this didn't cause any
problems in EC2 before I suggested making the change elsewhere.

(Also, I have a policy of not touching non-EC2 cloud code simply because I
have lots of Amazon NDAs and don't want to accidentally leak something. But
there are other developers who can make this change.)

Colin Percival