From: Colin Percival
Date: Tue, 24 Sep 2024 18:41:00 +0000
To: freebsd-arch@freebsd.org
Cc: Li-Wen Hsu, Ronald Klop
Subject: Deprecating RSA ssh host keys in 16
List-Id: Discussion related to FreeBSD architecture
List-Archive: https://lists.freebsd.org/archives/freebsd-arch
Message-ID: <0100019225563885-e7f0aed8-cff8-4247-8bcd-861aed3e5cc7-000000@email.amazonses.com>
Hi all,

Last week I turned off RSA host key generation for SSH in EC2 instances, because (a) modern SSH clients support ecdsa and ed25519 keys, and (b) generating RSA host keys was taking over 10% of the boot time when EC2 instances booted for the first time.

I don't think we should turn off RSA host key generation in general in 15.x, since for non-VM/cloud images the first boot time is less relevant (if you're installing from an ISO image, the installer will take far longer than the host key generation), but I think it would make sense to deprecate RSA host keys in 15 and then turn them off by default in 16.

I'm not sure if there's any good way to announce the deprecation beyond putting it into the release notes; we could print a warning in 15 when RSA host keys are generated, but that will always fire regardless of whether they're being *used*, and I don't think there's any practical way to warn specifically when RSA host keys are *used*. So unless I'm missing something, the deprecation would just take the form of a few lines in the release notes.

Thoughts?

Colin Percival
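One practical check on the client side of the problem raised in the mail (not knowing where RSA host keys are actually relied upon): the hosts pinned in a known_hosts file by an ssh-rsa key alone are the ones that will need re-pinning before those servers stop generating RSA host keys. The script below is an added example, not part of Colin's mail or of FreeBSD's rc scripts; it assumes the OpenSSH known_hosts line format (optional @marker, comma-separated host list or a |1|salt|hash hashed host, key type, base64 key, optional comment) and uses a constructed sample file with fake key material.

```shell
#!/bin/sh
# Added example (not from the original mail): report hosts in a known_hosts
# file that are pinned only by an ssh-rsa host key. Assumes OpenSSH
# known_hosts format; hashed entries (|1|salt|hash) are reported by their
# hash token because the hostname cannot be recovered from it.

# rsa_only_hosts [FILE]: print one line per host whose only pinned key type
# is ssh-rsa. Defaults to the calling user's known_hosts.
rsa_only_hosts() {
  awk '
    /^[ \t]*#/ || /^[ \t]*$/ { next }   # comments and blank lines
    $1 ~ /^@/ { next }                   # @cert-authority / @revoked markers are not pinned host keys
    {
      hosts = $1; type = $2
      n = split(hosts, h, ",")           # "host,ip" lists share one key line
      for (j = 1; j <= n; j++) {
        seen[h[j]] = 1
        if (type == "ssh-rsa") rsa[h[j]]++
        else other[h[j]]++               # ed25519, ecdsa, certificate types, ...
      }
    }
    END {
      for (host in seen)
        if (rsa[host] && !other[host]) print host
    }
  ' "${1:-$HOME/.ssh/known_hosts}" | LC_ALL=C sort
}

# Constructed sample known_hosts; the key blobs are fake placeholders.
SAMPLE_KNOWN_HOSTS=$(cat <<'EOF'
# legacy server: RSA only -> needs re-pinning
legacy.example.org,192.0.2.10 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDFAKE1
# mixed server: RSA and ed25519 both pinned -> fine
[mixed.example.org]:2222 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDFAKE2
[mixed.example.org]:2222 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFAKE3
# modern server: ed25519 only -> fine
modern.example.org ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFAKE4
# hashed entry, RSA only -> reported by hash token
|1|c2FsdA==|aGFzaA== ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDFAKE5
@cert-authority *.example.org ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDFAKE6
EOF
)

# Demo run against the constructed sample.
demo_file=$(mktemp)
printf '%s\n' "$SAMPLE_KNOWN_HOSTS" > "$demo_file"
rsa_only_hosts "$demo_file"
rm -f "$demo_file"
```

Run it as `rsa_only_hosts ~/.ssh/known_hosts` (the default when no file is given) on the clients that matter, or point it at a fleet's collected known_hosts files. On the server side there is no equivalent audit: sshd only reports the negotiated host key algorithm ("kex: host key algorithm: ...") at debug log levels, which is the gap the mail describes when it says there is no practical way to warn only when RSA host keys are used.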