Re: Deprecating RSA ssh host keys in 16
- Reply: Dag-Erling_Smørgrav : "Re: Deprecating RSA ssh host keys in 16"
- In reply to: Shawn Webb : "Re: Deprecating RSA ssh host keys in 16"
Date: Wed, 25 Sep 2024 15:19:15 UTC
On 9/24/24 12:16, Shawn Webb wrote:
> On Tue, Sep 24, 2024 at 06:41:00PM UTC, Colin Percival wrote:
>> I don't think we should turn off RSA host key generation in general in
>> 15.x since for non-VM/cloud images the first boot time is less relevant
>> (if you're installing from an ISO image, the installer will take far
>> longer than the host key generation) but I think it would make sense to
>> deprecate RSA host keys in 15 and then turn them off by default in 16.
>> [...]
>
> With commit e3f33c64ec168a48038309af0c237eda86d10c74[1], introduced on
> 14 Nov 2024, HardenedBSD has disabled the generation of RSA host keys
> by default.
>
> We haven't seen any reports of any breakage. While the change might be
> considered a POLA violation, it seems pretty harmless on today's
> 15-CURRENT systems.
>
> We have a number of 15-CURRENT users, though we don't have any hard
> data, and likely pales in comparison to the FreeBSD side--enough so
> that the sample is too small to be a significant or reliable data
> point.

It's still a very helpful data point! I've also had one response from someone
with old IoT systems which only understand RSA host keys, so I think my
proposed timeline of "warn people now that it will be disabled by default
in 16" is the way to go.

Colin Percival
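The practical question behind this thread is which hosts (and which clients talking to them) are affected when RSA host keys stop being generated by default. The script below is an added example, not code from this thread, FreeBSD or HardenedBSD. It parses `ssh-keyscan` output to list the host key types each server offers, then flags hosts that offer only RSA (which ed25519-only clients cannot verify) and hosts that offer no RSA key at all (which the RSA-only IoT clients mentioned above cannot verify). The scan output is a constructed sample with hypothetical host names so it runs offline; in real use pipe `ssh-keyscan -t rsa,ecdsa,ed25519 host...` into `hostkey_types`. The rc.conf knob `sshd_rsa_enable="no"`, which to my understanding is how an individual FreeBSD host turns off RSA host key generation today, is mentioned only as an assumption and is not exercised here.

```shell
#!/bin/sh
# Added example (not from the thread): audit which host key types sshd offers
# on each host, to find the hosts that care about the RSA default changing.
# Real usage:  ssh-keyscan -t rsa,ecdsa,ed25519 host1 host2 | hostkey_types
# Per-host opt-out (assumption, see rc.conf(5)):  sshd_rsa_enable="no"

# hostkey_types: read ssh-keyscan output on stdin and print one line per host:
#   "<host> <comma-separated key types in the order the server offered them>"
hostkey_types() {
    awk '
        /^#/ || NF < 3 { next }            # skip "# host:22 SSH-2.0-..." comments
        {
            t = $2
            sub(/^ssh-/, "", t)            # ssh-rsa -> rsa, ssh-ed25519 -> ed25519
            sub(/^ecdsa-sha2-.*/, "ecdsa", t)   # ecdsa-sha2-nistp256 -> ecdsa
            types[$1] = (types[$1] == "" ? t : types[$1] "," t)
        }
        END { for (h in types) print h, types[h] }
    ' | sort
}

# rsa_only_hosts: from hostkey_types output, hosts offering nothing but RSA.
# Clients configured for ed25519-only host keys cannot verify these.
rsa_only_hosts() {
    awk '$2 == "rsa" { print $1 }'
}

# no_rsa_hosts: from hostkey_types output, hosts with no RSA host key at all.
# This is what a "no RSA by default" install looks like to a legacy client
# that only understands ssh-rsa host keys: the connection cannot be verified.
no_rsa_hosts() {
    awk 'index("," $2 ",", ",rsa,") == 0 { print $1 }'
}

# Constructed sample of ssh-keyscan output for three hypothetical hosts.
# The key blobs are placeholders, not real keys.
SAMPLE_SCAN='# legacy-cam:22 SSH-2.0-dropbear
legacy-cam ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQC+constructed
# newbox:22 SSH-2.0-OpenSSH_9.8
newbox ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYconstructed
newbox ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIconstructed
# mixed:22 SSH-2.0-OpenSSH_9.8
mixed ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQC+constructed
mixed ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIconstructed'

# Stand-alone run: summary table, then the two problem lists.
printf '%s\n' "$SAMPLE_SCAN" | hostkey_types
printf 'RSA-only hosts:\n'; printf '%s\n' "$SAMPLE_SCAN" | hostkey_types | rsa_only_hosts
printf 'Hosts without RSA:\n'; printf '%s\n' "$SAMPLE_SCAN" | hostkey_types | no_rsa_hosts
```

Running the audit against a fleet before the default flips gives the list of servers whose existing RSA keys you would want to keep (or whose clients need upgrading) rather than discovering the breakage after the first boot of a new image.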