List-Id: Discussion related to FreeBSD architecture
List-Archive: https://lists.freebsd.org/archives/freebsd-arch
From: Ed Maste
Date: Fri, 27 Sep 2024 13:21:30 -0400
Subject: Re: Deprecating RSA ssh host keys in 16
To: Colin Percival
Cc: freebsd-arch@freebsd.org, Li-Wen Hsu, Ronald Klop
In-Reply-To: <0100019225563885-e7f0aed8-cff8-4247-8bcd-861aed3e5cc7-000000@email.amazonses.com>

On Tue, 24 Sept 2024 at 14:41, Colin Percival wrote:
>
> I don't think we should turn off RSA host key generation in general in
> 15.x since for non-VM/cloud images the first boot time is less relevant
> (if you're installing from an ISO image, the installer will take far
> longer than the host key generation) but I think it would make sense to
> deprecate RSA host keys in 15 and then turn them off by default in 16.

This might be overly conservative, and users who need RSA host keys can
trivially enable them. I'm also not fond of having different behaviour in
a cloud environment vs when using the installer -- imagine a user with an
old ssh client that has trouble connecting to FreeBSD servers, but only
those hosted on EC2.
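A diagnostic in the spirit of the "old ssh client" concern above, added here as an example and not part of Ed's or Colin's messages: it parses the output of `ssh-keyscan` (the two sample outputs are constructed, with placeholder key material) to list which host key types a server actually offers, and reports whether an RSA host key is among them. The `sshd_rsa_enable` rc.conf knob it prints is the one FreeBSD's /etc/rc.d/sshd honours for RSA host key generation; confirm the default in the rc.d script of the release you run, since that default is exactly what the thread proposes to change.

```shell
#!/bin/sh
# Added example, not from the thread. Tells an admin whether a FreeBSD
# server still offers an RSA host key, which is what an old client that
# only speaks ssh-rsa would need.

# Constructed sample of `ssh-keyscan -t rsa,ecdsa,ed25519 host` output for a
# server with RSA host keys disabled. Key blobs are fake placeholders.
SAMPLE_KEYSCAN='# host:22 SSH-2.0-OpenSSH_9.7 FreeBSD-20240806
host ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERPLACEHOLDERPLACEHOLDER
host ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBPLACEHOLDER'

# Constructed sample for a server that still generates an RSA host key.
SAMPLE_KEYSCAN_WITH_RSA='# host:22 SSH-2.0-OpenSSH_9.7 FreeBSD-20240806
host ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERPLACEHOLDERPLACEHOLDER
host ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQPLACEHOLDERPLACEHOLDERPLACEHOLDER
host ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBPLACEHOLDER'

# Print the host key types found in keyscan output, one per line, sorted.
# Comment lines ("# host:22 ...") are skipped; the type is the second field.
host_key_types() {
    printf '%s\n' "$1" | awk '!/^#/ && NF >= 3 { print $2 }' | sort -u
}

# Return 0 if an RSA host key (type "ssh-rsa") is offered, 1 otherwise.
offers_rsa() {
    host_key_types "$1" | grep -qx 'ssh-rsa'
}

# rc.conf line that turns RSA host key generation on for rc.d/sshd;
# the key file is created at the next sshd start if it is missing.
rsa_rcconf_line() {
    printf 'sshd_rsa_enable="YES"\n'
}

# Human-readable report for one keyscan capture.
report() {
    echo "host key types offered:"
    host_key_types "$1" | sed 's/^/  /'
    if offers_rsa "$1"; then
        echo "RSA host key: offered"
    else
        echo "RSA host key: not offered; to re-enable, add to /etc/rc.conf:"
        echo "  $(rsa_rcconf_line)"
    fi
}

# Against a live server you would feed it real output, e.g.:
#   report "$(ssh-keyscan -t rsa,ecdsa,ed25519 server.example 2>/dev/null)"
report "$SAMPLE_KEYSCAN"
echo
report "$SAMPLE_KEYSCAN_WITH_RSA"
```

On the client side the symptom to match against this report is a "no matching host key type found" failure; the fix on a modern client is to stop pinning RSA, and the fix on the server is the rc.conf line above followed by a restart of sshd.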