Add rc.conf variables to control host key length
Robert Simmons
rsimmons0 at gmail.com
Sun Jun 24 17:14:09 UTC 2012
On Sun, Jun 24, 2012 at 12:34 PM, Bjoern A. Zeeb
<bzeeb-lists at lists.zabbadoz.net> wrote:
> On 24. Jun 2012, at 16:07 , Robert Simmons wrote:
>> Here is a set of patches that add functionality to rc.conf allowing
>> users an easy way to control the length of the host keys used with ssh
>> (specifically RSA and ECDSA used with protocol version 2).
>
> Created for, not used with -- right?
Yes, created for. I have updated the patch to reflect this and
attached the new patch. Good eye, thanks.
> The used with is controlled in sshd_config and if the key is not there
> but it's enabled in sshd_config you'll get a warning on boot which is
> very annoying.
No. Actually, "used with" is not controlled in sshd_config. Only the
path to the key files is controlled by that config.
The sshd_flags variable in rc.conf is what controls "used with". For
example, on my installs, I only want to use the ECDSA key and not
present any other protocol v2 keys to clients, thereby restricting it
to ECDSA. The only way to go about this is to set the following:
sshd_flags="-h /etc/ssh/ssh_host_ecdsa_key"
Take a look at sshd(8), specifically the -h option for clarification.
>> I would like to also discuss the merits of changing FreeBSD's default
>> behavior to using 4096 bit RSA keys and 521 bit ECDSA keys.
>>
>> I have refrained from changing FreeBSD's default behavior in these
>> patches and stuck to just adding configurability.
>
> Do we differ from what the OpenSSH defaults are?
No, we don't differ from OpenSSH defaults in regards to key sizes.
[Attachment: rc.conf.5.diff, application/octet-stream, 1194 bytes: http://lists.freebsd.org/pipermail/freebsd-security/attachments/20120624/d0c98e21/rc.conf.5.obj]
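An added example, not part of this thread or the attached patch: a small POSIX sh helper that reads an rc.conf, lists the host keys sshd will present according to the -h options in sshd_flags (the mechanism described in the message above), and reports any listed key that is absent on disk, which is what triggers the boot-time warning mentioned in the thread. The sample rc.conf content is constructed; the helper assumes sshd_flags is a single-line assignment.

```shell
#!/bin/sh
# Added example (not from the thread or the attached patch).
# Assumption: rc.conf contains a one-line sshd_flags="..." assignment
# with no trailing comment on that line.

# Print the value of sshd_flags from the given rc.conf, quotes stripped
# (empty output if the variable is not set).
rc_sshd_flags() {
    sed -n 's/^[[:space:]]*sshd_flags=//p' "$1" | tail -n 1 \
        | sed 's/^["'"'"']//; s/["'"'"'][[:space:]]*$//'
}

# Print one path per line for every -h option in sshd_flags, i.e. the
# host key files sshd will offer. Handles both "-h path" and "-hpath".
# With no -h at all, sshd falls back to sshd_config/built-in defaults,
# so nothing is printed here.
rc_host_keys() {
    prev=""
    for word in $(rc_sshd_flags "$1"); do
        if [ "$prev" = "-h" ]; then
            printf '%s\n' "$word"
        else
            case "$word" in
                -h?*) printf '%s\n' "${word#-h}" ;;
            esac
        fi
        prev=$word
    done
}

# Print the subset of those keys that do not exist on disk: these are
# the ones that would produce the warning at boot.
rc_missing_host_keys() {
    rc_host_keys "$1" | while IFS= read -r key; do
        [ -f "$key" ] || printf '%s\n' "$key"
    done
}

# Constructed sample rc.conf, restricting sshd to the ECDSA key only,
# as in the message above.
sample_rc_conf() {
    cat <<'EOF'
sshd_enable="YES"
sshd_flags="-h /etc/ssh/ssh_host_ecdsa_key"
EOF
}
```

Feed the listed paths to `ssh-keygen -l -f <path>` to confirm each key's type and bit length once it exists.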