Add rc.conf variables to control host key length
J. Hellenthal
jhellenthal at dataix.net
Sun Jun 24 18:15:47 UTC 2012
On Sun, Jun 24, 2012 at 01:26:21PM -0400, Robert Simmons wrote:
> On Sun, Jun 24, 2012 at 12:59 PM, J. Hellenthal <jhellenthal at dataix.net> wrote:
> > These are more then sufficient for any normal ssh use.
>
> I'm sorry if I sound rude, but I wanted to have a bit more of a
> substantive discussion than quoting the man pages. Especially since
> what you are quoting dates back to a change to
> src/crypto/openssh/ssh-keygen.1 dated the following:
> Sun Sep 11 16:50:35 2005 UTC (6 years, 9 months ago) by des
>
> Being that the old "considered sufficient" of 1024 was added at the
> following revision date:
> Thu Feb 24 14:29:46 2000 UTC (12 years, 4 months ago) by markm
>
There is nothing stopping you from changing a key after the system has
booted e.g. by using the rc script itself if you feel it is not
sufficient.
Given OpenBSD is usually always on the far safe side of things taking
the security approach before simplicity I would extremely agree that it
is more than sufficient.
But then again what is good for the masses it not always good enough for
the security paranoid and giving credit to such is what keeps everyone
safe.
( /usr/local/etc/rc.d/openssh keygen ) # regenerate your keys
Which should generate a new set of keys, keeping you safe for another X
amount of years.
- or -
ssh-keygen -f rsa -b [NNNN] -f /usr/local/etc/ssh/ssh_host_rsa_key
But the intitial key being the default? its sufficient to get you in and
started on a remote system.
> I would say that we are exactly due for a real discussion as to what
> should be considered sufficient with regards to modern processors and
> GPUs.
Unfortunately I see that as a different thread "Hardware potential to
duplicate existing host keys... RSA DSA ECDSA"
--
- (2^(N-1))
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 455 bytes
Desc: not available
Url : http://lists.freebsd.org/pipermail/freebsd-security/attachments/20120624/629ee633/attachment.pgp
More information about the freebsd-security
mailing list