Add rc.conf variables to control host key length

Doug Barton dougb at
Sun Jun 24 22:09:59 UTC 2012

On 06/24/2012 09:07, Robert Simmons wrote:
> Here is a set of patches that add functionality to rc.conf allowing
> users an easy way to control the length of the host keys used with ssh

Sorry, this doesn't belong in rc.d. The defaults are more than
sufficient for the overwhelming majority of FreeBSD users. As has
already been pointed out to you, the key can easily be changed after the
system has booted for the first time.

Knobs in rc.d should be for things that users are likely to need to
configure, and/or need to be run often. Host key generation happens
exactly one time in the life of a system, so this is neither.

... and yes, I stay very up to date on current discussions of
cryptographic topics, including RSA key lengths. If you can point to a
realistic threat model that would allow a 2048 bit key to be compromised
where a larger RSA key would not, it would be worthwhile to have a
discussion about changing the defaults. But it still wouldn't belong in

hope this helps,
    This .signature sanitized for your protection
