Date:      Sat, 8 Aug 2015 00:05:37 -0400
From:      "Chad J. Milios" <milios@ccsys.com>
To:        freebsd-rc@freebsd.org, freebsd-security@freebsd.org, freebsd-questions@freebsd.org
Subject:   Re: [PATCH] Please review this rc.d/sshd tiny yet ripe low hanging fruit for me.
Message-ID:  <218890C8-9306-4CAF-9AEF-35664275B340@ccsys.com>
In-Reply-To: <E646DC70-E759-4680-A655-E3EB00D48489@ccsys.com>
References:  <E646DC70-E759-4680-A655-E3EB00D48489@ccsys.com>

On Aug 7, 2015, at 1:46 PM, Chad J. Milios <milios@ccsys.com> wrote:
> ...I apologize for the list-bombing, if I may have a moment of your time:
> TLDR:
> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=159642&action=diff
> …..
> My Concerns:
> ONE is adding functionality allowing an admin to tweak the key generation sshd makes upon its first run using variables in rc.conf instead of the current day requirement of essentially manually generating those keys, hopefully the same way, putting them hopefully in the right place. (Not hard for most of us, I know.) TWO, then, is adding some sort of red paint to a foot-aimed gun I came across when considering the variable names in rc.d/sshd and lack of mention in defaults/rc.conf or man 5 rc.conf.
> …..

FYI, I have ported the identical functionality now to the security/openssl-portable and security/openssl-portable-devel ports so no one has to miss out. Please would you try one out and now configure your (-b)etter keys in a consistent way in new deployments from now on, or upgrade yours if you are using defaults, and delete existing /etc/ssh/ssh_host_foo_key* files manually if you intend to update them.

Knocking out little fixes like this will keep making things like sysrc more useful and mergemaster even more worthless, bless its tired heart. Help assure this works as intended in many cases with as many ssh options as possible. THANKS

PATCHES: either...

base system:
https://bugs.freebsd.org/bugzilla/attachment.cgi?id=159642&action=diff

ports/security/openssl-portable
https://bz-attachments.freebsd.org/attachment.cgi?id=159654

ports/security/openssl-portable-devel
https://bugs.freebsd.org/bugzilla/attachment.cgi?id=159655&action=diff

Thank you all. PS here are a couple of configs I'd like to hear everyone's thoughts on. Let's mix up the monoculture more:

openssh_rsa1_keygen_enable="NO"
openssh_dsa_keygen_enable="NO"
openssh_rsa_keygen_flags="-b 4096"
openssh_ecdsa_keygen_flags="-b 521"
openssh_ed25519_keygen_enable="YES" #default

sshd_rsa1_keygen_enable="NO"
sshd_dsa_keygen_enable="NO"
sshd_rsa_keygen_flags="-b 16384"
sshd_ecdsa_keygen_enable="NO"
sshd_ed25519_keygen_enable="NO"

openssh_rsa1_keygen_enable="NO"
openssh_dsa_keygen_enable="NO"
openssh_rsa_keygen_enable="NO"
openssh_ecdsa_keygen_enable="NO"
openssh_ed25519_keygen_enable="YES" #default

Can we have a conversation about how best to configure things to require && (and) keys instead of || (or) keys for certain/all users? Using sshd_config and/or PAM?

openssh_rsa1_keygen_flags="-b 16384"
openssh_dsa_keygen_enable="YES" #default
openssh_rsa_keygen_flags="-b 16384"
openssh_ecdsa_keygen_flags="-b 521"
openssh_ed25519_keygen_enable="YES" #default

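As an added illustration (not code from the patch or from the ports), a small POSIX sh dry-run that shows how rc.conf variables of the form sshd_<type>_keygen_enable / sshd_<type>_keygen_flags could map onto ssh-keygen invocations. The on-by-default behaviour, the host key file names and the skip-if-a-key-already-exists rule are assumptions made here, not taken from the patch.

```shell
# Added example, not the patch's code. Assumptions: a type is generated unless
# sshd_<type>_keygen_enable is "NO", *_keygen_flags is appended verbatim, and an
# existing key file is never touched (hence the author's advice to delete old
# ssh_host_*_key files by hand before new settings take effect).
# Constructed rc.conf fragment reusing the author's variable names.
RC_CONF_SAMPLE='
sshd_rsa1_keygen_enable="NO"
sshd_dsa_keygen_enable="NO"
sshd_rsa_keygen_flags="-b 4096"
sshd_ecdsa_keygen_flags="-b 521"
sshd_ed25519_keygen_enable="YES"
'
# Import only well-formed sshd_<type>_keygen_{enable,flags}="..." lines;
# anything else in the fragment is ignored rather than eval'ed.
load_rc_fragment() {
    while IFS= read -r line; do
        name=${line%%=*}
        case "$name" in
            sshd_*_keygen_enable|sshd_*_keygen_flags) ;;
            *) continue ;;
        esac
        case "$name" in *[!a-zA-Z0-9_]*) continue ;; esac
        value=${line#*=}
        value=${value#\"}; value=${value%\"}
        eval "$name=\$value"
    done <<EOF
$1
EOF
}

# Print the ssh-keygen command for one key type into key directory $2,
# or nothing if the type is disabled or its key file already exists.
keygen_cmd() {
    ktype=$1
    case "$ktype" in rsa1|dsa|rsa|ecdsa|ed25519) ;; *) return 1 ;; esac
    eval "enable=\${sshd_${ktype}_keygen_enable:-YES}"
    eval "flags=\${sshd_${ktype}_keygen_flags:-}"
    case "$enable" in [Nn][Oo]) return 0 ;; esac
    # The protocol-1 host key is ssh_host_key; all others carry the type name.
    keyfile=$2/ssh_host_key
    [ "$ktype" = rsa1 ] || keyfile=$2/ssh_host_${ktype}_key
    [ -f "$keyfile" ] && return 0
    printf 'ssh-keygen -q -t %s%s -f %s -N ""\n' "$ktype" "${flags:+ $flags}" "$keyfile"
}

# Dry-run the whole plan for a key directory (nothing is generated).
plan_keygen() { for t in rsa1 dsa rsa ecdsa ed25519; do keygen_cmd "$t" "$1"; done; }
load_rc_fragment "$RC_CONF_SAMPLE"
plan_keygen /etc/ssh
```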