From owner-freebsd-questions@freebsd.org  Sat Aug  8 04:05:42 2015
Return-Path: <owner-freebsd-questions@freebsd.org>
Delivered-To: freebsd-questions@mailman.ysv.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org
 [IPv6:2001:1900:2254:206a::19:1])
 by mailman.ysv.freebsd.org (Postfix) with ESMTP id BFF2A9B5C4C;
 Sat,  8 Aug 2015 04:05:42 +0000 (UTC)
 (envelope-from milios@ccsys.com)
Received: from cargobay.net (cargobay.net [198.178.123.147])
 by mx1.freebsd.org (Postfix) with ESMTP id 80A951FE6;
 Sat,  8 Aug 2015 04:05:41 +0000 (UTC)
 (envelope-from milios@ccsys.com)
Received: from [192.168.0.2] (cblmdm72-240-160-19.buckeyecom.net
 [72.240.160.19]) by cargobay.net (Postfix) with ESMTPSA id 69415FE5;
 Sat,  8 Aug 2015 04:04:43 +0000 (UTC)
From: "Chad J. Milios" <milios@ccsys.com>
Message-Id: <218890C8-9306-4CAF-9AEF-35664275B340@ccsys.com>
Mime-Version: 1.0 (Mac OS X Mail 8.2 \(2102\))
Subject: Re: [PATCH] Please review this rc.d/sshd tiny yet ripe low hanging
 fruit for me.
Date: Sat, 8 Aug 2015 00:05:37 -0400
References: <E646DC70-E759-4680-A655-E3EB00D48489@ccsys.com>
To: freebsd-rc@freebsd.org, freebsd-security@freebsd.org,
 freebsd-questions@freebsd.org
In-Reply-To: <E646DC70-E759-4680-A655-E3EB00D48489@ccsys.com>
X-Mailer: Apple Mail (2.2102)
Content-Type: text/plain;
	charset=utf-8
Content-Transfer-Encoding: quoted-printable
X-Content-Filtered-By: Mailman/MimeDel 2.1.20
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.20
Precedence: list
List-Id: User questions <freebsd-questions.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/options/freebsd-questions>, 
 <mailto:freebsd-questions-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-questions/>
List-Post: <mailto:freebsd-questions@freebsd.org>
List-Help: <mailto:freebsd-questions-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-questions>, 
 <mailto:freebsd-questions-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Sat, 08 Aug 2015 04:05:42 -0000

On Aug 7, 2015, at 1:46 PM, Chad J. Milios <milios@ccsys.com> wrote:
> ...i apologize for the list-bombing, if i may have a moment of your =
time:
> TLDR:
> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=3D159642&action=3Ddi=
ff
> =E2=80=A6..
> My Concerns:
> ONE is adding functionality allowing an admin to tweak the key =
generation sshd makes upon its first run using variables in rc.conf =
instead of the current day requirement of essentially manually =
generating those keys, hopefully the same way, putting them hopefully in =
the right place. (not hard for most of us, i know.) TWO, then, is adding =
some sort of red paint to a foot-aimed gun i came across when =
considering the variable names in rc.d/sshd and lack of mention in =
defaults/rc.conf or man 5 rc.conf.
> =E2=80=A6..

FYI, I have ported the identical functionality now to the =
security/openssl-portable and security/openssl-portable-devel ports so =
no one has to miss out. Please would you try one out and now configure =
your (-b)etter keys in a consistent way in new deployments from now on =
or upgrade yours if you are using defaults and delete existing =
/etc/ssh/ssh_host_foo_key* files manually if you intend to update them.

Knocking out little fixes like this will keep making things like sysrc =
more useful and mergemaster even more worthless, bless its tired heart. =
Help assure this works as intended in many cases with as many ssh =
options as possible. THANKS

PATCHES: either...

base system:
https://bugs.freebsd.org/bugzilla/attachment.cgi?id=3D159642&action=3Ddiff=
 =
<https://bugs.freebsd.org/bugzilla/attachment.cgi?id=3D159642&action=3Ddif=
f>

ports/security/openssl-portable
https://bz-attachments.freebsd.org/attachment.cgi?id=3D159654 =
<https://bz-attachments.freebsd.org/attachment.cgi?id=3D159654>

ports/security/openssl-portable-devel
https://bugs.freebsd.org/bugzilla/attachment.cgi?id=3D159655&action=3Ddiff=
 =
<https://bugs.freebsd.org/bugzilla/attachment.cgi?id=3D159655&action=3Ddif=
f>

Thank you all. PS here are a couple configs I=E2=80=99d like to hear =
everyones thoughts on. Let=E2=80=99s mix up the monoculture more:

openssh_rsa1_keygen_enable=3D"NO"
openssh_dsa_keygen_enable=3D"NO"
openssh_rsa_keygen_flags=3D"-b 4096"
openssh_ecdsa_keygen_flags=3D"-b 521"
openssh_ed25519_keygen_enable=3D"YES" #default

sshd_rsa1_keygen_enable=3D"NO"
sshd_dsa_keygen_enable=3D"NO"
sshd_rsa_keygen_flags=3D"-b 16384"
sshd_ecdsa_keygen_enable=3D"NO"
sshd_ed25519_keygen_enable=3D"NO"

openssh_rsa1_keygen_enable=3D"NO"
openssh_dsa_keygen_enable=3D"NO"
openssh_rsa_keygen_enable=3D"NO"
openssh_ecdsa_keygen_enable=3D"NO"
openssh_ed25519_keygen_enable=3D"YES" #default

Can we have a conversation about how best to configure things to require =
&& (and) keys instead of || (or) keys for certain/all users? Using =
sshd_config and/or PAM?

openssh_rsa1_keygen_flags=3D"-b 16384=E2=80=9D
openssh_dsa_keygen_enable=3D"YES" #default
openssh_rsa_keygen_flags=3D"-b 16384"
openssh_ecdsa_keygen_flags=3D"-b 521"
openssh_ed25519_keygen_enable=3D"YES" #default