On Aug 7, 2015, at 1:46 PM, Chad J. Milios <mil...@ccsys.com> wrote:
> ...I apologize for the list-bombing, if I may have a moment of your time:
> TLDR:
> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=159642&action=diff
> …..
> My Concerns:
> ONE is adding functionality allowing an admin to tweak the key generation 
> sshd makes upon its first run using variables in rc.conf instead of the 
> current day requirement of essentially manually generating those keys, 
> hopefully the same way, putting them hopefully in the right place. (not hard 
> for most of us, i know.) TWO, then, is adding some sort of red paint to a 
> foot-aimed gun I came across when considering the variable names in rc.d/sshd 
> and lack of mention in defaults/rc.conf or man 5 rc.conf.
> …..

FYI, I have ported the identical functionality now to the 
security/openssl-portable and security/openssl-portable-devel ports so no one 
has to miss out. Please would you try one out and now configure your (-b)etter 
keys in a consistent way in new deployments from now on or upgrade yours if you 
are using defaults and delete existing /etc/ssh/ssh_host_foo_key* files 
manually if you intend to update them.

Knocking out little fixes like this will keep making things like sysrc more 
useful and mergemaster even more worthless, bless its tired heart. Help assure 
this works as intended in many cases with as many ssh options as possible. 
THANKS

PATCHES: either...

base system:
https://bugs.freebsd.org/bugzilla/attachment.cgi?id=159642&action=diff 

ports/security/openssl-portable
https://bz-attachments.freebsd.org/attachment.cgi?id=159654 

ports/security/openssl-portable-devel
https://bugs.freebsd.org/bugzilla/attachment.cgi?id=159655&action=diff 

Thank you all. PS here are a couple configs I'd like to hear everyone's thoughts 
on. Let's mix up the monoculture more:

openssh_rsa1_keygen_enable="NO"
openssh_dsa_keygen_enable="NO"
openssh_rsa_keygen_flags="-b 4096"
openssh_ecdsa_keygen_flags="-b 521"
openssh_ed25519_keygen_enable="YES" #default

sshd_rsa1_keygen_enable="NO"
sshd_dsa_keygen_enable="NO"
sshd_rsa_keygen_flags="-b 16384"
sshd_ecdsa_keygen_enable="NO"
sshd_ed25519_keygen_enable="NO"

openssh_rsa1_keygen_enable="NO"
openssh_dsa_keygen_enable="NO"
openssh_rsa_keygen_enable="NO"
openssh_ecdsa_keygen_enable="NO"
openssh_ed25519_keygen_enable="YES" #default

Can we have a conversation about how best to configure things to require && 
(and) keys instead of || (or) keys for certain/all users? Using sshd_config 
and/or PAM?

openssh_rsa1_keygen_flags="-b 16384"
openssh_dsa_keygen_enable="YES" #default
openssh_rsa_keygen_flags="-b 16384"
openssh_ecdsa_keygen_flags="-b 521"
openssh_ed25519_keygen_enable="YES" #default

_______________________________________________
freebsd-security@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscr...@freebsd.org"

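The rc.conf knobs discussed in the mail, shown as an added, stand-alone sh script that is not the code from the Bugzilla patch or from FreeBSD's rc.d/sshd. It reads sshd_<type>_keygen_enable and sshd_<type>_keygen_flags the way a first-start keygen step would, skips disabled types and keys that already exist (so a re-run never clobbers a deployed host key), and emits the ssh-keygen(1) command line. The variable values, the default of "every type enabled, no flags", the sshd_keydir override and the SSHD_KEYGEN_RUN switch are assumptions of this example; the rsa1 key landing in ssh_host_key rather than ssh_host_rsa1_key matches ssh-keygen's own naming.

```shell
#!/bin/sh
# Added example, not the code from the Bugzilla patch or rc.d/sshd.
# sshd_<type>_keygen_enable decides whether a host key of that type is
# generated on first start; sshd_<type>_keygen_flags is passed to ssh-keygen.
# All values and defaults below are constructed for the example.

# rc.conf-style settings (constructed).  Assumed defaults: every type
# enabled, no extra flags.
sshd_rsa1_keygen_enable="NO"
sshd_dsa_keygen_enable="NO"
sshd_rsa_keygen_flags="-b 4096"
sshd_ecdsa_keygen_flags="-b 521"
sshd_ed25519_keygen_enable="YES"

# Key types in the order they are considered; the key directory is
# overridable (assumption) so the script can be exercised in a scratch dir.
sshd_keygen_types="rsa1 dsa rsa ecdsa ed25519"
sshd_keydir="${sshd_keydir:-/etc/ssh}"

# Path of the host key for a type; protocol-1 (rsa1) keys live in
# ssh_host_key, every other type in ssh_host_<type>_key.
sshd_keyfile() {
    case "$1" in
        rsa1) printf '%s\n' "${sshd_keydir}/ssh_host_key" ;;
        *)    printf '%s\n' "${sshd_keydir}/ssh_host_${1}_key" ;;
    esac
}

# checkyesno(8)-style test of sshd_<type>_keygen_enable.
sshd_keygen_enabled() {
    eval "_v=\${sshd_${1}_keygen_enable:-YES}"
    case "$_v" in
        [Yy][Ee][Ss]|[Tt][Rr][Uu][Ee]|[Oo][Nn]|1) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the ssh-keygen command first start would run for a type, or print
# nothing when the type is disabled or its key file already exists.
sshd_keygen_cmd() {
    _type="$1"
    _file="$(sshd_keyfile "$_type")"
    sshd_keygen_enabled "$_type" || return 0
    [ -e "$_file" ] && return 0
    eval "_flags=\${sshd_${_type}_keygen_flags:-}"
    printf '%s\n' "ssh-keygen -t ${_type}${_flags:+ ${_flags}} -f ${_file} -N ''"
}

# Generate every enabled host key that does not exist yet.
sshd_keygen_all() {
    for _t in $sshd_keygen_types; do
        _cmd="$(sshd_keygen_cmd "$_t")"
        [ -n "$_cmd" ] || continue
        echo "Generating ${_t} host key: ${_cmd}"
        eval "$_cmd"
    done
}

# Only touch the filesystem when asked explicitly, e.g.
#   sshd_keydir=/tmp/sshtest SSHD_KEYGEN_RUN=1 sh keygen.sh
if [ "${SSHD_KEYGEN_RUN:-0}" = "1" ]; then
    sshd_keygen_all
fi
```

Two caveats when choosing the flags in the mail: ssh-keygen refuses DSA keys other than 1024 bits and ECDSA sizes other than 256, 384 or 521, and ignores -b for ed25519, so a flags value the tool rejects silently leaves that host key missing on first boot unless the script checks ssh-keygen's exit status. For the "&& keys" question, that is an sshd_config matter rather than a keygen one: AuthenticationMethods (for example `AuthenticationMethods publickey,publickey` inside a Match block) makes sshd require two distinct public keys in sequence.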