[PATCH] Please review this rc.d/sshd tiny yet ripe low hanging fruit for me.

Chad J. Milios milios at ccsys.com
Sat Aug 8 04:05:42 UTC 2015


On Aug 7, 2015, at 1:46 PM, Chad J. Milios <milios at ccsys.com> wrote:
> ...I apologize for the list-bombing, if I may have a moment of your time:
> TLDR:
> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=159642&action=diff
> …..
> My Concerns:
> ONE is adding functionality allowing an admin to tweak the key generation sshd makes upon its first run using variables in rc.conf instead of the current-day requirement of essentially manually generating those keys, hopefully the same way, putting them hopefully in the right place. (Not hard for most of us, I know.) TWO, then, is adding some sort of red paint to a foot-aimed gun I came across when considering the variable names in rc.d/sshd and the lack of mention in defaults/rc.conf or man 5 rc.conf.
> …..

FYI, I have ported the identical functionality now to the security/openssl-portable and security/openssl-portable-devel ports so no one has to miss out. Please would you try one out and now configure your (-b)etter keys in a consistent way in new deployments from now on or upgrade yours if you are using defaults and delete existing /etc/ssh/ssh_host_foo_key* files manually if you intend to update them.

Knocking out little fixes like this will keep making things like sysrc more useful and mergemaster even more worthless, bless its tired heart. Help assure this works as intended in many cases with as many ssh options as possible. THANKS

PATCHES: either...

base system:
https://bugs.freebsd.org/bugzilla/attachment.cgi?id=159642&action=diff

ports/security/openssl-portable
https://bz-attachments.freebsd.org/attachment.cgi?id=159654

ports/security/openssl-portable-devel
https://bugs.freebsd.org/bugzilla/attachment.cgi?id=159655&action=diff

Thank you all. PS here are a couple of configs I'd like to hear everyone's thoughts on. Let's mix up the monoculture more:

openssh_rsa1_keygen_enable="NO"
openssh_dsa_keygen_enable="NO"
openssh_rsa_keygen_flags="-b 4096"
openssh_ecdsa_keygen_flags="-b 521"
openssh_ed25519_keygen_enable="YES" #default

sshd_rsa1_keygen_enable="NO"
sshd_dsa_keygen_enable="NO"
sshd_rsa_keygen_flags="-b 16384"
sshd_ecdsa_keygen_enable="NO"
sshd_ed25519_keygen_enable="NO"

openssh_rsa1_keygen_enable="NO"
openssh_dsa_keygen_enable="NO"
openssh_rsa_keygen_enable="NO"
openssh_ecdsa_keygen_enable="NO"
openssh_ed25519_keygen_enable="YES" #default

Can we have a conversation about how best to configure things to require && (and) keys instead of || (or) keys for certain/all users? Using sshd_config and/or PAM?

openssh_rsa1_keygen_flags="-b 16384"
openssh_dsa_keygen_enable="YES" #default
openssh_rsa_keygen_flags="-b 16384"
openssh_ecdsa_keygen_flags="-b 521"
openssh_ed25519_keygen_enable="YES" #default

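An added check, not part of the post or of the patches linked above: once the rc.d script (or the port's equivalent) has generated host keys from one of the rc.conf fragments above, confirm that the keys sshd will actually present match the intended policy. The script assumes the line format printed by `ssh-keygen -l -f /etc/ssh/ssh_host_*_key.pub` (bit length, fingerprint, comment, key type in parentheses); the sample lines embedded below are constructed, not real fingerprints, and the policy encoded (no RSA1/DSA, RSA of at least 4096 bits, ECDSA of 521 bits, ed25519 allowed) is one reading of the "mix up the monoculture" configs, not anything the patch enforces.

```sh
#!/bin/sh
# Added example: audit sshd host keys against a chosen key policy.
# Input is the output of `ssh-keygen -l -f /etc/ssh/ssh_host_*_key.pub`,
# one line per key: "<bits> <fingerprint> <comment> (<TYPE>)".
# Live use:  for k in /etc/ssh/ssh_host_*_key.pub; do ssh-keygen -l -f "$k"; done | audit_keys

# audit_keys: reads fingerprint lines on stdin, prints "TYPE bits verdict"
# per key, and returns 1 if any key violates the policy.
audit_keys() {
    awk '
    {
        bits = $1 + 0
        type = $NF
        gsub(/[()]/, "", type)          # "(RSA)" -> "RSA"
        verdict = "ok"
        if (type == "RSA1" || type == "DSA")
            verdict = "reject: obsolete type " type
        else if (type == "RSA" && bits < 4096)
            verdict = "reject: RSA " bits " < 4096"
        else if (type == "ECDSA" && bits < 521)
            verdict = "reject: ECDSA " bits " < 521"
        else if (type != "RSA" && type != "ECDSA" && type != "ED25519")
            verdict = "reject: unexpected type " type
        print type, bits, verdict
        if (verdict != "ok") bad = 1
    }
    END { exit bad }'
}

# Constructed sample input (fingerprints are placeholders, not real keys).
# A stock install that kept the defaults: 2048-bit RSA and a DSA key present.
SAMPLE_DEFAULT_KEYS='2048 SHA256:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA root@host (RSA)
1024 SHA256:BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB root@host (DSA)
521 SHA256:CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC root@host (ECDSA)
256 SHA256:DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD root@host (ED25519)'

# What the second rc.conf fragment above would produce: RSA -b 16384 only
# plus an ed25519 key kept from the port's defaults.
SAMPLE_POLICY_KEYS='16384 SHA256:EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE root@host (RSA)
256 SHA256:DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD root@host (ED25519)'

# Wrappers so the exit status and verdict count can be checked by name.
audit_default_sample() { printf '%s\n' "$SAMPLE_DEFAULT_KEYS" | audit_keys; }
audit_policy_sample()  { printf '%s\n' "$SAMPLE_POLICY_KEYS" | audit_keys; }
count_rejects()        { printf '%s\n' "$1" | audit_keys | grep -c 'reject'; }

# Run the default-install audit when executed directly with --demo.
if [ "${1:-}" = "--demo" ]; then
    audit_default_sample
fi
```

On the "&& keys instead of || keys" question: the sshd_config knob for that is `AuthenticationMethods` (OpenSSH 6.2 and later), which takes one or more comma-separated lists that must all succeed, e.g. `AuthenticationMethods publickey,publickey` to require two different public keys for a login; it can be scoped to particular users or groups inside a `Match` block. The audit above does not cover that; it only checks which host keys exist and how large they are.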