Created attachment 159654 [details]
svn diff of /usr/ports/security/openssh-portable

Implements identical functionality to https://bugs.freebsd.org/bugzilla/attachment.cgi?id=159642&action=diff which is for base rc.d/sshd. This port update also increases the default on RSA version 1 keys from 1024 to 2048 bits. Is there any lasting compelling reason for that explicit low setting in the rc.d script? Using the 2048 implicit default brings us in line with the present base defaults of how sshd starts up.
Created attachment 159655 [details]
svn diff of /usr/ports/security/openssh-portable-devel

Same thing for the -devel port.
s/openssl/openssh/g and assign.
Created attachment 159665 [details]
svn diff of /usr/ports/security/openssh-portable

DOH!! Did I title this PR with openssL-portable? It was late last night. I just found a s/skip_ecdsa= skip_ecdsa=/skip_ecdsa= skip_ed25519=/; apparently my copy-paste-fu was lacking. Comb through these please and/or feel free to take liberties with the style and implementation to match base and/or reduce enumerations of the keys.
Created attachment 159666 [details]
svn diff of /usr/ports/security/openssl-portable-devel

I just found a s/skip_ecdsa= skip_ecdsa=/skip_ecdsa= skip_ed25519=/; apparently my copy-paste-fu was lacking. Comb through these please and/or feel free to take liberties with the style and implementation to match base and/or reduce enumerations of the keys. Take NOTE of also in base: https://bugs.freebsd.org/bugzilla/attachment.cgi?id=159642&action=diff
Created attachment 160593 [details]
svn diff of /usr/ports/security/openssh-portable

Incorporates fix to https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=202792

# svn status
M       Makefile
M       files/openssh.in
Created attachment 160594 [details]
svn diff of /usr/ports/security/openssl-portable-devel

svn diff of /usr/ports/security/openssh-portable-devel; incorporates fix to https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=202792

# svn status
M       Makefile
M       files/openssh.in
A commit references this bug:

Author: bdrewery
Date: Thu Sep 24 21:54:41 UTC 2015
New revision: 397771
URL: https://svnweb.freebsd.org/changeset/ports/397771

Log:
  Stop trying to create the RSA protocol 1 key from the rc.d file. It is no longer supported by default since 7.0. [1]

  I do plan to make this configurable based on PR 202169 [2] soon.

  PR:           202792 [1]
  PR:           202169 [2]
  Submitted by: chrysalis@chrysalisnet.org [1]

Changes:
  head/security/openssh-portable/Makefile
  head/security/openssh-portable/files/openssh.in
I committed PR 202792 for now but do plan to take your change. I may commit it to the base version as well (PR 202153). I just need more time to review and test it.
[There's no need to rebase your patch, I can handle the conflict I made]
Is this still relevant?
I still use this patch everywhere because I like my deployments to auto-generate strong keys and I distrust DSA altogether. The openssh-portable-devel port has been dropped.
Any news here?
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=ae66cffc19f357cbd51d5841c9b110a9ffd63e32

commit ae66cffc19f357cbd51d5841c9b110a9ffd63e32
Author:     Bryan Drewery <bdrewery@FreeBSD.org>
AuthorDate: 2022-03-03 18:27:34 +0000
Commit:     Bryan Drewery <bdrewery@FreeBSD.org>
CommitDate: 2022-03-03 19:25:36 +0000

    security/openssh-portable: Update to 8.9p1

    - Unbreak GSSAPI [1]
    - rc.d/openssh: Allow modifying host key generation [2]

    Changes: https://www.openssh.com/txt/release-8.9

    PR:             259909 [1]
    PR:             202169 [2]
    Submitted by:   Rick Miller [1]
    Submitted by:   Chad Jacob Milios [2]

 security/openssh-portable/Makefile                 |  8 ++---
 security/openssh-portable/distinfo                 |  8 +++--
 .../files/extra-patch-gssapi-auth2-gss.c (new)     | 19 +++++++++++
 .../files/extra-patch-gssapi-sshconnect2.c (gone)  | 12 -------
 security/openssh-portable/files/extra-patch-hpn    | 16 ++++-----
 .../openssh-portable/files/extra-patch-tcpwrappers | 12 +++---
 security/openssh-portable/files/openssh.in         | 39 +++++++++++++++-------
 .../files/patch-platform-tracing.c (gone)          | 25 --------------
 security/openssh-portable/files/patch-ssh-agent.c  | 22 ++++++------
 9 files changed, 80 insertions(+), 81 deletions(-)
Thanks! Sorry this got dropped for so long. No good reason.
On second thought I am going to remove the "_keygen" part of the rcvars so this more closely matches the base names of the same feature. So it will now be this:

: ${openssh_dsa_enable="YES"}
: ${openssh_dsa_flags=""}
: ${openssh_rsa_enable="YES"}
: ${openssh_rsa_flags=""}
: ${openssh_ecdsa_enable="YES"}
: ${openssh_ecdsa_flags=""}
: ${openssh_ed25519_enable="YES"}
: ${openssh_ed25519_flags=""}
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=1249b096fa52847f13a956ee0364b2a14c60e9b5

commit 1249b096fa52847f13a956ee0364b2a14c60e9b5
Author:     Bryan Drewery <bdrewery@FreeBSD.org>
AuthorDate: 2022-03-03 19:35:43 +0000
Commit:     Bryan Drewery <bdrewery@FreeBSD.org>
CommitDate: 2022-03-03 19:37:07 +0000

    security/openssh-portable: Tweak new rc var names

    Commit ae66cffc19f357cbd5 added new rc vars to control generating of host keys [1]. Rename these to more closely match the base version before it becomes widely adopted.

    PR:             202169 [1]
    PR:             209948 [FYI]

 security/openssh-portable/files/openssh.in | 40 +++++++++++++++---------------
 1 file changed, 20 insertions(+), 20 deletions(-)
(In reply to Bryan Drewery from comment #15)

The base names are wrong. Unfortunately, the line:

openssh_dsa_enable="NO"

does not disable DSA in openssh, as it implies. (Same for the other keys.)
(In reply to Jamie Landeg-Jones from comment #17) What do you mean they are wrong?
(In reply to Jamie Landeg-Jones from comment #17) I assume you mean that openssh_dsa_enable=NO does not disable DSA entirely, like with ssh outbound. I added a comment explaining what they are for just now.
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=21cedc6ee57bc9321c9cb5ebe21bdf2c4bc154ee

commit 21cedc6ee57bc9321c9cb5ebe21bdf2c4bc154ee
Author:     Bryan Drewery <bdrewery@FreeBSD.org>
AuthorDate: 2022-03-07 22:57:08 +0000
Commit:     Bryan Drewery <bdrewery@FreeBSD.org>
CommitDate: 2022-03-07 23:02:47 +0000

    security/openssh-portable: Add comment in openssh.in about host keys

    Commit ae66cffc19f added some rc vars to allow disabling host keys. The naming caused some confusion. Attempt to address that with a comment since these are not documented anywhere else.

    PR:             202169

 security/openssh-portable/Makefile         | 2 +-
 security/openssh-portable/files/openssh.in | 1 +
 2 files changed, 2 insertions(+), 1 deletion(-)
(In reply to Bryan Drewery from comment #15)

You will likely also need two new vars for the XMSS post-quantum algorithm. It's not mentioned in the OpenSSH manpages as yet, but I believe it will be generated if ssh-keygen -A is invoked. Will need $openssh_xmss_enable at a minimum. I am unsure, due to lack of information on it, if XMSS takes any flags, or if it is more like Ed25519.
(In reply to Bryan Drewery from comment #19)

I wasn't thinking of outbound, that would be too pedantic even for me :-) Besides, you could legitimately point out that the rc.conf settings are for the daemons.

No, I was thinking of inbound: if the keys already exist, and someone then sets openssh_xxx_enable=NO, then nothing changes. xxx will still be enabled for sshd.

Cheers, Jamie

P.S. Sorry if my original message appeared curt - it wasn't meant to.
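The point raised in the two comments above (the openssh_<type>_enable / openssh_<type>_flags rcvars listed in comment #15, and the observation that setting one to NO does not remove a key that already exists) is easier to see with a small rc.d-style routine. The following is an added example written for this page, not the port's files/openssh.in. It uses the rcvar names from comment #15; the key directory, the key type list, the helper names and the openssh_keygen_cmd hook are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example (not the port's files/openssh.in): an rc.d-style host key
# generation routine gated by the rcvars named in this PR, plus a check that
# shows why <type>_enable=NO does not remove an already generated key from
# sshd's view.  The key directory, the key type list, the helper names and
# the openssh_keygen_cmd hook are assumptions for illustration.

: ${openssh_keydir="/etc/ssh"}                  # assumed; where ssh_host_*_key live
: ${openssh_keytypes="dsa rsa ecdsa ed25519"}   # assumed; order only affects output
: ${openssh_keygen_cmd="ssh-keygen"}            # assumed hook so a test can stub it

: ${openssh_dsa_enable="YES"}
: ${openssh_dsa_flags=""}
: ${openssh_rsa_enable="YES"}
: ${openssh_rsa_flags=""}
: ${openssh_ecdsa_enable="YES"}
: ${openssh_ecdsa_flags=""}
: ${openssh_ed25519_enable="YES"}
: ${openssh_ed25519_flags=""}

# Path of the host key for one type, following the ssh_host_<type>_key naming.
openssh_keyfile() {
    printf '%s/ssh_host_%s_key\n' "$openssh_keydir" "$1"
}

# Generate a key for every enabled type whose key file is missing.
# Prints the types it generated, one per line.  A disabled type is skipped,
# but an existing key file of that type is left untouched.
openssh_keygen() {
    for _type in $openssh_keytypes; do
        eval "_enable=\${openssh_${_type}_enable}"
        eval "_flags=\${openssh_${_type}_flags}"
        case "$_enable" in
        [Yy][Ee][Ss]) ;;
        *) continue ;;
        esac
        _file=$(openssh_keyfile "$_type")
        [ -f "$_file" ] && continue
        # $_flags is intentionally unquoted: it carries extra ssh-keygen options
        "$openssh_keygen_cmd" -q -t "$_type" -N "" -f "$_file" $_flags || return 1
        echo "$_type"
    done
    return 0
}

# List the key types whose file is present.  sshd loads the host key files
# that exist at its HostKey paths; the *_enable rcvars only gate generation.
# So this list, not the rcvars, is what decides which key types sshd offers.
openssh_keys_present() {
    for _type in $openssh_keytypes; do
        [ -f "$(openssh_keyfile "$_type")" ] && echo "$_type"
    done
    return 0
}
```

Running openssh_keygen with openssh_dsa_enable=NO on a host that already has ssh_host_dsa_key generates only the missing enabled types, and openssh_keys_present still reports dsa afterwards. To actually stop sshd from offering a key type, the key file has to be removed or sshd_config has to list only the wanted HostKey files.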
(In reply to Jamie Landeg-Jones from comment #22) Very good point. Perhaps we should rename these back (with compat) and do the same in base. I don't have time for that myself right now but anyone could do it.
(In reply to Bryan Drewery from comment #23) I'll have a go. Should I put it on phabricator, or is that for committers only?
(In reply to Jamie Landeg-Jones from comment #24) It is for the whole FreeBSD community. Feel free to create an account there.
(In reply to Mateusz Piotrowski from comment #25) Thanks for the reply. I already have a phabricator account, and I've been involved with some discussions on there in the past. I just wasn't sure if creating a new issue on there was for just committers, so thanks for the clarification. Cheers, Jamie