Bug 202169 - [patch] security/openssh-portable add rc.conf vars for flags to ssh-keygen; remove rsa1
Status: Closed FIXED
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
Importance: --- Affects Some People
Assignee: Bryan Drewery
Keywords: patch

Reported: 2015-08-08 02:29 UTC by Chad Jacob Milios
Modified: 2022-07-27 14:04 UTC
Attachments:
  svn diff of /usr/ports/security/openssh-portable (3.84 KB, text/plain), 2015-08-08 02:29 UTC, Chad Jacob Milios
  svn diff of /usr/ports/security/openssh-portable-devel (3.87 KB, patch), 2015-08-08 02:51 UTC, Chad Jacob Milios
  svn diff of /usr/ports/security/openssh-portable (3.84 KB, patch), 2015-08-08 12:37 UTC, Chad Jacob Milios
  svn diff of /usr/ports/security/openssl-portable-devel (3.88 KB, patch), 2015-08-08 12:40 UTC, Chad Jacob Milios
  svn diff of /usr/ports/security/openssh-portable (3.69 KB, patch), 2015-09-01 16:06 UTC, Chad Jacob Milios
  svn diff of /usr/ports/security/openssl-portable-devel (3.72 KB, patch), 2015-09-01 16:08 UTC, Chad Jacob Milios

Description Chad Jacob Milios 2015-08-08 02:29:54 UTC
Created attachment 159654 [details]
svn diff of /usr/ports/security/openssh-portable

implements identical functionality to https://bugs.freebsd.org/bugzilla/attachment.cgi?id=159642&action=diff which is for base rc.d/sshd

This port update also increases the default on RSA version 1 keys from 1024 to 2048 bits. Is there any lasting compelling reason for that explicit low setting in the rc.d script? Using the 2048 implicit default brings us in line with the present base defaults of how sshd starts up.
Comment 1 Chad Jacob Milios 2015-08-08 02:51:03 UTC
Created attachment 159655 [details]
svn diff of /usr/ports/security/openssh-portable-devel

same thing for the -devel port
Comment 2 Mark Linimon freebsd_committer freebsd_triage 2015-08-08 07:45:36 UTC
s/openssl/openssh/g and assign.
Comment 3 Chad Jacob Milios 2015-08-08 12:37:47 UTC
Created attachment 159665 [details]
svn diff of /usr/ports/security/openssh-portable

DOH!! Did I title this PR with openssL-portable? It was late last night.

I just found a s/skip_ecdsa= skip_ecdsa=/skip_ecdsa= skip_ed25519=/; apparently my copy-paste-fu was lacking.

Comb through these please and/or feel free to take liberties with the style and implementation to match base and/or reduce enumerations of the keys.
Comment 4 Chad Jacob Milios 2015-08-08 12:40:26 UTC
Created attachment 159666 [details]
svn diff of /usr/ports/security/openssl-portable-devel

I just found a s/skip_ecdsa= skip_ecdsa=/skip_ecdsa= skip_ed25519=/; apparently my copy-paste-fu was lacking.

Comb through these please and/or feel free to take liberties with the style and implementation to match base and/or reduce enumerations of the keys.

Also take NOTE of the change in base: https://bugs.freebsd.org/bugzilla/attachment.cgi?id=159642&action=diff
Comment 5 Chad Jacob Milios 2015-09-01 16:06:53 UTC
Created attachment 160593 [details]
svn diff of /usr/ports/security/openssh-portable

incorporates fix to https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=202792

# svn status
M       Makefile
M       files/openssh.in
Comment 6 Chad Jacob Milios 2015-09-01 16:08:27 UTC
Created attachment 160594 [details]
svn diff of /usr/ports/security/openssl-portable-devel

svn diff of /usr/ports/security/openssh-portable-devel

incorporates fix to https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=202792

# svn status
M       Makefile
M       files/openssh.in
Comment 7 commit-hook freebsd_committer freebsd_triage 2015-09-24 21:55:07 UTC
A commit references this bug:

Author: bdrewery
Date: Thu Sep 24 21:54:41 UTC 2015
New revision: 397771
URL: https://svnweb.freebsd.org/changeset/ports/397771

Log:
  Stop trying to create the RSA protocol 1 key from the rc.d file.  It is no
  longer supported by default since 7.0. [1]

  I do plan to make this configurable based on PR 202169 [2] soon.

  PR:		202792 [1]
  PR:		202169 [2]
  Submitted by:	chrysalis@chrysalisnet.org [1]

Changes:
  head/security/openssh-portable/Makefile
  head/security/openssh-portable/files/openssh.in
Comment 8 Bryan Drewery freebsd_committer freebsd_triage 2015-09-24 21:56:48 UTC
I committed PR 202792 for now but do plan to take your change. I may commit
it to the base version as well (PR 202153).

I just need more time to review and test it.
Comment 9 Bryan Drewery freebsd_committer freebsd_triage 2015-09-24 21:57:05 UTC
[There's no need to rebase your patch, I can handle the conflict I made]
Comment 10 Walter Schwarzenfeld freebsd_triage 2018-01-12 08:03:10 UTC
Is this still relevant?
Comment 11 Chad Jacob Milios 2018-01-12 11:30:05 UTC
I still use this patch everywhere because I like my deployments to auto-generate strong keys and I distrust DSA altogether.

The openssh-portable-devel port has been dropped.
Comment 12 Walter Schwarzenfeld freebsd_triage 2019-08-16 13:05:01 UTC
Any news here?
Comment 13 commit-hook freebsd_committer freebsd_triage 2022-03-03 19:26:26 UTC
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=ae66cffc19f357cbd51d5841c9b110a9ffd63e32

commit ae66cffc19f357cbd51d5841c9b110a9ffd63e32
Author:     Bryan Drewery <bdrewery@FreeBSD.org>
AuthorDate: 2022-03-03 18:27:34 +0000
Commit:     Bryan Drewery <bdrewery@FreeBSD.org>
CommitDate: 2022-03-03 19:25:36 +0000

    security/openssh-portable: Update to 8.9p1

    - Unbreak GSSAPI [1]
    - rc.d/openssh: Allow modifying host key generation [2]

    Changes: https://www.openssh.com/txt/release-8.9
    PR:             259909 [1]
    PR:             202169 [2]
    Submitted by:   Rick Miller [1]
    Submitted by:   Chad Jacob Milios [2]

 security/openssh-portable/Makefile                 |  8 ++---
 security/openssh-portable/distinfo                 |  8 +++--
 .../files/extra-patch-gssapi-auth2-gss.c (new)     | 19 +++++++++++
 .../files/extra-patch-gssapi-sshconnect2.c (gone)  | 12 -------
 security/openssh-portable/files/extra-patch-hpn    | 16 ++++-----
 .../openssh-portable/files/extra-patch-tcpwrappers | 12 +++----
 security/openssh-portable/files/openssh.in         | 39 +++++++++++++++-------
 .../files/patch-platform-tracing.c (gone)          | 25 --------------
 security/openssh-portable/files/patch-ssh-agent.c  | 22 ++++++------
 9 files changed, 80 insertions(+), 81 deletions(-)
Comment 14 Bryan Drewery freebsd_committer freebsd_triage 2022-03-03 19:26:33 UTC
Thanks! Sorry this got dropped for so long. No good reason.
Comment 15 Bryan Drewery freebsd_committer freebsd_triage 2022-03-03 19:35:41 UTC
On second thought I am going to remove the "_keygen" part of the rcvars so this more closely matches the base names of the same feature.

So it will now be this:

: ${openssh_dsa_enable="YES"}
: ${openssh_dsa_flags=""}
: ${openssh_rsa_enable="YES"}
: ${openssh_rsa_flags=""}
: ${openssh_ecdsa_enable="YES"}
: ${openssh_ecdsa_flags=""}
: ${openssh_ed25519_enable="YES"}
: ${openssh_ed25519_flags=""}
Comment 16 commit-hook freebsd_committer freebsd_triage 2022-03-03 19:37:31 UTC
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=1249b096fa52847f13a956ee0364b2a14c60e9b5

commit 1249b096fa52847f13a956ee0364b2a14c60e9b5
Author:     Bryan Drewery <bdrewery@FreeBSD.org>
AuthorDate: 2022-03-03 19:35:43 +0000
Commit:     Bryan Drewery <bdrewery@FreeBSD.org>
CommitDate: 2022-03-03 19:37:07 +0000

    security/openssh-portable: Tweak new rc var names

    Commit ae66cffc19f357cbd5 added new rc vars to control generating of
    host keys [1].  Rename these to more closely match the base version
    before it becomes widely adopted.

    PR:             202169 [1]
    PR:             209948 [FYI]

 security/openssh-portable/files/openssh.in | 40 +++++++++++++++---------------
 1 file changed, 20 insertions(+), 20 deletions(-)
Comment 17 Jamie Landeg-Jones 2022-03-05 12:57:18 UTC
(In reply to Bryan Drewery from comment #15)

The base names are wrong. 

Unfortunately, the line:

openssh_dsa_enable="NO"

does not disable dsa in openssh, as it implies. (same for the other keys)
Comment 18 Bryan Drewery freebsd_committer freebsd_triage 2022-03-07 22:37:14 UTC
(In reply to Jamie Landeg-Jones from comment #17)

What do you mean they are wrong?
Comment 19 Bryan Drewery freebsd_committer freebsd_triage 2022-03-07 23:03:50 UTC
(In reply to Jamie Landeg-Jones from comment #17)

I assume you mean that openssh_dsa_enable=NO does not disable DSA entirely, like with ssh outbound. I added a comment explaining what they are for just now.
Comment 20 commit-hook freebsd_committer freebsd_triage 2022-03-07 23:04:07 UTC
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=21cedc6ee57bc9321c9cb5ebe21bdf2c4bc154ee

commit 21cedc6ee57bc9321c9cb5ebe21bdf2c4bc154ee
Author:     Bryan Drewery <bdrewery@FreeBSD.org>
AuthorDate: 2022-03-07 22:57:08 +0000
Commit:     Bryan Drewery <bdrewery@FreeBSD.org>
CommitDate: 2022-03-07 23:02:47 +0000

    security/openssh-portable: Add comment in openssh.in about host keys

    Commit ae66cffc19f added some rc vars to allow disabling host keys.
    The naming caused some confusion. Attempt to address that with a
    comment since these are not documented anywhere else.

    PR:             202169

 security/openssh-portable/Makefile         | 2 +-
 security/openssh-portable/files/openssh.in | 1 +
 2 files changed, 2 insertions(+), 1 deletion(-)
Comment 21 Joshua Kinard 2022-03-08 04:35:27 UTC
(In reply to Bryan Drewery from comment #15)

You will likely also need two new vars for the XMSS post-quantum algorithm.  It's not mentioned in the OpenSSH manpages as yet, but I believe it will be generated if ssh-keygen -A is invoked.

Will need $openssh_xmss_enable at a minimum.  I am unsure, due to lack of information on it, if XMSS takes any flags, or if it is more like Ed25519.
Comment 22 Jamie Landeg-Jones 2022-03-08 19:56:39 UTC
(In reply to Bryan Drewery from comment #19)

I wasn't thinking of outbound; that would be too pedantic even for me :-) Besides, you could legitimately point out that the rc.conf settings are for the daemons.

No, I was thinking of inbound: if the keys already exist, and someone then sets openssh_xxx_enable=NO, then nothing changes.  xxx will still be enabled for sshd.

Cheers, Jamie

P.S. Sorry if my original message appeared curt - it wasn't meant to.
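As an added example (not the port's rc.d/openssh script nor code from any commit on this bug), here is a POSIX sh sketch of how rc vars named as in comment 15 would drive host key generation, and of the behaviour Jamie describes above: disabling a type only skips creating a missing key. It assumes the key directory and the keygen command are passed as arguments, and uses a stub in place of ssh-keygen so it runs unprivileged.

```shell
#!/bin/sh
# Added example, not the port's rc.d/openssh script: how the per-type rc
# vars from comment 15 drive host key generation, and why
# openssh_<type>_enable="NO" only skips creating a missing key.  Assumed:
# key dir and keygen command are arguments, so a stub replaces ssh-keygen.

# Defaults in the rc script's style: each is set only when unset.
: ${openssh_dsa_enable="YES"}
: ${openssh_dsa_flags=""}
: ${openssh_rsa_enable="YES"}
: ${openssh_rsa_flags=""}
: ${openssh_ecdsa_enable="YES"}
: ${openssh_ecdsa_flags=""}
: ${openssh_ed25519_enable="YES"}
: ${openssh_ed25519_flags=""}

# gen_host_key TYPE DIR [KEYGEN]: create DIR/ssh_host_TYPE_key with KEYGEN
# (default ssh-keygen) when the type is enabled and the file is missing.
# Skipped cases return 0 so the remaining key types are still processed.
gen_host_key() {
    _type=$1; _dir=$2; _keygen=${3:-ssh-keygen}
    eval "_enable=\$openssh_${_type}_enable"
    eval "_flags=\$openssh_${_type}_flags"
    _keyfile="$_dir/ssh_host_${_type}_key"
    case "$_enable" in
    [Yy][Ee][Ss]) ;;
    *)  # Disabled: nothing is generated, but an existing key is left in
        # place, so sshd keeps offering it (the point in comment 22).
        return 0 ;;
    esac
    [ -f "$_keyfile" ] && return 0
    # $_flags is deliberately unquoted: it holds extra ssh-keygen options.
    "$_keygen" -t "$_type" $_flags -f "$_keyfile" -N ""
}

# stub_keygen: ssh-keygen stand-in that only creates the -f target (no real keys).
stub_keygen() {
    while [ $# -gt 0 ]; do
        [ "$1" = "-f" ] && : > "$2"
        shift
    done
}

# Stand-alone demo: an ECDSA key already exists and DSA is disabled.
demo_dir=$(mktemp -d)
: > "$demo_dir/ssh_host_ecdsa_key"
openssh_dsa_enable="NO"
for t in dsa rsa ecdsa ed25519; do gen_host_key "$t" "$demo_dir" stub_keygen; done
ls "$demo_dir"          # rsa, ecdsa and ed25519 keys; no dsa key was created
rm -rf "$demo_dir"
```

Run with a real ssh-keygen by omitting the third argument; the enable/flags variables can be exported from the environment exactly as rc.conf would supply them.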
Comment 23 Bryan Drewery freebsd_committer freebsd_triage 2022-03-10 20:45:22 UTC
(In reply to Jamie Landeg-Jones from comment #22)

Very good point. Perhaps we should rename these back (with compat) and do the same in base. I don't have time for that myself right now but anyone could do it.
Comment 24 Jamie Landeg-Jones 2022-03-15 15:51:15 UTC
(In reply to Bryan Drewery from comment #23)

I'll have a go. Should I put it on phabricator, or is that for committers only?
Comment 25 Mateusz Piotrowski freebsd_committer freebsd_triage 2022-07-26 15:09:46 UTC
(In reply to Jamie Landeg-Jones from comment #24)
It is for the whole FreeBSD community. Feel free to create an account there.
Comment 26 Jamie Landeg-Jones 2022-07-27 14:04:03 UTC
(In reply to Mateusz Piotrowski from comment #25)

Thanks for the reply. I already have a phabricator account, and I've been involved with some discussions on there in the past. I just wasn't sure if creating a new issue on there was for just committers, so thanks for the clarification.

Cheers, Jamie