Re: Why generate SSH keys at startup?
On Thu, Mar 12, 2015 at 08:27:03PM +, Christian Weisgerber wrote:
> On 2015-03-12, John Long codeb...@inbox.lv wrote:
>
> > > By setting PubkeyAcceptedKeyTypes accordingly in sshd_config.
> >
> > Thanks, I looked and looked and could not find it in the man page. It
> > appears to be only in -current? Is this possible in prior versions
> > (i.e. undocumented but works) or is it totally new?
>
> Unfortunately, it is quite new.  It was added ... *checks CVS history*
> ... eight weeks ago.

Thank you. Motivation for keeping boxes current ;-)

/jl

-- 
ASCII ribbon campaign ( ) Powered by Lemote Fuloong
 against HTML e-mail   X  Loongson MIPS and OpenBSD
   and proprietary    / \ http://www.mutt.org
     attachments     / \  Code Blue or Go Home!
Encrypted email preferred  PGP Key 2048R/DA65BC04
Re: Why generate SSH keys at startup?
On Thu, Mar 12, 2015 at 07:19:25PM +, Stuart Henderson wrote:
> On 2015-03-12, John Long codeb...@inbox.lv wrote:
> > On Thu, Mar 12, 2015 at 04:20:47PM +, Christian Weisgerber wrote:
> > > On 2015-03-12, John Long codeb...@inbox.lv wrote:
> > > > > You can simply configure HostKey in /etc/ssh/sshd_config.
> > > >
> > > > With that done a client can still do pubkey auth with a DSA key.
> > > > (How) can I stop sshd from accepting client keys a user might
> > > > include in ~/.ssh/authorized_keys other than RSA keys?
> > >
> > > By setting PubkeyAcceptedKeyTypes accordingly in sshd_config.
> >
> > Thanks, I looked and looked and could not find it in the man page. It
> > appears to be only in -current? Is this possible in prior versions
> > (i.e. undocumented but works) or is it totally new?
>
> By looking with
>
>   cvs blame sshd_config.5 | grep PubkeyAcceptedKeyTypes
>
> and examining the cvs log, you can see that it was added on 2015/01/13.

Thanks for the info and tip!

/jl
Re: Why generate SSH keys at startup?
On Thu, Mar 12, 2015 at 04:00:30PM -0400, Josh Grosse wrote:
> On Thu, Mar 12, 2015 at 07:19:25PM +, Stuart Henderson wrote:
> > By looking with
> >
> >   cvs blame sshd_config.5 | grep PubkeyAcceptedKeyTypes
> >
> > and examining the cvs log, you can see that it was added on 2015/01/13.
>
> Blame?  Blame?  When did this wonderful, utterly brilliant but
> undocumented synonym for annotate get added to cvs?
>
> And then I found the commit:
>
> CVSROOT:	/cvs
> Module name:	src
> Changes by:	j...@cvs.openbsd.org	2010/07/22 04:31:10

Good one :-)

Thanks.

/jl
Re: Why generate SSH keys at startup?
On Wed, Mar 11, 2015 at 11:13:20PM +, Christian Weisgerber wrote:
> On 2015-03-10, John Long codeb...@inbox.lv wrote:
>
> > But /etc/rc appears to generate all missing key types every startup.
>
> Only if you delete them!

Yes, that's what I said.

> You can simply configure HostKey in /etc/ssh/sshd_config.  As soon as
> you set it to any value, the complete defaults are gone.  For instance,
> if there are no further HostKey statements,
>
>   HostKey /etc/ssh/ssh_host_ed25519_key
>
> will make the server only load that Ed25519 key.  No ECDSA, RSA, or DSA.
> Try it.

With that done a client can still do pubkey auth with a DSA key. (How) can
I stop sshd from accepting client keys a user might include in
~/.ssh/authorized_keys other than RSA keys?

> > What problems do I cause by commenting out the ssh-keygen?
>
> Well, you would be making a change you obviously don't understand.

Well, I think it's obvious I'm open to that possibility or I wouldn't have
asked the question in the first place. Given I do understand that if
ssh-keygen -A isn't run at startup none of the keys I deleted will come
back, and given that's what I really want even if new ciphers get added in
the future, are there any other issues to be aware of regarding removing
ssh-keygen -A from the startup?

/jl
Re: Why generate SSH keys at startup?
On 2015-03-12, John Long codeb...@inbox.lv wrote:

> > You can simply configure HostKey in /etc/ssh/sshd_config.
>
> With that done a client can still do pubkey auth with a DSA key. (How)
> can I stop sshd from accepting client keys a user might include in
> ~/.ssh/authorized_keys other than RSA keys?

By setting PubkeyAcceptedKeyTypes accordingly in sshd_config.

This has _nothing_ to do with the server keys.

> Given I do understand that if ssh-keygen -A isn't run at startup none of
> the keys I deleted will come back, and given that's what I really want
> even if new ciphers get added in the future, are there any other issues
> to be aware of regarding removing ssh-keygen -A from the startup?

/etc/rc isn't a configuration file.  When you upgrade OpenBSD, /etc/rc
will be overwritten and your changes will be lost.

I don't understand why you insist on deleting the server keys.

-- 
Christian "naddy" Weisgerber                          na...@mips.inka.de
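The PubkeyAcceptedKeyTypes setting Christian points at filters the client keys sshd will accept and has no effect on the server's own host keys. The script below is an added example, not code from this thread or from OpenSSH: it emulates that filter over a constructed authorized_keys file so an administrator can preview which entries an RSA-only setting would lock out before deploying it. The sample keys, the audit_* function names and the pattern-list matching (modelled on ssh's match_pattern_list(): comma-separated globs, a leading "!" negates and a negated match rejects immediately) are the example's own assumptions; the directive was renamed PubkeyAcceptedAlgorithms in OpenSSH 8.5 with the old name kept as an alias.

```shell
#!/bin/sh
# Added example, not from the thread or OpenSSH: emulate what sshd's
# PubkeyAcceptedKeyTypes does to the entries of an authorized_keys file.
set -f   # authorized_keys options such as from="*.example" must not glob

# key_type_of LINE: print the key type of one authorized_keys line.
# The first field may be an options list (no-pty,command="..."), so scan
# for the first field that looks like a key type instead of trusting $1.
# (A toy parser: quoted spaces inside options are split like any other.)
key_type_of() {
    for _field in $1; do
        case "$_field" in
            ssh-*|ecdsa-*|sk-*) printf '%s\n' "$_field"; return 0 ;;
        esac
    done
    return 1
}

# type_accepted TYPE PATTERNS: return 0 if TYPE passes the pattern list.
# Patterns are tried in order; a negated ("!") pattern that matches rejects
# at once, otherwise the type is accepted if any positive pattern matched.
type_accepted() {
    _type=$1 _rest=$2 _ok=1
    while [ -n "$_rest" ]; do
        case "$_rest" in
            *,*) _pat=${_rest%%,*}; _rest=${_rest#*,} ;;
            *)   _pat=$_rest; _rest= ;;
        esac
        case "$_pat" in
            !*) _neg=${_pat#!}
                case "$_type" in $_neg) return 1 ;; esac ;;
            *)  case "$_type" in $_pat) _ok=0 ;; esac ;;
        esac
    done
    return $_ok
}

# audit_authorized_keys PATTERNS < authorized_keys: print "accept TYPE" or
# "REJECT TYPE" per key; return 0 only if every key would still be usable.
audit_authorized_keys() {
    _bad=0
    while IFS= read -r _line || [ -n "$_line" ]; do
        case "$_line" in ''|'#'*) continue ;; esac
        if ! _t=$(key_type_of "$_line"); then
            printf 'REJECT (no key type found)\n'; _bad=1; continue
        fi
        if type_accepted "$_t" "$1"; then
            printf 'accept %s\n' "$_t"
        else
            printf 'REJECT %s\n' "$_t"; _bad=1
        fi
    done
    return $_bad
}

# Constructed sample authorized_keys; the key material is not real.
AUTHKEYS_SAMPLE='# constructed sample
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCFAKEKEY alice@example
ssh-dss AAAAB3NzaC1kc3MAAACBAFAKEKEY bob@example
no-pty,command="/usr/local/bin/backup --verify" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFAKEKEY backup@example
ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIFAKEKEY carol@example'

# audit_sample PATTERNS: run the audit over the constructed sample.
audit_sample() {
    printf '%s\n' "$AUTHKEYS_SAMPLE" | audit_authorized_keys "$1"
}

# Stand-alone run: first the RSA-only setting discussed in the thread,
# then a looser one that only forbids DSA keys.
audit_sample 'ssh-rsa,ssh-rsa-cert-v01@openssh.com' || :
audit_sample '!ssh-dss,*' || :
```

To check a real file, feed it in with `audit_authorized_keys 'ssh-rsa,ssh-rsa-cert-v01@openssh.com' < ~/.ssh/authorized_keys`; the setting a running sshd actually applies is shown by `sshd -T | grep -i pubkeyaccepted`, which is the authoritative reference when this emulation and the server disagree.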
Re: Why generate SSH keys at startup?
On Thu, Mar 12, 2015 at 04:20:47PM +, Christian Weisgerber wrote:
> On 2015-03-12, John Long codeb...@inbox.lv wrote:
>
> > > You can simply configure HostKey in /etc/ssh/sshd_config.
> >
> > With that done a client can still do pubkey auth with a DSA key. (How)
> > can I stop sshd from accepting client keys a user might include in
> > ~/.ssh/authorized_keys other than RSA keys?
>
> By setting PubkeyAcceptedKeyTypes accordingly in sshd_config.

Thanks, I looked and looked and could not find it in the man page. It
appears to be only in -current? Is this possible in prior versions (i.e.
undocumented but works) or is it totally new?

> This has _nothing_ to do with the server keys.

Understood. I want to do an RSA-only setup. After the server key issue was
resolved I looked at what the clients can do.

> /etc/rc isn't a configuration file.  When you upgrade OpenBSD, /etc/rc
> will be overwritten and your changes will be lost.

I realize that. I keep track of local customizations in a notebook.

Thanks,

/jl
Re: Why generate SSH keys at startup?
On 2015-03-12, John Long codeb...@inbox.lv wrote:
> On Thu, Mar 12, 2015 at 04:20:47PM +, Christian Weisgerber wrote:
> > On 2015-03-12, John Long codeb...@inbox.lv wrote:
> > > > You can simply configure HostKey in /etc/ssh/sshd_config.
> > >
> > > With that done a client can still do pubkey auth with a DSA key. (How)
> > > can I stop sshd from accepting client keys a user might include in
> > > ~/.ssh/authorized_keys other than RSA keys?
> >
> > By setting PubkeyAcceptedKeyTypes accordingly in sshd_config.
>
> Thanks, I looked and looked and could not find it in the man page. It
> appears to be only in -current? Is this possible in prior versions (i.e.
> undocumented but works) or is it totally new?

By looking with

  cvs blame sshd_config.5 | grep PubkeyAcceptedKeyTypes

and examining the cvs log, you can see that it was added on 2015/01/13.
Re: Why generate SSH keys at startup?
On Thu, Mar 12, 2015 at 07:19:25PM +, Stuart Henderson wrote:
> By looking with
>
>   cvs blame sshd_config.5 | grep PubkeyAcceptedKeyTypes
>
> and examining the cvs log, you can see that it was added on 2015/01/13.

Blame?  Blame?  When did this wonderful, utterly brilliant but undocumented
synonym for annotate get added to cvs?  I think I'll use it to find out ;)

$ cvs blame main.c | grep blame
Annotations for main.c
***
1.39         (jsg      22-Jul-10):     { "annotate", "ann", "blame", annotate, CVS_CMD_USES_WORK_DIR },

And then I found the commit:

CVSROOT:	/cvs
Module name:	src
Changes by:	j...@cvs.openbsd.org	2010/07/22 04:31:10

Modified files:
	gnu/usr.bin/cvs/src: main.c

Log message:
As per OpenCVS, general usage in conversation and apparently newer upstream
versions of this code, add blame as an alias for annotate.

ok henning@ fgsch@ deraadt@ thib@ krw@
Re: Why generate SSH keys at startup?
On 2015-03-12, John Long codeb...@inbox.lv wrote:

> > By setting PubkeyAcceptedKeyTypes accordingly in sshd_config.
>
> Thanks, I looked and looked and could not find it in the man page. It
> appears to be only in -current? Is this possible in prior versions (i.e.
> undocumented but works) or is it totally new?

Unfortunately, it is quite new.  It was added ... *checks CVS history*
... eight weeks ago.

-- 
Christian "naddy" Weisgerber                          na...@mips.inka.de
Re: Why generate SSH keys at startup?
On 03/10/15 15:50, John Long wrote:
> Hi,
>
> What's the reason for generating all the various SSH key types every
> startup? Given the source of all the new elliptical crypto I don't want
> to use it so I changed the cipher list in sshd_config. But /etc/rc
> appears to generate all missing key types every startup.
>
> What problems do I cause by commenting out the ssh-keygen?

The reason for generating keys at first boot is because they are supported
and thus needed to exist.  The reason for regenerating missing keys, if a
key isn't generated properly (i.e., someone wondered why their slow machine
was "hung" and hit CTRL-C), is to restore expected functionality.

As for your last question, if you have to ask, just don't, as you will be
clueless to fix the problems YOU created in the future when something
doesn't go as you expect it to go.  I'm not going to speculate on what
future operation might break due to your fiddling with knobs, but I will
remind you that I assume your REAL goal isn't to get something up and
running, but rather to set up a long-time tool.

As for the general premise of thinking you know more than the OpenSSH
developers...I just have memories of certain Debian devs who thought the
same thing once ... Crypto is hard, have some trust in the professionals,
or you will probably create far bigger security problems.

Nick.
Re: Why generate SSH keys at startup?
On 2015-03-10, John Long codeb...@inbox.lv wrote:

> What's the reason for generating all the various SSH key types every
> startup?

The idea is to generate keys (1) the very first time the machine boots and
(2) when a new algorithm is added.

> Given the source of all the new elliptical crypto I don't want to use it
> so I changed the cipher list in sshd_config.

For starters, Ed25519 is elliptical curve crypto, but not from the NSA.
And regarding ECDSA, there's an argument to be made that it's a far better
choice than RSA (and DSA).

> But /etc/rc appears to generate all missing key types every startup.

Only if you delete them!

You can simply configure HostKey in /etc/ssh/sshd_config.  As soon as
you set it to any value, the complete defaults are gone.  For instance,
if there are no further HostKey statements,

  HostKey /etc/ssh/ssh_host_ed25519_key

will make the server only load that Ed25519 key.  No ECDSA, RSA, or DSA.
Try it.

> What problems do I cause by commenting out the ssh-keygen?

Well, you would be making a change you obviously don't understand.

-- 
Christian "naddy" Weisgerber                          na...@mips.inka.de
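Christian's rule that the first explicit HostKey line discards the whole built-in default list is easy to misjudge by eye, and it is also the answer to the original /etc/rc question: keys that sshd_config does not name stay on disk but are never loaded, and ssh-keygen -A only recreates default-named files that are missing. The script below is an added example, not code from this thread or from OpenSSH, that reads an sshd_config and reports which host key files would be loaded, which are configured but absent, and which sit on disk unused. The default key list (the 2015-era rsa/dsa/ecdsa/ed25519 set implied by the thread), the by-basename directory matching and the function names are the example's assumptions; on a live host, `sshd -T` is the authoritative answer.

```shell
#!/bin/sh
# Added example, not from the thread or OpenSSH: compute the host keys
# sshd would load from a given sshd_config and compare them with the
# key files actually present.

# Assumed 2015-era default list; verify against sshd_config(5) of the
# version you run.
DEFAULT_HOSTKEYS='/etc/ssh/ssh_host_rsa_key
/etc/ssh/ssh_host_dsa_key
/etc/ssh/ssh_host_ecdsa_key
/etc/ssh/ssh_host_ed25519_key'

# effective_hostkeys < sshd_config: print one key path per line.
# Any HostKey line replaces the defaults; the defaults apply only when no
# HostKey line exists. Keywords are case-insensitive and "#" starts a
# comment. The "HostKey=path" spelling and Match blocks are not handled
# by this toy parser.
effective_hostkeys() {
    _found=
    while IFS= read -r _line || [ -n "$_line" ]; do
        set -- $_line                       # "HostKey /path" -> $1 $2
        [ $# -ge 2 ] || continue
        case "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" in
            hostkey) printf '%s\n' "$2"; _found=1 ;;
        esac
    done
    [ -n "$_found" ] || printf '%s\n' "$DEFAULT_HOSTKEYS"
}

# audit_hostkeys KEYDIR < sshd_config: compare the effective list with the
# ssh_host_*_key files in KEYDIR (matched by basename so the example can
# run against a scratch directory).
#   loaded  - configured and present
#   MISSING - configured but absent; sshd logs an error and continues, and
#             only default-named files would be recreated by ssh-keygen -A
#   unused  - present on disk but never referenced by the configuration
audit_hostkeys() {
    _dir=$1
    _eff=$(effective_hostkeys)              # reads the config from stdin
    for _k in $_eff; do
        _b=${_k##*/}
        if [ -f "$_dir/$_b" ]; then
            printf 'loaded %s\n' "$_b"
        else
            printf 'MISSING %s\n' "$_b"
        fi
    done
    for _f in "$_dir"/ssh_host_*_key; do
        [ -f "$_f" ] || continue            # no match leaves the glob literal
        _b=${_f##*/}; _in=
        for _k in $_eff; do
            if [ "${_k##*/}" = "$_b" ]; then _in=1; fi
        done
        [ -n "$_in" ] || printf 'unused %s\n' "$_b"
    done
}

# Stand-alone run against the live system when the config is readable;
# cross-check with "sshd -T | grep -i '^hostkey'", which prints the list
# sshd itself computes for the version installed.
if [ -r /etc/ssh/sshd_config ]; then
    audit_hostkeys /etc/ssh < /etc/ssh/sshd_config
fi
```

With a config containing only `HostKey /etc/ssh/ssh_host_ed25519_key`, a stock /etc/ssh directory reports one `loaded` line and three `unused` ones, which is the state Christian describes: the other key files exist, /etc/rc leaves them alone because they are not missing, and sshd never offers them.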
Re: Why generate SSH keys at startup?
On 2015-03-11, Nick Holland n...@holland-consulting.net wrote:

> As for the general premise of thinking you know more than the OpenSSH
> developers...I just have memories of certain Debian devs who thought the
> same thing once ... Crypto is hard, have some trust in the professionals,
> or you will probably create far bigger security problems.

Better let the authorities handle our crypto then, like the good
professionals from the NSA and FBI.

Crypto is hard, why would you trust some people you met on the Internet
to get this right?

-- 
Christian "naddy" Weisgerber                          na...@mips.inka.de
Why generate SSH keys at startup?
Hi,

What's the reason for generating all the various SSH key types every
startup? Given the source of all the new elliptical crypto I don't want to
use it so I changed the cipher list in sshd_config. But /etc/rc appears to
generate all missing key types every startup.

What problems do I cause by commenting out the ssh-keygen?

Thanks,

/jl
Re: Why generate SSH keys at startup?
On 03/11/15 18:59, Christian Weisgerber wrote:
> On 2015-03-11, Nick Holland n...@holland-consulting.net wrote:
>
> > As for the general premise of thinking you know more than the OpenSSH
> > developers...I just have memories of certain Debian devs who thought
> > the same thing once ... Crypto is hard, have some trust in the
> > professionals, or you will probably create far bigger security
> > problems.
>
> Better let the authorities handle our crypto then, like the good
> professionals from the NSA and FBI.
>
> Crypto is hard, why would you trust some people you met on the Internet
> to get this right?

Sorry, that was an improper use of the word "professional" (one who derives
income from his work, as opposed to volunteer work) on my part.

Let's try this again...

Crypto is hard.  Have some trust in the people who actually understand it
and have put together the rest of the OS you trust.

Nick.