tech-security archive


Re: default sshd host keys



On Tue, 4 Sep 2012 07:48:41 +0100
David Laight <david%l8s.co.uk@localhost> wrote:

> On Mon, Sep 03, 2012 at 10:32:32PM +0000, Taylor R Campbell wrote:
> > (I am not subscribed to these lists, so please cc me in replies.)
> > 
> > If you enable sshd on stock NetBSD 6.0_RC1, then by default on boot
> > you will get an RSA host key with a 1024-bit modulus, a DSA host key
> > with 1024/160-bit parameters, and an ECDSA host key from the nistp521
> > curve.  All this is decided by the defaults specified in
> > /etc/rc.d/sshd and /etc/defaults/rc.conf.
> 
> I'd guess that hoping for that much 'entropy' just after boot is rather
> wishful thinking.
> Delaying the generation of the keys to a later time would give a
> better chance of them being actually random.

I think this could be a problem at first boot, but netbsd-6 also seems
to now have /etc/rc.d/random_seed.  However this might be disabled by
default, because I seem to lack /var/db/entropy-file on a local
netbsd-6 system here (and no mention of it in rc.conf(5))...

Thanks,
-- 
Matt
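
The defaults quoted above (1024-bit RSA, 1024/160-bit DSA, nistp521 ECDSA) can be checked on a running host by parsing the generated public keys directly. The following is an added example, not code from the thread or from NetBSD: it decodes the OpenSSH public-key wire format (the base64 blob of a `*.pub` line, normally found under /etc/ssh/ssh_host_*_key.pub) and reports each key's type and size against an assumed minimum-size policy (`MIN_BITS`, my own choice, not something the thread states). The sample keys are constructed in the code with the right bit lengths and are not real keys.

```python
import base64
import struct

# Assumed audit policy (not from the thread): flag RSA/DSA below 2048 bits, ECDSA below 256.
MIN_BITS = {"ssh-rsa": 2048, "ssh-dss": 2048, "ecdsa": 256}

def _ssh_string(b):
    """Encode bytes as an SSH 'string': 4-byte big-endian length followed by the data."""
    return struct.pack(">I", len(b)) + b

def _mpint(x):
    """Encode a non-negative int as an SSH mpint (a leading 0x00 byte keeps it positive)."""
    return x.to_bytes((x.bit_length() + 8) // 8, "big")

def _read_string(blob, off):
    (n,) = struct.unpack(">I", blob[off:off + 4])
    return blob[off + 4:off + 4 + n], off + 4 + n

def key_strength(pubkey_line):
    """Return (key type, bits) for one *.pub line: 'type base64-blob [comment]'."""
    blob = base64.b64decode(pubkey_line.split()[1])
    ktype, off = _read_string(blob, 0)
    ktype = ktype.decode()
    if ktype == "ssh-rsa":
        _e, off = _read_string(blob, off)        # public exponent
        n, _ = _read_string(blob, off)           # modulus; its bit length is the key size
        return ktype, int.from_bytes(n, "big").bit_length()
    if ktype == "ssh-dss":
        p, _ = _read_string(blob, off)           # prime p (q, g and y follow it)
        return ktype, int.from_bytes(p, "big").bit_length()
    if ktype.startswith("ecdsa-sha2-nistp"):
        curve, _ = _read_string(blob, off)       # e.g. b"nistp521": field size in bits
        return ktype, int(curve[5:].decode())
    raise ValueError("unsupported key type: " + ktype)

def is_weak(pubkey_line):
    ktype, bits = key_strength(pubkey_line)
    return bits < MIN_BITS["ecdsa" if ktype.startswith("ecdsa") else ktype]

def _pubkey_line(ktype, *fields):
    """Build a constructed *.pub line from already-encoded fields (sample data only)."""
    blob = _ssh_string(ktype) + b"".join(_ssh_string(f) for f in fields)
    return ktype.decode() + " " + base64.b64encode(blob).decode() + " constructed-sample"

# Constructed samples with the bit lengths of the NetBSD 6.0_RC1 defaults quoted above;
# the integers are placeholders with the right size, not real key material.
SAMPLE_RSA_1024 = _pubkey_line(b"ssh-rsa", _mpint(65537), _mpint((1 << 1023) | 1))
SAMPLE_DSA_1024 = _pubkey_line(b"ssh-dss", _mpint((1 << 1023) | 1), _mpint((1 << 159) | 1), _mpint(2), _mpint(2))
SAMPLE_ECDSA_521 = _pubkey_line(b"ecdsa-sha2-nistp521", b"nistp521", b"\x04" + b"\x01" * 132)
```

Under the assumed policy the two 1024-bit defaults are reported as weak and the nistp521 key passes; the key sizes themselves come straight from the blob, so the check does not depend on ssh-keygen being installed.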

