tech-security archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

Re: default sshd host keys

On Tue, 4 Sep 2012 07:48:41 +0100
David Laight <> wrote:

> On Mon, Sep 03, 2012 at 10:32:32PM +0000, Taylor R Campbell wrote:
> > (I am not subscribed to these lists, so please cc me in replies.)
> > 
> > If you enable sshd on stock NetBSD 6.0_RC1, then by default on boot
> > you will get an RSA host key with a 1024-bit modulus, a DSA host key
> > with 1024/160-bit parameters, and an ECDSA host key from the nistp521
> > curve.  All this is decided by the defaults specified in
> > /etc/rc.d/sshd and /etc/defaults/rc.conf.
> I'd guess that hoping for that much 'entropy' just after boot is rather
> wishful thinking.
> Delaying the generation of the keys to a later time would give a
> better chance of them being actually random.

I think this could be a problem at first boot, but netbsd-6 also seems
to now have /etc/rc.d/random_seed.  However this might be disabled by
default, because I seem to lack /var/db/entropy-file on a local
netbsd-6 system here (and no mention of it in rc.conf(5))...


Home | Main Index | Thread Index | Old Index