tech-security archive
Re: default sshd host keys
On Tue, 4 Sep 2012 07:48:41 +0100
David Laight <david%l8s.co.uk@localhost> wrote:
> On Mon, Sep 03, 2012 at 10:32:32PM +0000, Taylor R Campbell wrote:
> > (I am not subscribed to these lists, so please cc me in replies.)
> >
> > If you enable sshd on stock NetBSD 6.0_RC1, then by default on boot
> > you will get an RSA host key with a 1024-bit modulus, a DSA host key
> > with 1024/160-bit parameters, and an ECDSA host key from the nistp521
> > curve. All this is decided by the defaults specified in
> > /etc/rc.d/sshd and /etc/defaults/rc.conf.
>
> I'd guess that hoping for that much 'entropy' just after boot is rather
> wishful thinking.
> Delaying the generation of the keys to a later time would give a
> better chance of them being actually random.
I think this could be a problem at first boot, but netbsd-6 also seems
to now have /etc/rc.d/random_seed. However, this might be disabled by
default, because I seem to lack /var/db/entropy-file on a local
netbsd-6 system here (and no mention of it in rc.conf(5))...
Thanks,
--
Matt
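An added audit script for the host-key defaults discussed in this thread (example code, not from any poster or from the NetBSD rc scripts). It parses the `bits fingerprint comment (TYPE)` lines that `ssh-keygen -l -f` prints and flags keys at the 1024-bit RSA/DSA sizes the thread describes; the minimum sizes and the constructed sample lines are this example's assumptions.

```sh
#!/bin/sh
# Added example: audit sshd host keys against the boot-time defaults
# named in the thread (1024-bit RSA, 1024/160-bit DSA, nistp521 ECDSA).
# Thresholds are assumptions for this example: RSA >= 2048, ECDSA >= 256,
# DSA always flagged because the ssh DSA key size is fixed at 1024 bits.

# audit_host_keys reads `ssh-keygen -l` style lines on stdin and prints
# one "WEAK|OK|UNKNOWN <type> <bits>" verdict per key.
audit_host_keys() {
    while read -r bits fp rest; do
        if [ -z "$bits" ]; then continue; fi
        type=${rest##*(}          # text after the last "("
        type=${type%)}            # drop the trailing ")"
        case "$type" in
            RSA)   if [ "$bits" -ge 2048 ]; then v=OK; else v=WEAK; fi ;;
            DSA)   v=WEAK ;;
            ECDSA) if [ "$bits" -ge 256 ];  then v=OK; else v=WEAK; fi ;;
            *)     v=UNKNOWN ;;
        esac
        printf '%s %s %s\n' "$v" "$type" "$bits"
    done
}

# audit_installed_keys runs the check over the public host keys actually
# present in /etc/ssh on the machine it is invoked on (needs ssh-keygen).
audit_installed_keys() {
    for k in /etc/ssh/ssh_host_*_key.pub; do
        if [ -f "$k" ]; then ssh-keygen -l -f "$k"; fi
    done | audit_host_keys
}

# Constructed sample: what a stock netbsd-6 boot per the thread would yield.
SAMPLE='1024 SHA256:AAAA root@host (RSA)
1024 SHA256:BBBB root@host (DSA)
521 SHA256:CCCC root@host (ECDSA)'
```

Run `printf '%s\n' "$SAMPLE" | audit_host_keys` to see the verdicts for the constructed sample, or `audit_installed_keys` on a live host.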