* [ptxdist] [PATCH v2 1/3] openssh: replace dsa with ed25519 host keys
@ 2015-06-20 14:07 Clemens Gruber
0 siblings, 0 replies; only message in thread
From: Clemens Gruber @ 2015-06-20 14:07 UTC (permalink / raw)
To: ptxdist; +Cc: Clemens Gruber
Changes from v1:
- Rebased after generic -> projectroot rename
- Better explanation in commit message
It is very likely that weak DSA keys are created on embedded
systems due to entropy problems.
I suggest replacing DSA with Ed25519 as second host signature scheme.
Ed25519 performs better, is not as vulnerable to weak random numbers
and the keys can be much smaller, e.g. 256-bit public keys.
DSA and ECDSA fall completely apart when the system has a bad random
number generator, Ed25519 does not.
It is also one of the few elliptic curve cryptography schemes without
magical parameters from NIST or NSA.
Security of 256-bit Ed25519 keys is comparable to 3000-bit RSA keys
and it is immune to most known side-channel / timing attacks.
As the RSA host key is still generated by default, I do not expect
backwards compatibility issues.
It leads to noticeably better performance and higher security, because
the default size of RSA keys is 2048-bit and only 1024-bit for DSA,
whereas Ed25519 is as secure as a 3000-bit RSA key.
For more details, here is the paper:
http://ed25519.cr.yp.to/ed25519-20110926.pdf
Signed-off-by: Clemens Gruber <clemens.gruber@pqgruber.com>
---
projectroot/etc/rc.once.d/openssh | 8 ++++----
projectroot/etc/ssh/sshd_config | 2 +-
2 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/projectroot/etc/rc.once.d/openssh b/projectroot/etc/rc.once.d/openssh
index 83e6e37..0a63433 100644
--- a/projectroot/etc/rc.once.d/openssh
+++ b/projectroot/etc/rc.once.d/openssh
@@ -3,12 +3,12 @@
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
OPENSSH_RSAKEY_DEFAULT="/etc/ssh/ssh_host_rsa_key"
-OPENSSH_DSAKEY_DEFAULT="/etc/ssh/ssh_host_dsa_key"
+OPENSSH_ED25519KEY_DEFAULT="/etc/ssh/ssh_host_ed25519_key"
test -n "$OPENSSH_RSAKEY" || \
OPENSSH_RSAKEY=$OPENSSH_RSAKEY_DEFAULT
-test -n "$OPENSSH_DSAKEY" || \
- OPENSSH_DSAKEY=$OPENSSH_DSAKEY_DEFAULT
+test -n "$OPENSSH_ED25519KEY" || \
+ OPENSSH_ED25519KEY=$OPENSSH_ED25519KEY_DEFAULT
gen_key() {
@@ -29,5 +29,5 @@ gen_key() {
}
gen_key rsa "$OPENSSH_RSAKEY"
-gen_key dsa "$OPENSSH_DSAKEY"
+gen_key ed25519 "$OPENSSH_ED25519KEY"
diff --git a/projectroot/etc/ssh/sshd_config b/projectroot/etc/ssh/sshd_config
index 7cd7897..f529fc4 100644
--- a/projectroot/etc/ssh/sshd_config
+++ b/projectroot/etc/ssh/sshd_config
@@ -20,7 +20,7 @@ Protocol 2
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
-HostKey /etc/ssh/ssh_host_dsa_key
+HostKey /etc/ssh/ssh_host_ed25519_key
# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
--
2.4.4
--
ptxdist mailing list
ptxdist@pengutronix.de
^ permalink raw reply [flat|nested] only message in thread
only message in thread, other threads:[~2015-06-20 14:08 UTC | newest]
Thread overview: (only message) (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2015-06-20 14:07 [ptxdist] [PATCH v2 1/3] openssh: replace dsa with ed25519 host keys Clemens Gruber
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox