* [ptxdist] OpenSSH patches
From: Clemens Gruber @ 2015-07-07 8:52 UTC (permalink / raw)
To: m.olbrich; +Cc: ptxdist
Hi Michael,
what do you think about my recent OpenSSH patches (not the version bumps), i.e.
enabling the sandbox by default (to use seccomp if available) and the switch
from DSA to Ed25519? ArchLinux and current Debian both generate Ed25519 pubkeys
by default and add them as HostKey to sshd_config.
They keep DSA and ECDSA but as they fall apart completely if the random numbers
used are not good, I am not sure this is a good idea for embedded systems where
entropy is often very scarce. Ed25519 is not that sensitive to entropy problems.
Regards,
Clemens
--
ptxdist mailing list
ptxdist@pengutronix.de
* Re: [ptxdist] OpenSSH patches
From: Bruno Thomsen @ 2015-07-07 9:13 UTC (permalink / raw)
To: ptxdist
Hey Clemens,
> what do you think about my recent OpenSSH patches (not the version bumps) but enabling the sandbox per default (to use seccomp if available) and the switch from DSA to Ed25519. ArchLinux and current Debian both generate Ed25519 pubkeys by default and add them as HostKey to sshd_config.
> They keep DSA and ECDSA but as they fall apart completely if the random numbers used are not good, I am not sure this is a good idea for embedded systems where entropy is often very scarce. Ed25519 is not that sensitive to entropy problems.
I agree, when possible we should use ed25519. Adam Langley blog entry[1].
/Bruno
[1] https://www.imperialviolet.org/2013/06/15/suddendeathentropy.html
* Re: [ptxdist] OpenSSH patches
From: Clemens Gruber @ 2015-07-07 9:35 UTC (permalink / raw)
To: ptxdist
Hi Bruno,
On Tue, Jul 07, 2015 at 09:13:09AM +0000, Bruno Thomsen wrote:
> I agree, when possible we should use ed25519. Adam Langley blog entry[1].
>
> /Bruno
>
> [1] https://www.imperialviolet.org/2013/06/15/suddendeathentropy.html
That's a great blog article! Thanks.
Can you think of any drawbacks to removing DSA? I think RSA was used in OpenSSH
before DSA, so even very old clients should be happy with RSA and the newer
clients can check against the Ed25519 host key.
Regards,
Clemens
* Re: [ptxdist] OpenSSH patches
From: Michael Olbrich @ 2015-07-14 10:03 UTC (permalink / raw)
To: ptxdist
On Tue, Jul 07, 2015 at 10:52:52AM +0200, Clemens Gruber wrote:
> what do you think about my recent OpenSSH patches (not the version bumps) but
> enabling the sandbox per default (to use seccomp if available) and the switch
> from DSA to Ed25519. ArchLinux and current Debian both generate Ed25519 pubkeys
> by default and add them as HostKey to sshd_config.
> They keep DSA and ECDSA but as they fall apart completely if the random numbers
> used are not good, I am not sure this is a good idea for embedded systems where
> entropy is often very scarce. Ed25519 is not that sensitive to entropy problems.
I looked at what Debian is doing, and I liked it: Basically, the postinst
script checks the sshd_config and generates the needed keys. I think we can
do the same in the ssh rc-once script.
Then we can choose more restrictive defaults. Then those that need other
keys just need to overwrite sshd_config in the BSP.
Michael
--
Pengutronix e.K. | |
Industrial Linux Solutions | http://www.pengutronix.de/ |
Peiner Str. 6-8, 31137 Hildesheim, Germany | Phone: +49-5121-206917-0 |
Amtsgericht Hildesheim, HRA 2686 | Fax: +49-5121-206917-5555 |
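The check Michael describes, as an added shell example that is neither the ptxdist rc.once.d script nor Debian's postinst: it reads the HostKey directives from sshd_config and generates only the key files that are missing, so a BSP that overrides sshd_config with a different key set gets exactly those keys. The config path, the KEYGEN override and the file-name-to-type mapping are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not project code. Generate the host keys named in
# sshd_config that do not exist yet (the Debian postinst approach from the
# thread). Paths and the KEYGEN override are assumptions for this example.
SSHD_CONFIG="${SSHD_CONFIG:-/etc/ssh/sshd_config}"
KEYGEN="${KEYGEN:-ssh-keygen}"   # overridable so the logic can be tested

# Print the file path of every active HostKey directive. Commented-out
# directives are skipped; if none are configured, nothing is printed and
# sshd falls back to its compiled-in default key list.
configured_hostkeys() {
    sed -n 's/^[[:space:]]*HostKey[[:space:]]\{1,\}\([^[:space:]#]*\).*/\1/p' "$1"
}

# Map the conventional file name ssh_host_<type>_key to a ssh-keygen type.
# Unknown names fail instead of guessing. With the thread's hardened
# default config only the ed25519 and rsa entries should ever be hit.
hostkey_type() {
    case "$(basename "$1")" in
        ssh_host_ed25519_key) echo ed25519 ;;
        ssh_host_rsa_key)     echo rsa ;;
        ssh_host_ecdsa_key)   echo ecdsa ;;
        ssh_host_dsa_key)     echo dsa ;;
        *) return 1 ;;
    esac
}

# Print the configured host keys whose private key file is missing.
missing_hostkeys() {
    configured_hostkeys "$1" | while IFS= read -r key; do
        [ -f "$key" ] || echo "$key"
    done
}

# Generate each missing key with an empty passphrase (host keys are
# unattended). Unknown names are reported and left alone so that a typo
# in sshd_config never silently produces a key of the wrong type.
generate_missing_hostkeys() {
    missing_hostkeys "$1" | while IFS= read -r key; do
        type=$(hostkey_type "$key") || { echo "skipping unknown key name: $key" >&2; continue; }
        mkdir -p "$(dirname "$key")"
        "$KEYGEN" -q -t "$type" -N "" -f "$key" || echo "failed to generate $key" >&2
    done
}
```

From an rc-once script, call generate_missing_hostkeys "$SSHD_CONFIG" once on first boot; it is idempotent, so rerunning it after a BSP changes sshd_config only adds keys that are newly referenced.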
* Re: [ptxdist] OpenSSH patches
From: Clemens Gruber @ 2015-07-29 20:05 UTC (permalink / raw)
To: ptxdist; +Cc: Michael Olbrich
On Tue, Jul 14, 2015 at 12:03:47PM +0200, Michael Olbrich wrote:
> On Tue, Jul 07, 2015 at 10:52:52AM +0200, Clemens Gruber wrote:
> > what do you think about my recent OpenSSH patches (not the version bumps) but
> > enabling the sandbox per default (to use seccomp if available) and the switch
> > from DSA to Ed25519. ArchLinux and current Debian both generate Ed25519 pubkeys
> > by default and add them as HostKey to sshd_config.
> > They keep DSA and ECDSA but as they fall apart completely if the random numbers
> > used are not good, I am not sure this is a good idea for embedded systems where
> > entropy is often very scarce. Ed25519 is not that sensitive to entropy problems.
>
> I looked at what Debian is doing, and I liked it: Basically, the postinst
> script checks the sshd_config and generates the needed keys. I think we can
> do the same in the ssh rc-once script.
> Then we can choose more restrictive defaults. Then those that need other
> keys just need to overwrite sshd_config in the BSP.
>
> Michael
Hi Michael,
what do you think about my recent patch (openssh: improve rc.once.d script and
harden sshd_config) from July 17th? I tried to follow what Debian is doing for
key generation and I also hardened the default config.
Regards,
Clemens