* [ptxdist] OpenSSH patches
@ 2015-07-07 8:52 Clemens Gruber
2015-07-07 9:13 ` Bruno Thomsen
2015-07-14 10:03 ` Michael Olbrich
0 siblings, 2 replies; 5+ messages in thread
From: Clemens Gruber @ 2015-07-07 8:52 UTC (permalink / raw)
To: m.olbrich; +Cc: ptxdist
Hi Michael,
what do you think about my recent OpenSSH patches (not the version bumps) but
enabling the sandbox per default (to use seccomp if available) and the switch
from DSA to Ed25519. ArchLinux and current Debian both generate Ed25519 pubkeys
by default and add them as HostKey to sshd_config.
They keep DSA and ECDSA but as they fall apart completely if the random numbers
used are not good, I am not sure this is a good idea for embedded systems where
entropy is often very scarce. Ed25519 is not that sensitive to entropy problems.
Regards,
Clemens
--
ptxdist mailing list
ptxdist@pengutronix.de
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [ptxdist] OpenSSH patches
2015-07-07 8:52 [ptxdist] OpenSSH patches Clemens Gruber
@ 2015-07-07 9:13 ` Bruno Thomsen
2015-07-07 9:35 ` Clemens Gruber
2015-07-14 10:03 ` Michael Olbrich
1 sibling, 1 reply; 5+ messages in thread
From: Bruno Thomsen @ 2015-07-07 9:13 UTC (permalink / raw)
To: ptxdist
Hey Clemens,
> what do you think about my recent OpenSSH patches (not the version bumps) but enabling the sandbox per default (to use seccomp if available) and the switch from DSA to Ed25519. ArchLinux and current Debian both generate Ed25519 pubkeys by default and add them as HostKey to sshd_config.
> They keep DSA and ECDSA but as they fall apart completely if the random numbers used are not good, I am not sure this is a good idea for embedded systems where entropy is often very scarce. Ed25519 is not that sensitive to entropy problems.
I agree, when possible we should use ed25519. Adam Langley blog entry[1].
/Bruno
[1] https://www.imperialviolet.org/2013/06/15/suddendeathentropy.html
--
ptxdist mailing list
ptxdist@pengutronix.de
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [ptxdist] OpenSSH patches
2015-07-07 8:52 [ptxdist] OpenSSH patches Clemens Gruber
2015-07-07 9:13 ` Bruno Thomsen
@ 2015-07-14 10:03 ` Michael Olbrich
2015-07-29 20:05 ` Clemens Gruber
1 sibling, 1 reply; 5+ messages in thread
From: Michael Olbrich @ 2015-07-14 10:03 UTC (permalink / raw)
To: ptxdist
On Tue, Jul 07, 2015 at 10:52:52AM +0200, Clemens Gruber wrote:
> what do you think about my recent OpenSSH patches (not the version bumps) but
> enabling the sandbox per default (to use seccomp if available) and the switch
> from DSA to Ed25519. ArchLinux and current Debian both generate Ed25519 pubkeys
> by default and add them as HostKey to sshd_config.
> They keep DSA and ECDSA but as they fall apart completely if the random numbers
> used are not good, I am not sure this is a good idea for embedded systems where
> entropy is often very scarce. Ed25519 is not that sensitive to entropy problems.
I looked at what Debian is doing, and I liked it: Basically, the postinst
script checks the sshd_config and generated the needed keys. I think we can
do the same in the ssh rc-once script.
Then we can choose more restrictive defaults. Then those that need other
keys just need to overwrite sshd_config in the BSP.
Michael
--
Pengutronix e.K. | |
Industrial Linux Solutions | http://www.pengutronix.de/ |
Peiner Str. 6-8, 31137 Hildesheim, Germany | Phone: +49-5121-206917-0 |
Amtsgericht Hildesheim, HRA 2686 | Fax: +49-5121-206917-5555 |
--
ptxdist mailing list
ptxdist@pengutronix.de
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [ptxdist] OpenSSH patches
2015-07-14 10:03 ` Michael Olbrich
@ 2015-07-29 20:05 ` Clemens Gruber
0 siblings, 0 replies; 5+ messages in thread
From: Clemens Gruber @ 2015-07-29 20:05 UTC (permalink / raw)
To: ptxdist; +Cc: Michael Olbrich
On Tue, Jul 14, 2015 at 12:03:47PM +0200, Michael Olbrich wrote:
> On Tue, Jul 07, 2015 at 10:52:52AM +0200, Clemens Gruber wrote:
> > what do you think about my recent OpenSSH patches (not the version bumps) but
> > enabling the sandbox per default (to use seccomp if available) and the switch
> > from DSA to Ed25519. ArchLinux and current Debian both generate Ed25519 pubkeys
> > by default and add them as HostKey to sshd_config.
> > They keep DSA and ECDSA but as they fall apart completely if the random numbers
> > used are not good, I am not sure this is a good idea for embedded systems where
> > entropy is often very scarce. Ed25519 is not that sensitive to entropy problems.
>
> I looked at what Debian is doing, and I liked it: Basically, the postinst
> script checks the sshd_config and generated the needed keys. I think we can
> do the same in the ssh rc-once script.
> Then we can choose more restrictive defaults. Then those that need other
> keys just need to overwrite sshd_config in the BSP.
>
> Michael
Hi Michael,
what do you think about my recent patch (openssh: improve rc.once.d script and
harden sshd_config) from July 17th? I tried to follow what Debian is doing for
key generation and I also hardened the default config.
Regards,
Clemens
--
ptxdist mailing list
ptxdist@pengutronix.de
^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2015-07-29 20:05 UTC | newest]
Thread overview: 5+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2015-07-07 8:52 [ptxdist] OpenSSH patches Clemens Gruber
2015-07-07 9:13 ` Bruno Thomsen
2015-07-07 9:35 ` Clemens Gruber
2015-07-14 10:03 ` Michael Olbrich
2015-07-29 20:05 ` Clemens Gruber
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox