From patchwork Fri Sep 20 14:20:18 2024
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-Patchwork-Submitter: =?utf-8?q?Peter_M=C3=BCller?=
X-Patchwork-Id: 8136
Return-Path:
Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1) client-signature RSA-PSS (4096 bits)) (Client CN "mail01.haj.ipfire.org", Issuer "R10" (verified OK)) by web04.haj.ipfire.org (Postfix) with ESMTPS id 4X9F0k1dBbz3wxp for ; Fri, 20 Sep 2024 14:20:38 +0000 (UTC)
Received: from mail02.haj.ipfire.org (mail02.haj.ipfire.org [172.28.1.201]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) client-signature ECDSA (secp384r1)) (Client CN "mail02.haj.ipfire.org", Issuer "E6" (verified OK)) by mail01.ipfire.org (Postfix) with ESMTPS id 4X9F0c6lSfz60t; Fri, 20 Sep 2024 14:20:32 +0000 (UTC)
Received: from mail02.haj.ipfire.org (localhost [127.0.0.1]) by mail02.haj.ipfire.org (Postfix) with ESMTP id 4X9F0c4Jvdz345d; Fri, 20 Sep 2024 14:20:32 +0000 (UTC)
Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1) client-signature RSA-PSS (4096 bits)) (Client CN "mail01.haj.ipfire.org", Issuer "R10" (verified OK)) by mail02.haj.ipfire.org (Postfix) with ESMTPS id 4X9F0Y3QQvz33gx for ; Fri, 20 Sep 2024 14:20:29 +0000 (UTC)
Received: from people01.haj.ipfire.org (people01.haj.ipfire.org [172.28.1.161]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature ECDSA (secp384r1) client-digest SHA384) (Client CN "people01.haj.ipfire.org", Issuer "E5" (verified OK)) by mail01.ipfire.org (Postfix) with ESMTPS id 4X9F0W52ZDz2MC; Fri,
20 Sep 2024 14:20:27 +0000 (UTC) Received: by people01.haj.ipfire.org (Postfix, from userid 1078) id 4X9F0S74wtz2xg8; Fri, 20 Sep 2024 14:20:24 +0000 (UTC) From: =?utf-8?q?Peter_M=C3=BCller?= To: development@lists.ipfire.org Subject: [PATCH 1/5] sshd: Do not generate new RSA host key on first boot Date: Fri, 20 Sep 2024 14:20:18 +0000 Message-Id: <20240920142022.589371-1-peter.mueller@ipfire.org> X-Mailer: git-send-email 2.39.5 MIME-Version: 1.0 Message-ID-Hash: 7JAKTVKQ2WNP4BTRLF6EIZDUOGFK3WCU X-Message-ID-Hash: 7JAKTVKQ2WNP4BTRLF6EIZDUOGFK3WCU X-MailFrom: pmueller@people01.haj.ipfire.org X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header CC: =?utf-8?q?Peter_M=C3=BCller?= X-Mailman-Version: 3.3.8 Precedence: list List-Id: IPFire development talk Archived-At: List-Archive: List-Help: List-Owner: List-Post: List-Subscribe: List-Unsubscribe: This patch will also ensure the maximum supported key length is used for ECDSA. Existing installations will remain unaffected. Note that the key size for ED25519 is fixed, and explicitly setting it to 521 bytes will not have any impact. Signed-off-by: Peter Müller --- src/initscripts/system/sshd | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/src/initscripts/system/sshd b/src/initscripts/system/sshd index fa40bc11d..e5a9931af 100644 --- a/src/initscripts/system/sshd +++ b/src/initscripts/system/sshd @@ -2,7 +2,7 @@ ############################################################################### # # # IPFire.org - A linux based firewall # -# Copyright (C) 2007-2022 IPFire Team # +# Copyright (C) 2007-2024 IPFire Team # # # # This program is free software: you can redistribute it and/or modify # # it under the terms of the GNU General Public License as published by # 
@@ -24,14 +24,14 @@ case "$1" in start) - for algo in rsa ecdsa ed25519; do + for algo in ecdsa ed25519; do keyfile="/etc/ssh/ssh_host_${algo}_key" # If the key already exists, there is nothing to do. [ -e "${keyfile}" ] && continue boot_mesg "Generating SSH key (${algo})..." - ssh-keygen -qf "${keyfile}" -N '' -t ${algo} + ssh-keygen -qf "${keyfile}" -N '' -b 521 -t ${algo} evaluate_retval done
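Review bot: In the second hunk, `-b 521` is now passed for every algorithm left in the loop, including ed25519, where ssh-keygen ignores `-b` because Ed25519 keys have a fixed size; it does no harm, but the flag only means something for ecdsa, so consider selecting the extra arguments per algorithm (for example `case "${algo}" in ecdsa) bits="-b 521" ;; *) bits="" ;; esac` and then `ssh-keygen -qf "${keyfile}" -N '' ${bits} -t ${algo}`) so nobody reading the script later assumes it is sizing the ed25519 key. Note also that `-b` takes a size in bits, while the commit message speaks of "521 bytes". Separately, removing rsa from the loop only stops the key file from being generated on fresh installations: if the shipped sshd_config still carries an explicit `HostKey /etc/ssh/ssh_host_rsa_key` line, sshd will complain about the missing file at every start on those systems, so the matching sshd_config change (or confirmation that no such line exists) belongs with this patch, and it is worth stating in the commit message that clients that can only verify RSA host keys will no longer be able to connect to new installations.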