Module Name: src
Committed By: riastradh
Date: Sat May 26 19:18:11 UTC 2018
Modified Files:
src/etc/rc.d: sshd
Log Message:
Revert previous: Don't generate XMSS host keys for sshd by default.
XMSS is a stateful post-quantum signature scheme.
- Post-quantum security for _online_ authentication is not important
until quantum computers become practical; there's no danger of
retroactive forgery in sessions that have already completed.
- As a stateful signature schemes, XMSS is qualitatively different
from all the other ones sshd supports, requiring additional
administrative care: roll back the state (e.g., from a disk backup
or VM snapshot), and you've shot yourself in the foot.
If users want XMSS keys, they can make them explicitly, but there's
no need for this to be enabled by default.
Discussed with christos offline.
To generate a diff of this commit:
cvs rdiff -u -r1.28 -r1.29 src/etc/rc.d/sshd
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
Modified files:
Index: src/etc/rc.d/sshd
diff -u src/etc/rc.d/sshd:1.28 src/etc/rc.d/sshd:1.29
--- src/etc/rc.d/sshd:1.28 Sat May 26 00:17:54 2018
+++ src/etc/rc.d/sshd Sat May 26 19:18:11 2018
@@ -1,6 +1,6 @@
#!/bin/sh
#
-# $NetBSD: sshd,v 1.28 2018/05/26 00:17:54 jmcneill Exp $
+# $NetBSD: sshd,v 1.29 2018/05/26 19:18:11 riastradh Exp $
#
# PROVIDE: sshd
@@ -37,7 +37,6 @@ dsa 1024 ssh_host_dsa_key 2 DSA
ecdsa 521 ssh_host_ecdsa_key 1 ECDSA
ed25519 -1 ssh_host_ed25519_key 1 ED25519
rsa 0 ssh_host_rsa_key 2 RSA
-xmss 0 ssh_host_xmss_key 1 XMSS
_EOF
)
}
