This patch will also ensure the maximum supported key length is used for ECDSA. Existing installations will remain unaffected.
Note that the key size for ED25519 is fixed, and explicitly setting it to 521 bits (`-b 521` takes a bit count, not bytes) will not have any impact on that key type; only the ECDSA key is affected.
Signed-off-by: Peter Müller peter.mueller@ipfire.org --- src/initscripts/system/sshd | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/src/initscripts/system/sshd b/src/initscripts/system/sshd
index fa40bc11d..e5a9931af 100644
--- a/src/initscripts/system/sshd
+++ b/src/initscripts/system/sshd
@@ -2,7 +2,7 @@
 ###############################################################################
 # #
 # IPFire.org - A linux based firewall #
-# Copyright (C) 2007-2022 IPFire Team info@ipfire.org #
+# Copyright (C) 2007-2024 IPFire Team info@ipfire.org #
 # #
 # This program is free software: you can redistribute it and/or modify #
 # it under the terms of the GNU General Public License as published by #
@@ -24,14 +24,14 @@
case "$1" in
 start)
- for algo in rsa ecdsa ed25519; do
+ for algo in ecdsa ed25519; do
 keyfile="/etc/ssh/ssh_host_${algo}_key"
# If the key already exists, there is nothing to do.
 [ -e "${keyfile}" ] && continue
boot_mesg "Generating SSH key (${algo})..."
- ssh-keygen -qf "${keyfile}" -N '' -t ${algo}
+ ssh-keygen -qf "${keyfile}" -N '' -b 521 -t ${algo}
 evaluate_retval
 done
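Review bot: The new `-b 521` on the ssh-keygen line runs for both loop iterations but only changes the ECDSA key (ed25519 ignores it, as the commit message says), and because of the `[ -e "${keyfile}" ]` guard above it, an ECDSA key that already exists on an upgraded system keeps its old, smaller size; neither fact is visible from the code. A comment above the loop would spare the next reader a trip to the commit log: `# -b 521 selects nistp521 for ecdsa; ed25519 has a fixed size and ignores -b. Existing keys are never regenerated, so upgraded systems may keep a smaller ECDSA key.` While here, `${algo}` should be quoted (`-t "${algo}"`) for consistency with `"${keyfile}"` on the same line. Note that an existing `/etc/ssh/ssh_host_rsa_key` is simply no longer generated here, not removed; if it is meant to go, that belongs in the update script. The `case` statement enclosing this loop ends outside the hunk.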
Signed-off-by: Peter Müller peter.mueller@ipfire.org --- src/initscripts/system/apache | 26 +------------------------- 1 file changed, 1 insertion(+), 25 deletions(-)
diff --git a/src/initscripts/system/apache b/src/initscripts/system/apache
index e7a62097e..ba7ede670 100644
--- a/src/initscripts/system/apache
+++ b/src/initscripts/system/apache
@@ -2,7 +2,7 @@
 ###############################################################################
 # #
 # IPFire.org - A linux based firewall #
-# Copyright (C) 2007-2022 IPFire Team info@ipfire.org #
+# Copyright (C) 2007-2024 IPFire Team info@ipfire.org #
 # #
 # This program is free software: you can redistribute it and/or modify #
 # it under the terms of the GNU General Public License as published by #
@@ -25,13 +25,6 @@ PIDFILE="/var/run/httpd.pid"
generate_certificates() {
- if [ ! -f "/etc/httpd/server.key" ]; then
- boot_mesg "Generating HTTPS RSA server key (this will take a moment)..."
- openssl genrsa -out /etc/httpd/server.key 4096 &>/dev/null
- chmod 600 /etc/httpd/server.key
- evaluate_retval
- fi
-
 if [ ! -f "/etc/httpd/server-ecdsa.key" ]; then
 boot_mesg "Generating HTTPS ECDSA server key..."
 openssl ecparam -genkey -name secp384r1 -noout \
@@ -40,29 +33,12 @@ generate_certificates() {
 evaluate_retval
 fi
- # Generate RSA CSR
- if [ ! -f "/etc/httpd/server.csr" ]; then
- sed "s/HOSTNAME/`hostname -f`/" < /etc/certparams | \
- openssl req -new -key /etc/httpd/server.key \
- -out /etc/httpd/server.csr &>/dev/null
- fi
-
- # Generate ECDSA CSR
 if [ ! -f "/etc/httpd/server-ecdsa.csr" ]; then
 sed "s/HOSTNAME/`hostname -f`/" < /etc/certparams | \
 openssl req -new -key /etc/httpd/server-ecdsa.key \
 -out /etc/httpd/server-ecdsa.csr &>/dev/null
 fi
- if [ ! -f "/etc/httpd/server.crt" ]; then
- boot_mesg "Signing RSA certificate..."
- openssl x509 -req -days 999999 -sha256 \
- -in /etc/httpd/server.csr \
- -signkey /etc/httpd/server.key \
- -out /etc/httpd/server.crt &>/dev/null
- evaluate_retval
- fi
-
 if [ ! -f "/etc/httpd/server-ecdsa.crt" ]; then
 boot_mesg "Signing ECDSA certificate..."
 openssl x509 -req -days 999999 -sha256 \
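Review bot: With the RSA branch removed, the `openssl req` pipeline that writes `/etc/httpd/server-ecdsa.csr` is the only CSR step left, and it still runs under `&>/dev/null` with no `evaluate_retval`, unlike the key-generation and signing steps on either side of it; if `/etc/certparams` is missing or `hostname -f` fails, the error is swallowed and only the later `openssl x509 -req` fails, with a less obvious message. Adding `evaluate_retval` after the `-out /etc/httpd/server-ecdsa.csr &>/dev/null` line, inside the `if`, would at least surface a failing `openssl req` the same way the other steps are reported (a failing `sed` would still be masked by the pipe). The `-days 999999` validity is pre-existing, but since the ECDSA certificate is now the only one the web UI serves, a one-line comment such as `# Locally trusted self-signed certificate; the long validity is intentional` would stop the next reader from "fixing" it. `generate_certificates` continues past the end of the hunk.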
Signed-off-by: Peter Müller peter.mueller@ipfire.org --- config/ssh/sshd_config | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/config/ssh/sshd_config b/config/ssh/sshd_config
index 76c9b3eb1..630370411 100644
--- a/config/ssh/sshd_config
+++ b/config/ssh/sshd_config
@@ -24,10 +24,9 @@ KexAlgorithms sntrup761x25519-sha512@openssh.com,curve25519-sha256,curve25519-sh
 Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
 MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
-# Only allow cryptographically safe SSH host keys (adjust paths if needed)
+# Only allow cryptographically safe SSH host keys
 HostKey /etc/ssh/ssh_host_ed25519_key
 HostKey /etc/ssh/ssh_host_ecdsa_key
-HostKey /etc/ssh/ssh_host_rsa_key
# Only allow login via public key by default
 PubkeyAuthentication yes
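Review bot: Dropping `HostKey /etc/ssh/ssh_host_rsa_key` stops sshd from offering the RSA key, but on upgraded systems the private key file stays on disk, unreferenced and easy to forget; if it is meant to go, the update script (outside this patch) should remove `/etc/ssh/ssh_host_rsa_key` and its `.pub` rather than leave a stale host private key behind. Clients whose `known_hosts` records only the RSA key for the firewall will presumably be shown a new, unknown host key type on the next connection, and anyone running with `StrictHostKeyChecking yes` would be refused until they update their entry — worth a line in the release notes. The rewritten comment could also record the decision itself, e.g. `# RSA host keys are no longer generated or offered; ed25519 and ecdsa only (nistp521 on fresh installations)`, so the reason does not live only in the commit log.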
Signed-off-by: Peter Müller peter.mueller@ipfire.org --- config/httpd/vhosts.d/ipfire-interface-ssl.conf | 2 -- 1 file changed, 2 deletions(-)
diff --git a/config/httpd/vhosts.d/ipfire-interface-ssl.conf b/config/httpd/vhosts.d/ipfire-interface-ssl.conf
index 639f1d479..278283d08 100644
--- a/config/httpd/vhosts.d/ipfire-interface-ssl.conf
+++ b/config/httpd/vhosts.d/ipfire-interface-ssl.conf
@@ -15,8 +15,6 @@
 SSLHonorCipherOrder on
 SSLCompression off
 SSLSessionTickets off
- SSLCertificateFile /etc/httpd/server.crt
- SSLCertificateKeyFile /etc/httpd/server.key
 SSLCertificateFile /etc/httpd/server-ecdsa.crt
 SSLCertificateKeyFile /etc/httpd/server-ecdsa.key
Signed-off-by: Peter Müller peter.mueller@ipfire.org --- config/backup/include | 3 --- 1 file changed, 3 deletions(-)
diff --git a/config/backup/include b/config/backup/include
index aacfaf64a..f0708c87f 100644
--- a/config/backup/include
+++ b/config/backup/include
@@ -1,12 +1,9 @@
 etc/conntrackd/conntrackd.conf
 etc/group
 etc/hosts*
-etc/httpd/server.crt
-etc/httpd/server.csr
 etc/httpd/server-ecdsa.crt
 etc/httpd/server-ecdsa.csr
 etc/httpd/server-ecdsa.key
-etc/httpd/server.key
 etc/ipsec.user.*
 etc/ipsec.user-post.conf
 etc/logrotate.d