Source-Changes-HG archive
[src/trunk]: src/etc/rc.d Revert previous: Don't generate XMSS host keys for ...
details: https://anonhg.NetBSD.org/src/rev/647446a0b02f
branches: trunk
changeset: 319334:647446a0b02f
user: riastradh <riastradh%NetBSD.org@localhost>
date: Sat May 26 19:18:11 2018 +0000
description:
Revert previous: Don't generate XMSS host keys for sshd by default.
XMSS is a stateful post-quantum signature scheme.
- Post-quantum security for _online_ authentication is not important
until quantum computers become practical; there's no danger of
retroactive forgery in sessions that have already completed.
- As a stateful signature scheme, XMSS is qualitatively different
from all the other ones sshd supports, requiring additional
administrative care: roll back the state (e.g., from a disk backup
or VM snapshot), and you've shot yourself in the foot.
If users want XMSS keys, they can make them explicitly, but there's
no need for this to be enabled by default.
Discussed with christos offline.
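The rollback hazard the description names, as an added example (not from this commit or from NetBSD/OpenSSH): a constructed toy stands in for XMSS, using Lamport one-time keys over a 16-bit digest and a forward-only leaf index as the signer's state. Restoring the signer from a snapshot makes leaf 0 sign twice, which spends more of that one-time key's preimages; a verifier that tracks leaf indices can at least flag the reuse. All names here (StatefulSigner, index_reuse, rollback_demo) are hypothetical.

```python
import copy
import hashlib
import os

N = 16  # constructed toy: sign 16-bit digests so the one-time keys stay small
def h(b: bytes) -> bytes:
    return hashlib.sha256(b).digest()
def digest_bits(msg: bytes) -> list:
    d = int.from_bytes(h(msg)[:2], "big")
    return [(d >> i) & 1 for i in range(N)]
def lamport_keygen():
    # One-time key: two random preimages per digest bit, public key = hashes.
    sk = [(os.urandom(32), os.urandom(32)) for _ in range(N)]
    return sk, [(h(a), h(b)) for a, b in sk]

class StatefulSigner:
    """XMSS-style signer: a list of one-time keys plus a forward-only index."""
    def __init__(self, leaves: int):
        self.keys = [lamport_keygen() for _ in range(leaves)]
        self.index = 0  # the critical state; must never go backwards
    def sign(self, msg: bytes):
        sk, _ = self.keys[self.index]          # reveals one preimage per bit
        sig = [sk[i][bit] for i, bit in enumerate(digest_bits(msg))]
        used, self.index = self.index, self.index + 1
        return used, sig

def verify(pks, msg: bytes, idx: int, sig) -> bool:
    pk = pks[idx]
    return all(h(s) == pk[i][bit]
               for i, (s, bit) in enumerate(zip(sig, digest_bits(msg))))

def index_reuse(indices):
    """Verifier-side check: an index seen twice means the signer's state went backwards (restored backup, cloned VM)."""
    seen = set()
    for i in indices:
        if i in seen:
            return i
        seen.add(i)
    return None

def rollback_demo():
    signer = StatefulSigner(leaves=4)
    snapshot = copy.deepcopy(signer)      # disk backup / VM snapshot
    i1, s1 = signer.sign(b"session one")
    signer = snapshot                     # state restored from the backup
    i2, s2 = signer.sign(b"session two")  # the same leaf signs again
    # One signature exposes N of the leaf's 2N preimages; a second exposes more.
    leaked = len({s for sig in (s1, s2) for s in sig})
    return i1, i2, leaked, index_reuse([i1, i2])
```

Real XMSS keeps the leaf index inside the key file for exactly this reason, so copying or restoring that file is what the commit message warns about.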
diffstat:
etc/rc.d/sshd | 3 +--
1 files changed, 1 insertions(+), 2 deletions(-)
diffs (19 lines):
diff -r 642d31d6bbef -r 647446a0b02f etc/rc.d/sshd
--- a/etc/rc.d/sshd Sat May 26 18:57:35 2018 +0000
+++ b/etc/rc.d/sshd Sat May 26 19:18:11 2018 +0000
@@ -1,6 +1,6 @@
#!/bin/sh
#
-# $NetBSD: sshd,v 1.28 2018/05/26 00:17:54 jmcneill Exp $
+# $NetBSD: sshd,v 1.29 2018/05/26 19:18:11 riastradh Exp $
#
# PROVIDE: sshd
@@ -37,7 +37,6 @@
ecdsa 521 ssh_host_ecdsa_key 1 ECDSA
ed25519 -1 ssh_host_ed25519_key 1 ED25519
rsa 0 ssh_host_rsa_key 2 RSA
-xmss 0 ssh_host_xmss_key 1 XMSS
_EOF
)
}
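Review bot: dropping the `xmss 0 ssh_host_xmss_key 1 XMSS` row only stops future generation; a host that already ran revision 1.28 of this script keeps the ssh_host_xmss_key it created, and nothing in this hunk removes it or tells the operator what to do with it. Given the rollback hazard the description spells out, a line in the commit message or a comment above the key table saying whether such leftover keys should be deleted would make the revert complete.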