Bug#710853: openssh-server: ssh server keys creation
Package: openssh-server
Version: 1:6.2p2-3
Severity: wishlist
Hi.
With respect to the creation of SSH server keys in postinst, may I suggest the
following:
- not create ssh1 keys at all... actually I've never seen them auto-created,
but code seems to be there
This is mainly for security reasons... if someone really wants ssh1, he should
manually create the keys.
- specify bit sizes
Also for security reasons, use the highest bit sizes possible for the respective
algorithm... it should have basically no performance impact, and if someone
really thinks he wants a weaker key... he still can manually create it.
That is
rsa2: -b 4096
dsa: -b 1024
ecdsa: -b 521 (no typo)
- use the FQDN as comment
I always found it handy to have the full hostname on the server keys as comment, i.e.
-C "$(hostname -f)"
without username, as e.g. root@$(hostname -f), would be the personal key of the user
root.
Cheers,
Chris.
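
One way to check existing host keys against the sizes and comment convention proposed in this report, as an added example that is not part of the original report or of the openssh-server package. The function names are hypothetical, and the script assumes the `ssh-keygen -l -f` output format `<bits> <fingerprint> <comment> (<TYPE>)`.

```shell
#!/bin/sh
# Added example: audit SSH host keys against the proposal in the report above
# (RSA 4096, DSA 1024, ECDSA 521, no SSH1 key, bare FQDN as comment).

# check_key_line LINE FQDN   (hypothetical helper name)
# LINE is one line of `ssh-keygen -l -f <key>.pub` output:
#   <bits> <fingerprint> <comment> (<TYPE>)
# Prints one finding per problem; returns 0 if the key matches, 1 otherwise.
check_key_line() {
    line=$1; fqdn=$2; rc=0
    bits=${line%% *}                      # first field: size in bits
    type=${line##*\(}; type=${type%\)}    # trailing "(RSA)" -> RSA
    rest=${line#* }; rest=${rest#* }      # strip bits and fingerprint
    comment=${rest% \(*}                  # text before " (TYPE)"
    case $type in
        RSA)   want=4096 ;;
        DSA)   want=1024 ;;
        ECDSA) want=521 ;;
        RSA1)  echo "FAIL $type: SSH1 host key present"; return 1 ;;
        *)     echo "SKIP $type: type not covered by the report"; return 0 ;;
    esac
    if [ "$bits" -ne "$want" ]; then
        echo "FAIL $type: $bits bits, proposal is $want"; rc=1
    fi
    if [ "$comment" != "$fqdn" ]; then
        echo "FAIL $type: comment '$comment' is not the bare FQDN '$fqdn'"; rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK   $type: $bits bits, comment '$comment'"
    return "$rc"
}

# audit_host_keys DIR FQDN: check every ssh_host_*key.pub found in DIR.
# Assumption: keys follow the ssh_host_<type>_key.pub naming (e.g. in /etc/ssh).
audit_host_keys() {
    status=0
    for pub in "$1"/ssh_host_*key.pub; do
        [ -f "$pub" ] || continue
        check_key_line "$(ssh-keygen -l -f "$pub")" "$2" || status=1
    done
    return "$status"
}

# Usage: sh audit.sh /etc/ssh "$(hostname -f)"
if [ "$#" -eq 2 ]; then audit_host_keys "$1" "$2"; fi
```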