Bug#710853: openssh-server: ssh server keys creation

To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Bug#710853: openssh-server: ssh server keys creation
From: Christoph Anton Mitterer <calestyo@scientia.net>
Date: Mon, 03 Jun 2013 02:32:06 +0200
Message-id: <[🔎] 20130603003206.20548.67691.reportbug@heisenberg.scientia.net>
Reply-to: Christoph Anton Mitterer <calestyo@scientia.net>, 710853@bugs.debian.org

Package: openssh-server
Version: 1:6.2p2-3
Severity: wishlist


Hi.

With respect to the creation of SSH server keys in postinst, may I suggest the
following:
- not create ssh1 keys at all... actually I've never seen them auto-created,
  but code seems to be there
  This is mainly for security reasons... if someone really want's ssh1, he shoul
  manually create the keys.

- specify bit sizes
  Also for security reasons, use the highest bit sizes possible for the respective
  algorithm,... it should have basically no performance impact, and if someone
  really thinks he wants a weaker key,.. he still can manually create it
  That is
  rsa2: -b 4096
  dsa: -b 1024
  ecdsa: -b 521 (no typo)

- use the FQDN as comment
  I always found it handy to have the full hostname on the server keys as comment, i.e.
  -C "$(hostname -f)"
  without username, as e.g. root@$(hostname -f), would be the personal key of the user
  root.


Cheers,
Chris.

Reply to:

Prev by Date: openssh 1:6.2p2-3 MIGRATED to testing
Next by Date: Bug#711159: upgrade of openssh-server to 1:6.2p2-3 wants to uninstall file-rc in favor of sysv-rc
Previous by thread: openssh 1:6.2p2-3 MIGRATED to testing
Next by thread: Bug#711159: upgrade of openssh-server to 1:6.2p2-3 wants to uninstall file-rc in favor of sysv-rc
Index(es):
- Date
- Thread