
Bug#823827: openssh-server: Should probably no longer generate DSA host keys on new installs



Package: openssh-server
Version: 1:7.2p2-5
Tags: patch

Hello Colin.

Since the ssh client no longer wants to connect to a server which has
only a DSA key, because it's considered obsolete and not secure enough,
the logical thing to do for the Debian openssh-server package would be
to stop generating such keys on new systems as well.

[ Did this check: On a sid system I disabled all host keys but DSA and
  then was not able to ssh to localhost anymore ].

While we are at it, this change would also solve Bug #562593,
marked "important" (mips machine hangs at generating DSA2 key).

The attached patch may help, but I've not tested it.

Thanks a lot.
--- a/debian/openssh-server.postinst
+++ b/debian/openssh-server.postinst
@@ -81,7 +81,6 @@ host_keys_required() {
 		# No HostKey directives at all, so the server picks some
 		# defaults.
 		echo /etc/ssh/ssh_host_rsa_key
-		echo /etc/ssh/ssh_host_dsa_key
 		echo /etc/ssh/ssh_host_ecdsa_key
 		echo /etc/ssh/ssh_host_ed25519_key
 	fi
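Review bot: this list is the fallback for the "No HostKey directives at all" case, so it should mirror what sshd itself loads when no HostKey is configured; please confirm that the 7.2 server's built-in default list no longer includes /etc/ssh/ssh_host_dsa_key, otherwise a DSA key left behind on an upgraded system is still loaded and offered even though the packaging no longer creates it. Nothing in this hunk removes an existing ssh_host_dsa_key, so the change affects fresh installs only, which the changelog should state.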
@@ -114,8 +113,6 @@ create_keys() {
 
 	create_key "Creating SSH2 RSA key; this may take some time ..." \
 		"$hostkeys" /etc/ssh/ssh_host_rsa_key -t rsa
-	create_key "Creating SSH2 DSA key; this may take some time ..." \
-		"$hostkeys" /etc/ssh/ssh_host_dsa_key -t dsa
 	create_key "Creating SSH2 ECDSA key; this may take some time ..." \
 		"$hostkeys" /etc/ssh/ssh_host_ecdsa_key -t ecdsa
 	create_key "Creating SSH2 ED25519 key; this may take some time ..." \
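Review bot: create_key here is driven by "$hostkeys" from host_keys_required(), and the first hunk only removes the DSA path from the no-HostKey-directive default branch; if the other branch (which reads explicit HostKey lines from an existing sshd_config and is not shown in this diff) can still return /etc/ssh/ssh_host_dsa_key, that path will now be listed but never generated, and sshd will warn at every start that it could not load the key. Either filter the DSA path out in host_keys_required() as well, or keep this call so that a configured but missing DSA key is still created.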
@@ -173,7 +170,6 @@ Port 22
 Protocol 2
 # HostKeys for protocol version 2
 HostKey /etc/ssh/ssh_host_rsa_key
-HostKey /etc/ssh/ssh_host_dsa_key
 HostKey /etc/ssh/ssh_host_ecdsa_key
 HostKey /etc/ssh/ssh_host_ed25519_key
 #Privilege Separation is turned on for security
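Review bot: this only changes the template written for a freshly generated sshd_config, so configurations that already carry `HostKey /etc/ssh/ssh_host_dsa_key` keep both the directive and the key file; that matches the bug title (new installs only), but it deserves a NEWS or changelog entry telling administrators of upgraded systems that the DSA key is neither regenerated nor removed and can be deleted by hand along with the directive.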
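The check described in the report (a 7.x client refusing to connect to a server that offers only a DSA host key) can be reproduced without touching a live server's configuration. The following script is an added example, not part of the bug report or of the Debian package: it compares the host key types a server offers (in the `ssh-keyscan` output format) with the client's effective `HostKeyAlgorithms` list (in the `ssh -G` output format) and reports whether key exchange can succeed. The embedded sample outputs are constructed, with key blobs shortened, so the script runs offline; pass a hostname to run the same comparison against a real host with the real tools.

```shell
#!/bin/sh
# Added example (not from the bug report or the Debian openssh package):
# decide whether a client can negotiate a host key with a server, given the
# server's offered host key types and the client's effective
# HostKeyAlgorithms list. The two inputs use the text formats produced by
# `ssh-keyscan` and `ssh -G`; constructed samples are embedded below so the
# script runs offline.

# Constructed `ssh-keyscan localhost` output for a DSA-only server
# (key blob shortened; not a real key).
DSA_ONLY_SCAN='localhost ssh-dss AAAAB3NzaC1kc3MAAACBAP...'

# Constructed output for a server carrying the RSA/ECDSA/Ed25519 trio that
# the patch leaves as the default (blobs shortened; not real keys).
FULL_SCAN='localhost ssh-rsa AAAAB3NzaC1yc2EAAAADAQ...
localhost ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAI...
localhost ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAI...'

# Constructed `ssh -G localhost` line for an OpenSSH 7.x client with default
# settings: ssh-dss is absent from the list.
CLIENT_G='hostkeyalgorithms ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,ssh-rsa'

# server_key_types SCAN: key types the server offers, one per line (the
# second field of each ssh-keyscan line), deduplicated.
server_key_types() {
    printf '%s\n' "$1" | awk 'NF >= 3 { print $2 }' | sort -u
}

# client_key_types G_OUTPUT: the client's HostKeyAlgorithms, one per line.
client_key_types() {
    printf '%s\n' "$1" | awk '$1 == "hostkeyalgorithms" { print $2 }' | tr ',' '\n'
}

# common_key_types SCAN G_OUTPUT: types the server offers that the client
# also accepts. Empty output means key exchange fails.
common_key_types() {
    server_key_types "$1" | while IFS= read -r t; do
        if client_key_types "$2" | grep -qx -- "$t"; then
            printf '%s\n' "$t"
        fi
    done
}

# reachable SCAN G_OUTPUT: prints "yes" when at least one type is shared.
reachable() {
    if [ -n "$(common_key_types "$1" "$2")" ]; then
        echo yes
    else
        echo no
    fi
}

# check_live HOST: the same comparison against a real host, using the
# actual ssh-keyscan output and the client's effective configuration.
check_live() {
    scan=$(ssh-keyscan "$1" 2>/dev/null)
    g=$(ssh -G "$1")
    echo "offered by server:  $(server_key_types "$scan" | tr '\n' ' ')"
    echo "acceptable to both: $(common_key_types "$scan" "$g" | tr '\n' ' ')"
    echo "reachable: $(reachable "$scan" "$g")"
}

# With a hostname argument, run the live check; otherwise the constructed
# samples are available for the offline comparison.
if [ $# -gt 0 ]; then
    check_live "$1"
fi
```

For the DSA-only sample the intersection is empty, which is the condition under which a 7.x client aborts with "no matching host key type found"; the RSA/ECDSA/Ed25519 sample matches on all three types. Running `sh script.sh somehost` performs the same comparison against a real server, which is a quick way to find DSA-only hosts before their clients are upgraded.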
