[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#823827: openssh-server: Should probably no longer generate DSA host keys on new installs

On Mon, May 09, 2016 at 01:39:10PM +0200, Santiago Vila wrote:
> Since the ssh client no longer wants to connect to a server which has
> only a DSA key, because it's considered obsolete and not secure enough,
> the logical thing to do for the Debian openssh-server package would be
> to stop generating such keys on new systems as well.

Thanks for this patch.  Mostly applied, though see below:

> @@ -114,8 +113,6 @@ create_keys() {
>  	create_key "Creating SSH2 RSA key; this may take some time ..." \
>  		"$hostkeys" /etc/ssh/ssh_host_rsa_key -t rsa
> -	create_key "Creating SSH2 DSA key; this may take some time ..." \
> -		"$hostkeys" /etc/ssh/ssh_host_dsa_key -t dsa
>  	create_key "Creating SSH2 ECDSA key; this may take some time ..." \
>  		"$hostkeys" /etc/ssh/ssh_host_ecdsa_key -t ecdsa
>  	create_key "Creating SSH2 ED25519 key; this may take some time ..." \

I think it makes sense to omit this hunk of the patch for now.  Not
listing the keys in host_keys_required's defaults or in the
default-generated configuration file should be enough for now, and if a
host key is in fact explicitly listed in the configuration file then we
should IMO still generate it.


Colin Watson                                       [cjwatson@debian.org]

Reply to: