Bug#823827: openssh-server: Should probably no longer generate DSA host keys on new installs
On Mon, May 09, 2016 at 01:39:10PM +0200, Santiago Vila wrote:
> Since the ssh client no longer wants to connect to a server which has
> only a DSA key, because it's considered obsolete and not secure enough,
> the logical thing to do for the Debian openssh-server package would be
> to stop generating such keys on new systems as well.
Thanks for this patch. Mostly applied, though see below:
> @@ -114,8 +113,6 @@ create_keys() {
>
> create_key "Creating SSH2 RSA key; this may take some time ..." \
> "$hostkeys" /etc/ssh/ssh_host_rsa_key -t rsa
> - create_key "Creating SSH2 DSA key; this may take some time ..." \
> - "$hostkeys" /etc/ssh/ssh_host_dsa_key -t dsa
> create_key "Creating SSH2 ECDSA key; this may take some time ..." \
> "$hostkeys" /etc/ssh/ssh_host_ecdsa_key -t ecdsa
> create_key "Creating SSH2 ED25519 key; this may take some time ..." \
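Review bot: dropping the DSA create_key call outright means an sshd_config that explicitly lists `HostKey /etc/ssh/ssh_host_dsa_key` would never get that key generated by the maintainer script; rather than deleting the call, consider generating ssh_host_dsa_key only when it is explicitly configured, and remove dsa from the default key list so fresh installs no longer create it.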
I think it makes sense to omit this hunk of the patch for now. Not
listing the keys in host_keys_required's defaults or in the
default-generated configuration file should be enough for now, and if a
host key is in fact explicitly listed in the configuration file then we
should IMO still generate it.
Cheers,
--
Colin Watson [cjwatson@debian.org]
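The selection rule in the reply above, as an added example that is not the Debian openssh-server maintainer script: the default key types no longer include dsa, but any HostKey that sshd_config lists explicitly is still generated. The function names host_key_types and generate_host_keys, and the sample config, are constructed for this example.

```shell
#!/bin/sh
# Added example, not the Debian openssh-server postinst: choose the host key
# types to generate. Defaults (without dsa) come first; any extra type named by
# a HostKey directive in sshd_config is appended. host_key_types and
# generate_host_keys are hypothetical names.

# Print one key type per line. Only the standard /path/ssh_host_<type>_key
# file naming is recognised (an assumption made here).
host_key_types() {
    config="$1"; shift
    configured=""
    if [ -r "$config" ]; then
        configured=$(awk '
            tolower($1) == "hostkey" && match($2, /ssh_host_[a-z0-9]+_key$/) {
                print substr($2, RSTART + 9, RLENGTH - 13)
            }' "$config")
    fi
    seen=""
    for t in "$@" $configured; do
        case " $seen " in
            *" $t "*) ;;                      # duplicate: keep the first occurrence
            *) seen="$seen $t"; printf '%s\n' "$t" ;;
        esac
    done
}

# Create each selected key that does not exist yet. Needs root and ssh-keygen,
# so it is defined here but not invoked below.
generate_host_keys() {
    config="$1"; shift
    for t in $(host_key_types "$config" "$@"); do
        key="/etc/ssh/ssh_host_${t}_key"
        [ -e "$key" ] || ssh-keygen -q -N '' -t "$t" -f "$key"
    done
}

# Constructed sample sshd_config: one commented-out key, an explicit DSA key,
# and an ed25519 key that is already in the defaults.
sample="${TMPDIR:-/tmp}/sshd_config.example.$$"
printf '%s\n' 'Port 22' '# HostKey /etc/ssh/ssh_host_rsa_key' \
    'HostKey /etc/ssh/ssh_host_dsa_key' \
    'HostKey /etc/ssh/ssh_host_ed25519_key' > "$sample"
echo "Key types to generate:"
host_key_types "$sample" rsa ecdsa ed25519      # rsa ecdsa ed25519 dsa
rm -f "$sample"
```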