Bug#852400: openssh-server: Strategy used for HostKey options in sshd_config
On Tue, Jan 24, 2017 at 09:40:10AM +0100, Santiago Vila wrote:
> File /etc/ssh/sshd_config says:
>
> # The strategy used for options in the default sshd_config shipped with
> # OpenSSH is to specify options with their default value where
> # possible, but leave them commented. Uncommented options override the
> # default value.
>
> but this is a little bit confusing for "HostKey". The default in stretch
> (once the version in unstable propagates to testing) will be like this:
>
> #HostKey /etc/ssh/ssh_host_rsa_key
> #HostKey /etc/ssh/ssh_host_ecdsa_key
> #HostKey /etc/ssh/ssh_host_ed25519_key
>
> The reasonable behaviour, I think, is that if I uncomment one or more
> of those lines, then only the uncommented lines will be used and not
> the "default set", but based on the above comment it is not very clear
> that this is what will happen.
That is exactly what will happen.
> So: Would it not be better to have those lines uncommented, for clarity?
This commentary is unchanged from the upstream sshd_config, apart from
deleting "#HostKey /etc/ssh/ssh_host_dsa_key". Would you mind
forwarding it upstream yourself, to https://bugzilla.mindrot.org/ ? (I
can do so if you can't, but my experience is that "discussion"-type bugs
work better when filed by the original reporter, since I don't then have
to try to channel your views or forward comments back and forward.)
> (This may also simplify the logic that handles upgrades, which in theory,
> should preserve user configuration from jessie).
I now just use ucf and leave that up to the sysadmin if there's anything
complicated, rather than trying to have custom logic to do it.
Thanks,
--
Colin Watson [cjwatson@debian.org]
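As an added example, not part of this bug report or of the openssh packaging, the following POSIX shell check models the rule confirmed above: active (uncommented) HostKey lines replace the built-in default set, and the default set applies only when no HostKey line is active. The default paths and the sample config are taken from the report; the function and file names are my own.

```shell
#!/bin/sh
# Constructed example: report which HostKey files sshd would load from a
# given sshd_config, following the semantics confirmed in the bug report.
set -eu

# Default set, as in the stretch sshd_config quoted in the report.
DEFAULT_HOSTKEYS="/etc/ssh/ssh_host_rsa_key
/etc/ssh/ssh_host_ecdsa_key
/etc/ssh/ssh_host_ed25519_key"

# Print the HostKey paths active in the config file given as $1.
# sshd keywords are case-insensitive and accept "HostKey path" or
# "HostKey=path"; lines commented out with "#" are ignored, and a
# trailing comment after the path is stripped.
effective_hostkeys() {
    active=$(sed -n -E \
        's/^[[:space:]]*[Hh][Oo][Ss][Tt][Kk][Ee][Yy][[:space:]=]+([^[:space:]#]+).*/\1/p' \
        "$1")
    if [ -n "$active" ]; then
        # At least one HostKey line is uncommented: only those are used.
        printf '%s\n' "$active"
    else
        # No active HostKey line: sshd falls back to the default set.
        printf '%s\n' "$DEFAULT_HOSTKEYS"
    fi
}

# Demo on a constructed config: two defaults left commented, one uncommented.
demo_config=$(mktemp)
printf '%s\n' \
    '#HostKey /etc/ssh/ssh_host_rsa_key' \
    '#HostKey /etc/ssh/ssh_host_ecdsa_key' \
    'HostKey /etc/ssh/ssh_host_ed25519_key' > "$demo_config"
echo "Effective host keys for $demo_config:"
effective_hostkeys "$demo_config"
rm -f "$demo_config"
```

On a live system, `sshd -T | grep -i '^hostkey'` is the authoritative listing of the host keys the running configuration resolves to; this script only models the rule for a config file without needing sshd present.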