
Bug#773192: disable DSA key generation by default



On Mon, Dec 15, 2014 at 12:49:40PM +0000, Safar, Stefan wrote:
>    Version: all

The version is relevant - you can't just say "all".  What version did
you encounter this bug in?

>    During installation (or maybe the first startup, i’m not sure), the
>    openssh-server generates 1024bit DSA keys.

As far as I can tell, no, it doesn't.  In a fresh unstable chroot:

  # apt install openssh-server
  [...]
  Setting up openssh-server (1:8.0p1-6) ...
  
  Creating config file /etc/ssh/sshd_config with new version
  Creating SSH2 RSA key; this may take some time ...
  3072 SHA256:CTOaHgFdYim5rV+9TsQNjcxXnghR4n0R7MQT0VkxClY root@niejwein (RSA)
  Creating SSH2 ECDSA key; this may take some time ...
  256 SHA256:yxBciZ3liGRuAIlZl0r06z0q4PWZJoQNd9/4yMwm/10 root@niejwein (ECDSA)
  Creating SSH2 ED25519 key; this may take some time ...
  256 SHA256:uAi+rvto2sRR7+OIM9tP5RWqVW1/M1elBv0Rchnw4Js root@niejwein (ED25519)
  [...]
  # ls -l /etc/ssh
  total 596
  -rw-r--r-- 1 root root 577325 Aug 28 10:53 moduli
  -rw-r--r-- 1 root root   1565 Aug 28 10:53 ssh_config
  -rw------- 1 root root    505 Sep 10 14:59 ssh_host_ecdsa_key
  -rw-r--r-- 1 root root    175 Sep 10 14:59 ssh_host_ecdsa_key.pub
  -rw------- 1 root root    399 Sep 10 14:59 ssh_host_ed25519_key
  -rw-r--r-- 1 root root     95 Sep 10 14:59 ssh_host_ed25519_key.pub
  -rw------- 1 root root   2602 Sep 10 14:59 ssh_host_rsa_key
  -rw-r--r-- 1 root root    567 Sep 10 14:59 ssh_host_rsa_key.pub
  -rw-r--r-- 1 root root   3250 Aug 28 10:53 sshd_config

The packaging will only generate a DSA host key if you have a HostKey
line in /etc/ssh/sshd_config which explicitly requires it; there is no
such line in the default configuration.

>    This bug is somehow related to
>    https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=481133 , but it’s not a
>    duplicate.

However, I think it likely is a duplicate of #823827, which was fixed in
1:7.2p2-6 (before stretch).  This is why it's relevant which version you
encountered this bug in and whether you have any local customisations,
because if it's a more recent version than that then we need to
investigate further.

Regards,

-- 
Colin Watson                                       [cjwatson@debian.org]
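The condition described above (a DSA host key is only generated when an explicit `HostKey` line in `sshd_config` asks for one) can be audited with a small script. This is an added example, not code from the bug report or from the Debian packaging; the sample configs are constructed inline and the `count_dsa_hostkeys` helper only looks for the conventional `ssh_host_dsa_key` file names.

```shell
# Added example: report whether an sshd_config explicitly requests a DSA
# host key, which is the only condition under which the packaging would
# generate one. Prints each matching HostKey path; exit 0 if any, else 1.
dsa_hostkey_directives() {
    # Strip comments, match the HostKey keyword case-insensitively (as
    # sshd does), then keep only directives whose path mentions "dsa".
    sed 's/#.*//' "$1" \
      | awk 'tolower($1) == "hostkey" && tolower($2) ~ /dsa/ { print $2; found = 1 }
             END { if (found) exit 0; exit 1 }'
}

# Count DSA host key files actually present in a directory (e.g. /etc/ssh),
# assuming the conventional ssh_host_dsa_key file names.
count_dsa_hostkeys() {
    n=0
    for f in "$1"/ssh_host_dsa_key "$1"/ssh_host_dsa_key.pub; do
        [ -e "$f" ] && n=$((n + 1))
    done
    echo "$n"
}

# Constructed sample configs showing both outcomes.
tmpdir=$(mktemp -d)
cat > "$tmpdir/default.conf" <<'EOF'
# default-style config: the DSA HostKey line is commented out
#HostKey /etc/ssh/ssh_host_dsa_key
PermitRootLogin prohibit-password
EOF
cat > "$tmpdir/custom.conf" <<'EOF'
HostKey /etc/ssh/ssh_host_rsa_key
hostkey /etc/ssh/ssh_host_dsa_key
EOF

# Stand-alone run: only custom.conf should be reported.
for cfg in "$tmpdir/default.conf" "$tmpdir/custom.conf"; do
    if dsa_hostkey_directives "$cfg" >/dev/null; then
        echo "$cfg: DSA host key explicitly configured"
    else
        echo "$cfg: no DSA host key requested"
    fi
done
```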

