Bug#594175: openssh-server: support generation of ssh host keys in init script
On Tue, Oct 05, 2021 at 09:21:33PM +1100, Trent W. Buck wrote:
> Michael Prokop wrote:
> > Nowadays™ with systemd we use our own ssh.service, which looks like that:
> >
> > https://github.com/grml/grml-live/blob/8078724d5fa78f0b8fe0471b94368c58f204ee11/etc/grml/fai/config/files/etc/systemd/system/ssh.service/GRMLBASE
>
> Can we (Debian, not GRML) please just add
> ExecStartPre=ssh-keygen -A
> to Debian's default ssh.service?
> Is there any DOWNSIDE to doing that?
> It appears to be fully idempotent.
I have always been extremely reluctant to do this because of the
possible downsides explained in
https://factorable.net/weakkeys12.extended.pdf. At the very least it
requires lots of care to ensure that sufficient entropy is available;
this can't be brushed off as something that we might be able to take
care of later.
--
Colin Watson (he/him) [cjwatson@debian.org]
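
The entropy concern raised in the reply above, as an added example that is not part of the original messages or of Debian's packaging: a hypothetical wrapper (all function names are assumptions) that an `ExecStartPre=` step could call instead of bare `ssh-keygen -A`. It covers only the kernel-seeding aspect, by refusing to generate host keys until `getrandom(2)` reports the kernel CRNG as initialized (Linux only).

```python
#!/usr/bin/env python3
"""Added example: gate `ssh-keygen -A` on the kernel CRNG being seeded."""
import os
import subprocess
import sys
import time


def crng_ready():
    """True once getrandom(2) can return bytes without blocking."""
    try:
        os.getrandom(1, os.GRND_NONBLOCK)
        return True
    except BlockingIOError:
        # EAGAIN: the kernel entropy pool has not been initialized yet.
        return False


def wait_for_crng(timeout=60.0, interval=0.5, probe=crng_ready,
                  clock=time.monotonic, sleep=time.sleep):
    """Poll until the CRNG is seeded; False if the timeout expires first."""
    deadline = clock() + timeout
    while True:
        if probe():
            return True
        if clock() >= deadline:
            return False
        sleep(interval)


def generate_host_keys(probe=crng_ready, run=subprocess.run, timeout=60.0,
                       interval=0.5, clock=time.monotonic, sleep=time.sleep):
    """Run `ssh-keygen -A` only after the CRNG is seeded; return exit status."""
    if not wait_for_crng(timeout, interval, probe, clock, sleep):
        print("kernel CRNG not seeded; refusing to generate host keys",
              file=sys.stderr)
        return 1  # non-zero makes an ExecStartPre= step fail the unit start
    # ssh-keygen -A only creates host keys that do not already exist.
    return run(["ssh-keygen", "-A"], check=False).returncode


if __name__ == "__main__":
    sys.exit(generate_host_keys())
```

The probe, clock and command runner are injectable so the timeout path can be exercised without an unseeded machine.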