Bug#1094246: openssh-server: postinst: please implement ssh-audit recommended keygen options

To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Bug#1094246: openssh-server: postinst: please implement ssh-audit recommended keygen options
From: Martin-Éric Racine <martin-eric.racine@iki.fi>
Date: Sun, 26 Jan 2025 15:56:29 +0200
Message-id: <[🔎] 173789978903.347439.11091873877476151441.reportbug@p8h61.internal>
Reply-to: Martin-Éric Racine <martin-eric.racine@iki.fi>, 1094246@bugs.debian.org

Package: openssh-server
Version: 1:9.9p1-3
Severity: important
X-Debbugs-Cc: martin-eric.racine@iki.fi

In its postinst, openssh-server currently generates host keys with upstream defaults. While there's nothing inherently wrong with that, a more proactive approach to strong cryptography might be desirable.

The homepage of the auditing tool 'ssh-audit' suggests [1] using the following keygen recipes instead:

ssh-keygen -t rsa -b 4096 -f /etc/ssh/ssh_host_rsa_key -N ""
ssh-keygen -t ed25519 -f /etc/ssh/ssh_host_ed25519_key -N "" 

The key difference with upstream defaults (and openssh-server postinst) and the above is the enforcement of 4096-bit RSA keys.

It would be extremely desirable for Debian to implement this out of the box.

Thanks!
Martin-Éric

[1] https://www.sshaudit.com/hardening_guides.html#debian_12

-- System Information:
Debian Release: trixie/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (x86_64)

Kernel: Linux 6.1.0-30-amd64 (SMP w/8 CPU threads; PREEMPT)
Locale: LANG=fi_FI.UTF-8, LC_CTYPE=fi_FI.UTF-8 (charmap=UTF-8), LANGUAGE=fi:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages openssh-server depends on:
ii  adduser                    3.137
ii  debconf [debconf-2.0]      1.5.89
ii  init-system-helpers        1.68
ii  libaudit1                  1:4.0.2-2+b1
ii  libc6                      2.40-6
ii  libcom-err2                1.47.2-1
ii  libcrypt1                  1:4.4.38-1
ii  libgssapi-krb5-2           1.21.3-4
ii  libkrb5-3                  1.21.3-4
ii  libpam-modules             1.5.3-7+b1
ii  libpam-runtime             1.5.3-7
ii  libpam0g                   1.5.3-7+b1
ii  libselinux1                3.7-3+b1
ii  libssl3t64                 3.4.0-2
pn  libwrap0                   <none>
ii  openssh-client             1:9.9p1-3
pn  openssh-sftp-server        <none>
ii  procps                     2:4.0.4-6
pn  runit-helper               <none>
ii  sysvinit-utils [lsb-base]  3.13-1
ii  ucf                        3.0048
ii  zlib1g                     1:1.3.dfsg+really1.3.1-1+b1

Versions of packages openssh-server recommends:
ii  libpam-systemd [logind]  257.2-3
pn  ncurses-term             <none>
ii  xauth                    1:1.1.2-1.1

Versions of packages openssh-server suggests:
pn  molly-guard   <none>
pn  monkeysphere  <none>
pn  ssh-askpass   <none>
pn  ufw           <none>

Reply to:

Follow-Ups:
- Bug#1094246: openssh-server: postinst: please implement ssh-audit recommended keygen options
  - From: Colin Watson <cjwatson@debian.org>
- Processed: Re: Bug#1094246: openssh-server: postinst: please implement ssh-audit recommended keygen options
  - From: "Debian Bug Tracking System" <owner@bugs.debian.org>

Prev by Date: Processed: tagging 130876, tagging 130876
Next by Date: Bug#1094246: openssh-server: postinst: please implement ssh-audit recommended keygen options
Previous by thread: Processed: tagging 130876, tagging 130876
Next by thread: Bug#1094246: openssh-server: postinst: please implement ssh-audit recommended keygen options
Index(es):
- Date
- Thread