Bug#1094246: openssh-server: postinst: please implement ssh-audit recommended keygen options
Hello both,
su 26.1.2025 klo 19.35 Daniel Baumann (daniel@debian.org) kirjoitti:
> On 1/26/25 16:21, Colin Watson wrote:
> > 3072-bit RSA seems like a fine default at the moment,
> > and I expect that Debian will follow future changes made upstream.
>
> while I fully agree and don't think that the debian package should
> divert from upstream here, as an admin I do use different defaults for
> systems I maintain.
>
> From a config management point of view, this is very cumbersome as the
> postinst do re-create missing things/fallback to upstream defaults.
>
> To make it nicer for admins to locally deviate from the defaults.. how
> about internal preseed option(s) not shown to the user to select
> host-keys to be generated? Would you accept patches for this?
I have noticed this as well e.g. whenever Debian ships a new
openssh-server package, I've had to manually run the command shown on
the hardening guide to remove modulus below 3272-bit all over again.
For what it's worth, I fully agree with Colin that some of Joe Testa's
recommended hardening measures lack proper justification. Damien
Miller noticed the same thing, when I recently asked him to comment on
the recommendations.
I however think that Daniel's proposal for a patch that better takes
into consideration possible local deviations from Debian defaults
might be a good compromise between adopting 'ssh-audit' paranoia for
the Debian package and letting administrators adopt them if they wish.
Martin-Éric
Reply to: