
Bug#710853: openssh-server: ssh server keys creation



On Tue, 2025-12-02 at 10:58 +0000, Colin Watson wrote:
> This seems probably reasonable.  The only thing I was wondering was 
> whether there were any (minor) privacy implications to recording that
> information?  I guess not but I'm not certain.

Well, I guess there *might* be, but only if someone hands out the
public keys somehow (and then he should know what he's doing?!).

Or is the comment ever transmitted as part of the protocol? Maybe as
part of the "hostkeys@openssh.com" protocol extension?

But even then, to use that an "attacker" would likely already know the
host anyway.


In general I think Debian should also consider privacy (and e.g.
disable things like programs automatically using gravatar or so, per
default).... but this here would seem very minor to me.
But I'd also be fine if you'd object.


Maybe one could make the host keys' comments a debconf question of very
low priority, which defaults to the user@fqdn, but gives a warning that
this might leak the name?



Cheers,
Chris.

