
touch-packages team mailing list archive

[Bug 1300133] Re: Generate ED25519 host keys on upgrade


@cjwatson, IMHO running "ssh-keygen -A" and the accompanying restorecon
if applicable should be done unconditionally in postinst.

This way, the admin would be free to simply add the newer HostKey
directives they want to use in sshd_config. More details about this
suggestion in LP: #1005440 and LP: #1370523

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to openssh in Ubuntu.
https://bugs.launchpad.net/bugs/1300133

Title:
  Generate ED25519 host keys on upgrade

Status in “openssh” package in Ubuntu:
  Confirmed

Bug description:
  openssh (1:6.5p1-1) unstable; urgency=medium
    ...
    * Generate ED25519 host keys on fresh installations.  Upgraders who wish
      to add such host keys should manually add 'HostKey
      /etc/ssh/ssh_host_ed25519_key' to /etc/ssh/sshd_config and run
      'ssh-keygen -q -f /etc/ssh/ssh_host_ed25519_key -N "" -t ed25519'.
     ...
  -- Colin Watson <cjwatson@xxxxxxxxxx>  Mon, 10 Feb 2014 14:58:26 +0000

  Most users and many administrators are not going to notice the new
  host key capabilities when it is buried in a changelog.  We should at
  least give them an obvious hint about it.

  Even better would be to prompt the user to generate the keys with a
  debconf question, as was recently done with the "Change to
  'PermitRootLogin without-password'" change.

  I would like to label this as a security vulnerability, but that may
  be a bit over the top; it would be a security improvement!

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/1300133/+subscriptions
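As an added example (not the openssh package's own postinst code and not written by anyone in this thread), the POSIX shell functions below implement the idea discussed here: read the HostKey directives from an sshd_config and generate any configured key file that does not exist yet, using the same ssh-keygen invocation the changelog quotes. The function names, and taking the config path as a parameter so it can be run against a scratch directory, are assumptions. It goes one step beyond "ssh-keygen -A" in that it generates whichever key types the administrator has configured, not just the default set.

```shell
#!/bin/sh
# Added example: idempotent host-key generation driven by sshd_config.
# Not the Debian/Ubuntu openssh postinst; function names are hypothetical.
# Every function takes the sshd_config path as $1 so it can be exercised
# against a scratch directory instead of the live /etc/ssh.

# Print the key paths named by HostKey directives in the given sshd_config.
# The keyword is case-insensitive in sshd; leading whitespace and
# comment lines are handled by awk's default field splitting.
list_host_keys() {
    awk 'tolower($1) == "hostkey" { print $2 }' "$1"
}

# Print only those configured HostKey paths whose private key is absent.
missing_host_keys() {
    list_host_keys "$1" | while read -r key; do
        [ -f "$key" ] || printf '%s\n' "$key"
    done
}

# Derive the key type from the conventional file name ssh_host_<type>_key;
# prints nothing for paths that do not follow that convention.
key_type_from_path() {
    basename "$1" | sed -n 's/^ssh_host_\([a-z0-9]*\)_key$/\1/p'
}

# Generate every configured host key that is still missing. Existing keys
# are never touched, so this is safe to run unconditionally on every
# package upgrade, which is the behaviour proposed in the comment above.
generate_missing_host_keys() {
    missing_host_keys "$1" | while read -r key; do
        type=$(key_type_from_path "$key")
        if [ -z "$type" ]; then
            echo "skipping $key: cannot infer key type from file name" >&2
            continue
        fi
        # Same invocation as the changelog entry, with the type parameterised.
        ssh-keygen -q -f "$key" -N "" -t "$type"
        # On SELinux systems the packaging would follow this with:
        #   restorecon "$key" "$key.pub"
    done
}
```

Run as root with `generate_missing_host_keys /etc/ssh/sshd_config` after adding a `HostKey /etc/ssh/ssh_host_ed25519_key` line; because it only ever creates files that are absent, repeating it (for example from postinst) changes nothing once the keys exist.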