Generate ED25519 host keys on upgrade
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
openssh (Ubuntu) | Fix Released | Medium | Colin Watson |
Bug Description
openssh (1:6.5p1-1) unstable; urgency=medium
...
* Generate ED25519 host keys on fresh installations. Upgraders who wish
to add such host keys should manually add 'HostKey
/etc/
'ssh-keygen -q -f /etc/ssh/
...
-- Colin Watson <email address hidden> Mon, 10 Feb 2014 14:58:26 +0000
Most users and many administrators are not going to notice the new host key capabilities when it is buried in a changelog. We should at least give them an obvious hint about it.
Even better would be to prompt the user to generate the keys with a debconf question like was recently done with the "Change to "PermitRootLogin without-password"".
I would like to label this as a security vulnerability, but that may be a bit over the top, it would be a security improvement!
Changed in openssh (Ubuntu):
importance: Undecided → Medium
I don't think it's possible to write a prompt about this that ordinary mortals will understand, and I'm not sure I'm comfortable with generating new host keys by default. I'd rather just leave this the way it is.
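An added example, not part of the bug report or the openssh package: a shell check an administrator could run after an upgrade to see whether any `HostKey` directive in an sshd_config points at an ED25519 key. The function names and the constructed sample file names are hypothetical, and the key type is read from the first field of each key's `.pub` file.

```shell
#!/bin/sh
# Added example (not from the bug report). It only inspects explicit HostKey
# lines; a config with none relies on sshd's built-in defaults, unchecked here.

# Print the file named by every active HostKey directive in config file $1.
# Keywords are case-insensitive; commented-out lines do not match.
hostkey_paths() {
    awk 'tolower($1) == "hostkey" { print $2 }' "$1"
}

# Print the key type (e.g. ssh-ed25519) stored in the public half of key $1.
key_type() {
    [ -r "$1.pub" ] && awk 'NR == 1 { print $1 }' "$1.pub"
}

# Return 0 if some configured HostKey has an ssh-ed25519 public key on disk.
has_ed25519_hostkey() {
    for key in $(hostkey_paths "$1"); do
        if [ "$(key_type "$key")" = "ssh-ed25519" ]; then
            return 0
        fi
    done
    return 1
}

# Constructed sample: directory $1 gets a config naming two host keys
# (hypothetical file names) plus one commented-out directive.
make_sample() {
    dir=$1
    printf '%s\n' "# HostKey $dir/commented_out" \
        "HostKey $dir/key_rsa" "hostkey $dir/key_ed" > "$dir/sshd_config"
    echo "ssh-rsa AAAA-constructed host" > "$dir/key_rsa.pub"
    echo "ssh-ed25519 AAAA-constructed host" > "$dir/key_ed.pub"
}

# Usage: sh check.sh /path/to/sshd_config
if [ "$#" -eq 1 ]; then
    if has_ed25519_hostkey "$1"; then
        echo "ED25519 host key configured"
    else
        echo "no ED25519 host key configured in $1"
    fi
fi
```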