Control: retitle -1 openssh-server: fine-tune server key creation
On Mon, Jun 03, 2013 at 02:32:06AM +0200, Christoph Anton Mitterer wrote:
With respect to the creation of SSH server keys in postinst, may I suggest the following: - not create ssh1 keys at all... actually I've never seen them auto-created, but code seems to be there This is mainly for security reasons... if someone really want's ssh1, he shoul manually create the keys.
Done in 1:7.1p2-2 (see #811265).
- specify bit sizes Also for security reasons, use the highest bit sizes possible for the respective algorithm,... it should have basically no performance impact, and if someone really thinks he wants a weaker key,.. he still can manually create it That is rsa2: -b 4096 dsa: -b 1024 ecdsa: -b 521 (no typo)
ssh-keygen's defaults are fine, especially nowadays that it defaults to 3072 bits for RSA keys. For the same sorts of reasons that I laid out in https://bugs.debian.org/1094246#10, I don't think it's necessary to override them here.
- use the FQDN as comment I always found it handy to have the full hostname on the server keys as comment, i.e. -C "$(hostname -f)" without username, as e.g. root@$(hostname -f), would be the personal key of the user root.
This seems probably reasonable. The only thing I was wondering was whether there were any (minor) privacy implications to recording that information? I guess not but I'm not certain.
-- Colin Watson (he/him) [[email protected]]
