Package: openssh-server
Version: 1:4.7p1-9
Severity: important

The recent update has two big problems:

1) Yes, it tells the admin that it will replace the host key, but does not allow him to stop and do that step later.
2) It disables weak keys without further notice.

This was both documented in the DSA, however only about 30000 admins will read that and as such cannot be considered an information source that reaches everyone.

Suggestions:
* Add a notice to NEWS.Debian. (Suggestion from Nico Golde.)
* Make "no" an option on replacing the host key.
* Ask whether weak keys should be disabled.

Especially the last point can result in the admin locking himself out of the system, which is bad. Even if this is a user's fault, this behaviour is not nice and Debian's priority should by policy be its users.

Helmut

PS: No, I did not encounter this problem by myself. ;-)

