hi!
> However, using stock initramfs-tools, the keys then get placed into a world-readable initramfs, allowing any account on the server to extract the host keys directly:
you're right. but this is actually not an issue of the dropbear package. building the initramfs is done with update-initramfs which uses mkinitramfs, both are part of initramfs-tools. so i guess this bugreport should be moved to the package initramfs-tools.

i know this can be done, but i haven't done that yet (and i'm not sure whether this can only be done by package maintainers) and i guess having somebody who knows what he's doing actually doing this is to be preferred... :)

if i got that right, possible straightforward solutions would be preferably to change 'umask 0022' in line 3 of /usr/sbin/mkinitramfs to 'umask 0077', or to add 'chmod 600 "${outfile}"' before the last if-block in /usr/sbin/mkinitramfs if the umask shouldn't be changed for other reasons.

regards,
Chris
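A check for the exposure discussed in this thread, as an added example that is not part of the original message or of initramfs-tools: it lists initramfs images that group or others can read, and shows what mode a newly written image gets under each of the two umask values mentioned above. It assumes GNU find and stat (as on Debian); the function names and the file names in the demo are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit initramfs image permissions and show the umask effect.
# Assumes GNU find/stat (as on Debian); file names below are constructed.

# List initramfs images in directory $1 that group or others can read.
audit_initramfs() {
    find "$1" -maxdepth 1 -type f -name 'initrd.img-*' -perm /044 -print
}

# Stand-in for the final write in mkinitramfs: create $2 under umask $1.
# The subshell keeps the umask change from leaking into the caller.
write_image() {
    ( umask "$1" && rm -f "$2" && : > "$2" )
}

# Octal permission bits of $1, e.g. 644.
mode_of() {
    stat -c '%a' "$1"
}

demo() {
    dir=$(mktemp -d) || return 1
    write_image 0022 "$dir/initrd.img-constructed-a"   # umask currently in mkinitramfs
    write_image 0077 "$dir/initrd.img-constructed-b"   # proposed umask
    write_image 0022 "$dir/initrd.img-constructed-c"
    chmod 600 "$dir/initrd.img-constructed-c"          # proposed chmod alternative
    for f in "$dir"/initrd.img-*; do
        printf '%s %s\n' "$(mode_of "$f")" "${f##*/}"
    done
    echo "readable by group/other:"
    audit_initramfs "$dir" | sed 's|.*/|  |'
    rm -rf "$dir"
}

demo
```

On a real system, `audit_initramfs /boot` reports the images that still need `chmod 600` or a rebuild. With the chmod variant the file exists with its umask-derived mode until the chmod runs, whereas the umask variant creates it restricted from the start.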