On Mon, May 09, 2016 at 01:39:10PM +0200, Santiago Vila wrote:
> Since the ssh client no longer wants to connect to a server which has
> only a DSA key, because it's considered obsolete and not secure enough,
> the logical thing to do for the Debian openssh-server package would be
> to stop generating such keys on new systems as well.
Thanks for this patch. Mostly applied, though see below:

> @@ -114,8 +113,6 @@ create_keys() { > > create_key "Creating SSH2 RSA key; this may take some time ..." \ > "$hostkeys" /etc/ssh/ssh_host_rsa_key -t rsa > - create_key "Creating SSH2 DSA key; this may take some time ..." \ > - "$hostkeys" /etc/ssh/ssh_host_dsa_key -t dsa > create_key "Creating SSH2 ECDSA key; this may take some time ..." \ > "$hostkeys" /etc/ssh/ssh_host_ecdsa_key -t ecdsa > create_key "Creating SSH2 ED25519 key; this may take some time ..." \

I think it makes sense to omit this hunk of the patch for now. Not listing the keys in host_keys_required's defaults or in the default-generated configuration file should be enough for now, and if a host key is in fact explicitly listed in the configuration file then we should IMO still generate it.

Cheers,

-- 
Colin Watson [cjwat...@debian.org]
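Review bot: the removal of the DSA create_key call in this hunk is unconditional, so create_keys() would no longer produce /etc/ssh/ssh_host_dsa_key even on a system whose configuration still explicitly lists it as a HostKey, leaving that HostKey line pointing at a file that is never generated. Every call in this function already receives "$hostkeys", so the per-type decision belongs to that list rather than to the presence of the call; keep `create_key "Creating SSH2 DSA key; this may take some time ..." \ "$hostkeys" /etc/ssh/ssh_host_dsa_key -t dsa` and drop dsa from the host_keys_required defaults and the generated configuration instead, which already stops new installs from creating it.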