It has been brought to our attention that the host keys created by the default SSH daemon configuration are too weak.

Fix:

If you don't care about compatibility with old and broken software:

    services.openssh.hostKeyType = "ecdsa521";

Otherwise:

    services.openssh.hostKeyType = "rsa3072";

Attempts to log into the host will cause SSH to complain about the key change. If you had anything that relies on passwordless logins, it will break.

I have added a check for weak keys to the sshd startup script: f8a6fa774e4e0e31c1bfdbd73bffd2d2dfa2e5d2

I'll wait a couple of days and then change the hostKeyType default. Or maybe it should be done sooner?

_______________________________________________
nix-dev mailing list
[email protected]
http://lists.science.uu.nl/mailman/listinfo/nix-dev
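
Added example, not part of the original message and not the check from the commit it cites: one way to flag weak host keys by parsing `ssh-keygen -l` output. The function names, the /etc/ssh default directory and the thresholds (RSA below 3072 bits and any DSA key count as weak) are assumptions made for illustration.

```sh
#!/bin/sh
# Added example: classify SSH host keys from `ssh-keygen -l` output.
# Thresholds are assumptions, not taken from the commit cited in the message.
MIN_RSA_BITS=3072   # assumed floor; mirrors the "rsa3072" value in the message

# classify_key_line LINE
# LINE has the form "<bits> <fingerprint> <comment...> (<TYPE>)".
# Prints "ok TYPE BITS", "weak TYPE BITS" or "unparsed".
# Returns 0 for ok, 1 for weak, 2 when the line cannot be parsed.
classify_key_line() {
    line=$1
    bits=${line%% *}        # first field: key size in bits
    type=${line##*\(}       # text after the last "("
    type=${type%\)}         # drop the trailing ")"
    case $bits in
        ''|*[!0-9]*) echo "unparsed"; return 2 ;;
    esac
    case $type in
        RSA)
            if [ "$bits" -lt "$MIN_RSA_BITS" ]; then
                echo "weak RSA $bits"; return 1
            fi ;;
        DSA) echo "weak DSA $bits"; return 1 ;;   # OpenSSH DSA keys are 1024-bit
        ECDSA|ED25519) ;;                         # accepted at any reported size
        *) echo "unparsed"; return 2 ;;           # unknown type: do not guess
    esac
    echo "ok $type $bits"
}

# scan_host_keys [DIR]
# Classifies every public host key in DIR (assumed default: /etc/ssh).
# Returns non-zero if any key is weak or unparsed.
scan_host_keys() {
    dir=${1:-/etc/ssh}
    rc=0
    for pub in "$dir"/ssh_host_*_key.pub; do
        [ -e "$pub" ] || continue
        result=$(classify_key_line "$(ssh-keygen -l -f "$pub")") || rc=1
        echo "$pub: $result"
    done
    return $rc
}

# Run the scan only when asked to, so sourcing this file has no side effects.
if [ "${1:-}" = "--scan" ]; then
    scan_host_keys "${2:-/etc/ssh}"
fi
```

Unknown key types are reported as "unparsed" rather than accepted, so a new or unexpected key format shows up in the scan result.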
