On Tue, Jul 14, 2015 at 12:03:47PM +0200, Michael Olbrich wrote: > On Tue, Jul 07, 2015 at 10:52:52AM +0200, Clemens Gruber wrote: > > what do you think about my recent OpenSSH patches (not the version bumps) > > but > > enabling the sandbox per default (to use seccomp if available) and the > > switch > > from DSA to Ed25519. ArchLinux and current Debian both generate Ed25519 > > pubkeys > > by default and add them as HostKey to sshd_config. > > They keep DSA and ECDSA but as they fall apart completely if the random > > numbers > > used are not good, I am not sure this is a good idea for embedded systems > > where > > entropy is often very scarce. Ed25519 is not that sensitive to entropy > > problems. > > I looked at what Debian is doing, and I liked it: Basically, the postinst > script checks the sshd_config and generated the needed keys. I think we can > do the same in the ssh rc-once script. > Then we can choose more restrictive defaults. Then those that need other > keys just need to overwrite sshd_config in the BSP. > > Michael
Hi Michael, what do you think about my recent patch (openssh: improve rc.once.d script and harden sshd_config) from July 17th? I tried to follow what Debian is doing for key generation and I also hardened the default config. Regards, Clemens -- ptxdist mailing list ptxdist@pengutronix.de