[Nix-dev] SECURITY: default SSH host keys are weak

2013-08-23 Thread phreedom
It has been brought to our attention that the host keys created by the default SSH daemon configuration are too weak. Fix: If you don't care about compatibility with old and broken software: services.openssh.hostKeyType = ecdsa521; Otherwise: services.openssh.hostKeyType = rsa3072;

Re: [Nix-dev] SECURITY: default SSH host keys are weak

2013-08-23 Thread Marc Weber
Or raise an exception unless a new option such as allowWeakKeyTypes is set to true. There is a way to write assertions, grep for assertion in nixos. I'd like to see such issues treated seriously and force the right thing unless the admin really opts out. Marc Weber

Re: [Nix-dev] SECURITY: default SSH host keys are weak

2013-08-23 Thread Peter Simons
I am in favor of changing the default key type to something stronger than 1024 bit DSA for newly generated keys. I do not want any of my existing keys re-generated or replaced, though. Can the change in NixOS be made in such a way that accomplishes this? Peter

Re: [Nix-dev] SECURITY: default SSH host keys are weak

2013-08-23 Thread Eelco Dolstra
Hi, On 23/08/13 18:05, Peter Simons wrote: I am in favor of changing the default key type to something stronger than 1024 bit DSA for newly generated keys. I do not want any of my existing keys re-generated or replaced, though. Can the change in NixOS be made in such a way that

Re: [Nix-dev] SECURITY: default SSH host keys are weak

2013-08-23 Thread Mathijs Kwik
I currently only have an ecdsa host key and would like to keep it that way. This patch would give me a dsa key too which I don't want. On Fri, Aug 23, 2013 at 7:28 PM, Eelco Dolstra eelco.dols...@logicblox.com wrote: Hi, On 23/08/13 18:05, Peter Simons wrote: I am in favor of changing the

Re: [Nix-dev] SECURITY: default SSH host keys are weak

2013-08-23 Thread phreedom
It has been brought to our attention that the host keys created by the default SSH daemon configuration are too weak. Citation needed please. According to who are DSA keys bad? OpenSSH's own make host-key installs a DSA key (in addition to RSA and ECDSA keys). Section 2.1: 1024bit keys

Re: [Nix-dev] SECURITY: default SSH host keys are weak

2013-08-23 Thread Eelco Dolstra
Hi, On 23/08/13 20:25, Mathijs Kwik wrote: I currently only have an ecdsa host key and would like to keep it that way. This patch would give me a dsa key too which I don't want. The ssh client prefers ECDSA host keys over DSA keys so I don't think this is a big deal. But we could have an

Re: [Nix-dev] SECURITY: default SSH host keys are weak

2013-08-23 Thread Eelco Dolstra
Hi, On 23/08/13 20:29, phree...@yandex.ru wrote: It has been brought to our attention that the host keys created by the default SSH daemon configuration are too weak. Citation needed please. According to who are DSA keys bad? OpenSSH's own make host-key installs a DSA key (in addition to

Re: [Nix-dev] SECURITY: default SSH host keys are weak

2013-08-23 Thread Mathijs Kwik
There probably is some MITM trick to force DSA. That will then indeed lead to a host changed warning in case the client has never used the dsa key before, so it probably won't hurt indeed. But an option to disable it would be better. Kind of like the hostKeyType we have now :) On Fri, Aug 23,

Re: [Nix-dev] SECURITY: default SSH host keys are weak

2013-08-23 Thread phreedom
It has been brought to our attention that the host keys created by the default SSH daemon configuration are too weak. Citation needed please. According to who are DSA keys bad? OpenSSH's own make host-key installs a DSA key (in addition to RSA and ECDSA keys). Section 2.1:

Re: [Nix-dev] SECURITY: default SSH host keys are weak

2013-08-23 Thread Eelco Dolstra
Hi, On 23/08/13 20:43, phree...@yandex.ru wrote: On 23/08/13 20:25, Mathijs Kwik wrote: I currently only have an ecdsa host key and would like to keep it that way. This patch would give me a dsa key too which I don't want. The ssh client prefers ECDSA host keys over DSA keys so I don't

Re: [Nix-dev] SECURITY: default SSH host keys are weak

2013-08-23 Thread phreedom
Looks good. Thanks! The ssh client prefers ECDSA host keys over DSA keys so I don't think this is a big deal. But we could have an option to enable/disable generation of DSA keys. I'd keep the path to the host keys configurable, maybe bump key sizes a little. Okay, I've now