[Touch-packages] [Bug 1300133] Re: Generate ED25519 host keys on upgrade

2017-01-03 Thread Colin Watson
openssh 1:7.4p1-5 just landed in zesty.  Among the changes, from
1:7.4p1-1:

  * Start handling /etc/ssh/sshd_config using ucf.  The immediate motivation
    for this is to deal with deprecations of options related to protocol 1,
    but something like this has been needed for a long time (closes:
    #419574, #848089):
    - sshd_config is now a slightly-patched version of upstream's, and only
      contains non-default settings (closes: #147201).
    - I've included as many historical md5sums of default versions of
      sshd_config as I could reconstruct from version control, but I'm sure
      I've missed some.
    - Explicitly synchronise the debconf database with the current
      configuration file state in openssh-server.config, to ensure that the
      PermitRootLogin setting is properly preserved.
    - UsePrivilegeSeparation now defaults to the stronger "sandbox" rather
      than "yes", per upstream.

Switching to the upstream configuration file has the effect (if
sshd_config was previously some stock version, or if the admin accepts
the ucf-prompted changes) of commenting out all the HostKey lines, at
which point sshd will default to a set including ed25519 and the
postinst will generate that host key.  I think that addresses this bug
as thoroughly as is possible.

** Changed in: openssh (Ubuntu)
   Status: Confirmed => Fix Released

** Changed in: openssh (Ubuntu)
 Assignee: (unassigned) => Colin Watson (cjwatson)

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to openssh in Ubuntu.
https://bugs.launchpad.net/bugs/1300133

Title:
  Generate ED25519 host keys on upgrade

Status in openssh package in Ubuntu:
  Fix Released

Bug description:
  openssh (1:6.5p1-1) unstable; urgency=medium
  ...
    * Generate ED25519 host keys on fresh installations.  Upgraders who wish
      to add such host keys should manually add 'HostKey
      /etc/ssh/ssh_host_ed25519_key' to /etc/ssh/sshd_config and run
      'ssh-keygen -q -f /etc/ssh/ssh_host_ed25519_key -N "" -t ed25519'.
  ...
  -- Colin Watson   Mon, 10 Feb 2014 14:58:26 +

  Most users and many administrators are not going to notice the new
  host key capabilities when it is buried in a changelog.  We should at
  least give them an obvious hint about it.

  Even better would be to prompt the user to generate the keys with a
  debconf question like was recently done with the "Change to
  "PermitRootLogin without-password"".

  I would like to label this as a security vulnerability, but that may
  be a bit over the top; it would be a security improvement!

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/1300133/+subscriptions

-- 
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp


[Touch-packages] [Bug 1300133] Re: Generate ED25519 host keys on upgrade

2015-02-01 Thread Josha Foust
I think this should be done to improve security, especially in light of
the new key rotation feature coming in the next version:

http://blog.djm.net.au/2015/02/key-rotation-in-openssh-68.html



Re: [Touch-packages] [Bug 1300133] Re: Generate ED25519 host keys on upgrade

2014-09-26 Thread Simon Déziel
Hi Charles,

On 09/26/2014 01:03 AM, Charles Peters II wrote:
> # ssh-keygen -A
> ssh-keygen: generating new host keys: RSA1 ED25519
>
> I don't think we want to add the old RSA1 keys, just the new ED25519.

The old RSA1 keys won't be used unless you reference them in sshd_config,
so there should be no harm.

Simon



[Touch-packages] [Bug 1300133] Re: Generate ED25519 host keys on upgrade

2014-09-25 Thread Charles Peters II
# ssh-keygen -A
ssh-keygen: generating new host keys: RSA1 ED25519 

I don't think we want to add the old RSA1 keys, just the new ED25519.



[Touch-packages] [Bug 1300133] Re: Generate ED25519 host keys on upgrade

2014-09-17 Thread Simon Déziel
@cjwatson, IMHO running ssh-keygen -A and the accompanying restorecon
if applicable should be done unconditionally in postinst.

This way, the admin would be free to simply add the newer HostKey
directives they want to use in sshd_config. More details about this
suggestion in LP: #1005440 and LP: #1370523

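As an added example (not code from the bug thread, the openssh package or its postinst), here is a POSIX shell version of two things discussed in this thread: the manual upgrader step from the bug description (add a HostKey line, then run the changelog's ssh-keygen command) and Simon's suggestion above of generating missing keys unconditionally and running restorecon where it applies. It assumes the Debian/Ubuntu key paths under /etc/ssh, and it assumes that when sshd_config has no active HostKey line sshd falls back to the upstream default set of rsa, ecdsa and ed25519 (the OpenSSH 7.x default, which is why Colin's ucf-managed config enables ed25519 simply by commenting the HostKey lines out). Both assumptions are marked in the code.

```shell
#!/bin/sh
# Added example, not from the bug thread or the openssh package.
# Assumption: Debian/Ubuntu key paths, and OpenSSH 7.x's default HostKey
# set (rsa, ecdsa, ed25519) when sshd_config has no active HostKey line.
DEFAULT_HOSTKEYS="/etc/ssh/ssh_host_rsa_key
/etc/ssh/ssh_host_ecdsa_key
/etc/ssh/ssh_host_ed25519_key"

# effective_hostkeys CONFIG
# Print the host key files sshd would load: the uncommented HostKey lines
# in CONFIG (keyword is case-insensitive), or the assumed upstream defaults
# when there are none. A commented-out '#HostKey' line does not count.
effective_hostkeys() {
    keys=$(grep -iE '^[[:space:]]*HostKey[[:space:]]+' "$1" 2>/dev/null | awk '{print $2}')
    if [ -n "$keys" ]; then
        printf '%s\n' "$keys"
    else
        printf '%s\n' "$DEFAULT_HOSTKEYS"
    fi
}

# has_ed25519 CONFIG
# Succeed if the effective set already includes an ed25519 host key.
has_ed25519() {
    effective_hostkeys "$1" | grep -q 'ssh_host_ed25519_key'
}

# ensure_hostkey_line CONFIG KEYFILE
# The manual upgrader step from the changelog: append a HostKey directive
# for KEYFILE unless the effective set already contains it. Idempotent, and
# it leaves a config with no HostKey lines alone, since the defaults apply.
ensure_hostkey_line() {
    if ! effective_hostkeys "$1" | grep -qxF "$2"; then
        printf 'HostKey %s\n' "$2" >> "$1"
    fi
}

# generate_key_if_missing KEYFILE TYPE
# The ssh-keygen invocation from the changelog, run only when the key file
# is absent so an existing host identity is never overwritten; afterwards
# relabel for SELinux where restorecon exists, as suggested in the thread.
generate_key_if_missing() {
    [ -f "$1" ] && return 0
    ssh-keygen -q -f "$1" -N "" -t "$2" || return 1
    if command -v restorecon >/dev/null 2>&1; then
        restorecon "$1" "$1.pub"
    fi
}

# Typical upgrade use (as root):
#   ensure_hostkey_line /etc/ssh/sshd_config /etc/ssh/ssh_host_ed25519_key
#   generate_key_if_missing /etc/ssh/ssh_host_ed25519_key ed25519
```

After editing sshd_config, `sshd -t` validates it and `sshd -T | grep -i hostkey` prints the host key files sshd will actually load, which is the quickest way to confirm which keys are in use and that an unreferenced key file (such as the RSA1 key from the `ssh-keygen -A` exchange above) is not among them.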


[Touch-packages] [Bug 1300133] Re: Generate ED25519 host keys on upgrade

2014-09-17 Thread Launchpad Bug Tracker
Status changed to 'Confirmed' because the bug affects multiple users.

** Changed in: openssh (Ubuntu)
   Status: New => Confirmed
