[Touch-packages] [Bug 1300133] Re: Generate ED25519 host keys on upgrade
openssh 1:7.4p1-5 just landed in zesty.  Among the changes, from 1:7.4p1-1:

  * Start handling /etc/ssh/sshd_config using ucf.  The immediate
    motivation for this is to deal with deprecations of options related
    to protocol 1, but something like this has been needed for a long
    time (closes: #419574, #848089):
    - sshd_config is now a slightly-patched version of upstream's, and
      only contains non-default settings (closes: #147201).
    - I've included as many historical md5sums of default versions of
      sshd_config as I could reconstruct from version control, but I'm
      sure I've missed some.
    - Explicitly synchronise the debconf database with the current
      configuration file state in openssh-server.config, to ensure that
      the PermitRootLogin setting is properly preserved.
    - UsePrivilegeSeparation now defaults to the stronger "sandbox"
      rather than "yes", per upstream.

Switching to the upstream configuration file has the effect (if sshd_config was previously some stock version, or if the admin accepts the ucf-prompted changes) of commenting out all the HostKey lines, at which point sshd will default to a set including ed25519 and the postinst will generate that host key.  I think that addresses this bug as thoroughly as is possible.

** Changed in: openssh (Ubuntu)
       Status: Confirmed => Fix Released

** Changed in: openssh (Ubuntu)
     Assignee: (unassigned) => Colin Watson (cjwatson)

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to openssh in Ubuntu.
https://bugs.launchpad.net/bugs/1300133

Title:
  Generate ED25519 host keys on upgrade

Status in openssh package in Ubuntu:
  Fix Released

Bug description:
  openssh (1:6.5p1-1) unstable; urgency=medium
  ...
    * Generate ED25519 host keys on fresh installations.  Upgraders who wish
      to add such host keys should manually add 'HostKey
      /etc/ssh/ssh_host_ed25519_key' to /etc/ssh/sshd_config and run
      'ssh-keygen -q -f /etc/ssh/ssh_host_ed25519_key -N "" -t ed25519'.
  ...
   -- Colin Watson  Mon, 10 Feb 2014 14:58:26 +

  Most users and many administrators are not going to notice the new host
  key capabilities when it is buried in a changelog.  We should at least
  give them an obvious hint about it.  Even better would be to prompt the
  user to generate the keys with a debconf question like was recently done
  with the "Change to "PermitRootLogin without-password"".

  I would like to label this as a security vulnerability, but that may be
  a bit over the top, it would be a security improvement!

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/1300133/+subscriptions

-- 
Mailing list: https://launchpad.net/~touch-packages
Post to     : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1300133] Re: Generate ED25519 host keys on upgrade
I think this should be done to improve security, especially in light of the new key rotation feature coming in the next version: http://blog.djm.net.au/2015/02/key-rotation-in-openssh-68.html
Re: [Touch-packages] [Bug 1300133] Re: Generate ED25519 host keys on upgrade
Hi Charles,

On 09/26/2014 01:03 AM, Charles Peters II wrote:
> # ssh-keygen -A
> ssh-keygen: generating new host keys: RSA1 ED25519
>
> I don't think we want to add the old RSA1 keys, just the new ED25519.

The old RSA1 keys won't be used unless you reference them in sshd_config, so there should be no harm.

Simon
[Touch-packages] [Bug 1300133] Re: Generate ED25519 host keys on upgrade
# ssh-keygen -A
ssh-keygen: generating new host keys: RSA1 ED25519

I don't think we want to add the old RSA1 keys, just the new ED25519.
[Touch-packages] [Bug 1300133] Re: Generate ED25519 host keys on upgrade
@cjwatson, IMHO running ssh-keygen -A and the accompanying restorecon if applicable should be done unconditionally in postinst. This way, the admin would be free to simply add the newer HostKey directives they want to use in sshd_config. More details about this suggestion in LP: #1005440 and LP: #1370523
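As an added example (not the openssh-server postinst and not code posted in this thread), here is a POSIX sh sketch of the upgrade step the thread circles around: Colin's point that once every HostKey line is commented out sshd falls back to its default key set and the missing ed25519 key can be generated, Simon's and Charles's objection that `ssh-keygen -A` on 6.x also produces an RSA1 key, and the proposal above to run generation and `restorecon` unconditionally in postinst. Assumptions: the default set is taken to be the OpenSSH 7.x upstream default (rsa, ecdsa, ed25519); the key directory is passed as a parameter in place of /etc/ssh; the two sshd_config files are constructed for the demo; the function names are mine.

```shell
#!/bin/sh
# Added example, not the openssh-server postinst: an idempotent host-key
# generation step for upgrades, driven by what sshd_config actually names.

# Key types sshd loads when sshd_config contains no HostKey line at all.
# Assumption: the upstream default set of OpenSSH 7.x (rsa, ecdsa, ed25519).
DEFAULT_HOSTKEY_TYPES="rsa ecdsa ed25519"

# Print, space-separated and sorted, the key types named by uncommented
# HostKey lines in the sshd_config given as $1. sshd keywords are
# case-insensitive, and a path /etc/ssh/ssh_host_<type>_key yields <type>.
configured_hostkey_types() {
    awk 'tolower($1) == "hostkey" && match($2, /ssh_host_[a-z0-9]+_key$/) {
             print substr($2, RSTART + 9, RLENGTH - 13)   # drop ssh_host_ and _key
         }' "$1" | sort -u | tr '\n' ' ' | sed 's/ $//'
}

# Print the key types sshd would try to load (explicit HostKey lines, or the
# default set once they are all commented out, as with the upstream config)
# for which no private key file exists in the key directory $2.
missing_hostkey_types() {
    mh_types=$(configured_hostkey_types "$1")
    [ -n "$mh_types" ] || mh_types="$DEFAULT_HOSTKEY_TYPES"
    mh_out=""
    for mh_t in $mh_types; do
        [ -f "$2/ssh_host_${mh_t}_key" ] || mh_out="$mh_out $mh_t"
    done
    printf '%s\n' "${mh_out# }"
}

# Generate only the missing keys, one targeted ssh-keygen call per type.
# This avoids `ssh-keygen -A`, which on OpenSSH 6.x also creates an RSA1
# (protocol 1) key nobody asked for, and it never overwrites an existing key.
# Host keys get an empty passphrase (-N "") because sshd loads them unattended.
generate_missing_hostkeys() {
    for gm_t in $(missing_hostkey_types "$1" "$2"); do
        ssh-keygen -q -t "$gm_t" -N "" -f "$2/ssh_host_${gm_t}_key" </dev/null || return 1
        # Relabel for SELinux where the tooling exists (no-op elsewhere).
        if command -v restorecon >/dev/null 2>&1; then
            restorecon "$2/ssh_host_${gm_t}_key" "$2/ssh_host_${gm_t}_key.pub"
        fi
    done
}

# Demo on constructed configs in a scratch directory standing in for /etc/ssh.
demo_dir=$(mktemp -d)
touch "$demo_dir/ssh_host_rsa_key"    # pretend an RSA host key already exists

# A stock pre-6.5 config that still spells out its HostKey lines: the
# commented-out ed25519 line is not in play, so no ed25519 key is "missing".
cat >"$demo_dir/sshd_config.old" <<'EOF'
Port 22
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
#HostKey /etc/ssh/ssh_host_ed25519_key
UsePrivilegeSeparation yes
EOF

# The upstream-style config: every HostKey line commented out, so sshd falls
# back to its default set and the ed25519 key becomes one of the missing ones.
cat >"$demo_dir/sshd_config.upstream" <<'EOF'
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key
#HostKey /etc/ssh/ssh_host_ed25519_key
UsePrivilegeSeparation sandbox
EOF

echo "old config, missing:      $(missing_hostkey_types "$demo_dir/sshd_config.old" "$demo_dir")"
echo "upstream config, missing: $(missing_hostkey_types "$demo_dir/sshd_config.upstream" "$demo_dir")"
if command -v ssh-keygen >/dev/null 2>&1; then
    generate_missing_hostkeys "$demo_dir/sshd_config.upstream" "$demo_dir" && ls "$demo_dir"
fi
rm -rf "$demo_dir"
```

Run against a real host the same way the postinst would, with `/etc/ssh/sshd_config` and `/etc/ssh` as the two arguments, and follow it with `sshd -t` before restarting the daemon; a client can then pick the new key up via the rotation mechanism linked earlier in the thread.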
[Touch-packages] [Bug 1300133] Re: Generate ED25519 host keys on upgrade
Status changed to 'Confirmed' because the bug affects multiple users.

** Changed in: openssh (Ubuntu)
       Status: New => Confirmed