[Bug 2662] New: Does it still make sense to use DSA host keys by default?
bugzilla-daemon at bugzilla.mindrot.org
Mon Jan 9 05:45:12 AEDT 2017
https://bugzilla.mindrot.org/show_bug.cgi?id=2662
Bug ID: 2662
Summary: Does it still make sense to use DSA host keys by default?
Product: Portable OpenSSH
Version: 7.4p1
Hardware: Other
OS: Linux
Status: NEW
Severity: enhancement
Priority: P5
Component: sshd
Assignee: unassigned-bugs at mindrot.org
Reporter: cjwatson at debian.org

Despite the fact that the client disables DSA support by default since
OpenSSH 7.0, the server still includes it in the implicit list of host
keys used if you don't specify any HostKey options at all (which is the
default behaviour in the stock sshd_config). This seems a bit odd.
Would you consider removing it from the list in
fill_default_server_options, thereby requiring people who really need
it to specify it manually? That would seem to be useful in further
discouraging the use of DSA.

Background for why I'm asking: https://bugs.debian.org/823827 requested
something similar, which at the time I handled only in the Debian
packaging scripts. Recently I switched to doing a better job of
upgrading server configuration files and using something much closer to
the stock upstream sshd_config, which has resulted in
https://bugs.debian.org/850614, so I'm considering patching this out of
fill_default_server_options given that the Debian packaging scripts
ensure that all necessary host keys are generated so something newer
should always be available; but it seems worth asking if you have
serious qualms about that approach.
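
An audit sketch for the behaviour described in the report, added here as an example (it is not OpenSSH or Debian code): it reads sshd_config text and reports whether a DSA host key is in play because of the implicit list or because of an explicit HostKey line. The /etc/ssh directory, the order of the implicit list and the match on the file name ssh_host_dsa_key are assumptions of this example; the sample configurations are constructed.

```python
import re

# Assumption: sshd was built with /etc/ssh as its configuration directory.
SSHDIR = "/etc/ssh"
# Implicit list used when no HostKey option is given, as the report describes
# for 7.4p1 (DSA still included). The order here is an assumption.
IMPLICIT_HOST_KEYS = [f"{SSHDIR}/ssh_host_{t}_key"
                      for t in ("rsa", "dsa", "ecdsa", "ed25519")]

# keyword, then whitespace or "=", then the argument
_DIRECTIVE = re.compile(r"^([A-Za-z0-9]+)(?:\s*=\s*|\s+)(.*)$")

def effective_host_keys(config_text):
    """Return (paths, implicit): explicit HostKey paths, else the implicit list."""
    explicit = []
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or comment, e.g. the stock "#HostKey ..." lines
        m = _DIRECTIVE.match(line)
        # Keywords are case-insensitive; HostKeyAlgorithms etc. must not match.
        if m and m.group(1).lower() == "hostkey":
            explicit.append(m.group(2).strip().strip('"'))
    if explicit:
        return explicit, False
    return list(IMPLICIT_HOST_KEYS), True

def dsa_host_key_findings(config_text):
    """List (origin, path) for host keys that look like DSA keys by file name."""
    paths, implicit = effective_host_keys(config_text)
    origin = "implicit" if implicit else "explicit"
    # Heuristic: the real key type is in the key file, not in its name.
    return [(origin, p) for p in paths
            if p.rsplit("/", 1)[-1] == "ssh_host_dsa_key"]

# Constructed sample: stock-style config, every HostKey line commented out.
STOCK = """\
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key
PermitRootLogin no
"""
# Constructed sample: host keys pinned explicitly, DSA left out.
PINNED = """\
hostkey /etc/ssh/ssh_host_ed25519_key
HostKey=/etc/ssh/ssh_host_rsa_key
HostKeyAlgorithms ssh-ed25519,rsa-sha2-512
"""

if __name__ == "__main__":
    for name, text in (("stock", STOCK), ("pinned", PINNED)):
        print(name, dsa_host_key_findings(text) or "no DSA host key configured")
```

On a live host, `sshd -T` prints the effective configuration, including the `hostkey` lines the running binary would actually use.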