[Bug 2662] New: Does it still make sense to use DSA host keys by default?

bugzilla-daemon at bugzilla.mindrot.org bugzilla-daemon at bugzilla.mindrot.org
Mon Jan 9 05:45:12 AEDT 2017


https://bugzilla.mindrot.org/show_bug.cgi?id=2662

            Bug ID: 2662
           Summary: Does it still make sense to use DSA host keys by
                    default?
           Product: Portable OpenSSH
           Version: 7.4p1
          Hardware: Other
                OS: Linux
            Status: NEW
          Severity: enhancement
          Priority: P5
         Component: sshd
          Assignee: unassigned-bugs at mindrot.org
          Reporter: cjwatson at debian.org

Despite the fact that the client disables DSA support by default since
OpenSSH 7.0, the server still includes it in the implicit list of host
keys used if you don't specify any HostKey options at all (which is the
default behaviour in the stock sshd_config).  This seems a bit odd. 
Would you consider removing it from the list in
fill_default_server_options, thereby requiring people who really need
it to specify it manually?  That would seem to be useful in further
discouraging the use of DSA.

Background for why I'm asking: https://bugs.debian.org/823827 requested
something similar, which at the time I handled only in the Debian
packaging scripts.  Recently I switched to doing a better job of
upgrading server configuration files and using something much closer to
the stock upstream sshd_config, which has resulted in
https://bugs.debian.org/850614, so I'm considering patching this out of
fill_default_server_options given that the Debian packaging scripts
ensure that all necessary host keys are generated so something newer
should always be available; but it seems worth asking if you have
serious qualms about that approach.
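A small checker for the behaviour described above, added here as an example and not part of the bug report or of OpenSSH: it resolves the host key files sshd would load from a given sshd_config, applying the implicit fallback the report describes (no HostKey directive present means the built-in list, DSA included) and flags a DSA key. It assumes the stock /etc/ssh/ssh_host_*_key paths for the fallback list.

```shell
#!/bin/sh
# Added example, not code from the bug report. Resolves the effective host
# key list for a 7.4p1-style sshd_config: explicit HostKey lines win; with
# none present, fill_default_server_options() supplies the built-in list,
# which (per the report) still contains the DSA key. Fallback paths are the
# stock defaults and are an assumption of this example.

effective_hostkeys() {
    # $1 = path to an sshd_config. Directive names are case-insensitive and
    # may be indented; commented-out lines (#HostKey ...) must not count,
    # since the stock file ships with exactly those.
    keys=$(awk 'tolower($1) == "hostkey" { print $2 }' "$1")
    if [ -n "$keys" ]; then
        printf '%s\n' "$keys"
    else
        printf '%s\n' /etc/ssh/ssh_host_rsa_key /etc/ssh/ssh_host_dsa_key \
            /etc/ssh/ssh_host_ecdsa_key /etc/ssh/ssh_host_ed25519_key
    fi
}

# Exit status 0 when a DSA host key would be loaded, 1 otherwise.
uses_dsa_hostkey() {
    effective_hostkeys "$1" | grep -q 'dsa'
}

# Constructed sample: a stock-like config with only commented HostKey lines,
# which therefore falls back to the implicit list.
sample=$(mktemp)
cat > "$sample" <<'EOF'
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key
Port 22
EOF
if uses_dsa_hostkey "$sample"; then
    echo "implicit host key list in use; DSA key would be loaded:"
    effective_hostkeys "$sample"
    echo "fix: list HostKey lines explicitly and omit ssh_host_dsa_key"
fi
rm -f "$sample"
```

Pinning HostKey lines explicitly (rsa, ecdsa, ed25519) in sshd_config is the configuration-side equivalent of the change the report asks for.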
