[Nix-dev] SECURITY: default SSH host keys are weak
phreedom at yandex.ru
phreedom at yandex.ru
Fri Aug 23 14:02:21 CEST 2013
I has been brought to our attention that the host keys created by the default
SSH daemon configuration are too weak.
Fix:
If you don't care about compatibility with old and broken software:
services.openssh.hostKeyType = "ecdsa521";
Otherwise:
services.openssh.hostKeyType = "rsa3072";
Attempts to log into the host will cause SSH to complain about the key change.
If you had anything that relies on passwordless logins, it will break.
I have added a check for weak keys to sshd startup script:
f8a6fa774e4e0e31c1bfdbd73bffd2d2dfa2e5d2
I'll wait a couple of days and then change the hostKeyType default. Or maybe
it should be done sooner?
More information about the nix-dev
mailing list