[Nix-dev] SECURITY: default SSH host keys are weak

Aristid Breitkreuz aristidb at gmail.com
Fri Aug 23 17:02:34 CEST 2013


Just how weak are they, and why?
Am 23.08.2013 14:02 schrieb <phreedom at yandex.ru>:

> It has been brought to our attention that the host keys created by the
> default SSH daemon configuration are too weak.
>
> Fix:
>
> If you don't care about compatibility with old and broken software:
>   services.openssh.hostKeyType = "ecdsa521";
>
> Otherwise:
>   services.openssh.hostKeyType = "rsa3072";
>
> Attempts to log into the host will cause SSH to complain about the key
> change.
> If you had anything that relies on passwordless logins, it will break.
>
> I have added a check for weak keys to sshd startup script:
> f8a6fa774e4e0e31c1bfdbd73bffd2d2dfa2e5d2
>
> I'll wait a couple of days and then change the hostKeyType default. Or
> maybe it should be done sooner?
>
> _______________________________________________
> nix-dev mailing list
> nix-dev at lists.science.uu.nl
> http://lists.science.uu.nl/mailman/listinfo/nix-dev
>
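The post mentions a weak-key check added to the sshd startup script but does not show it. The following is an added example, not the NixOS module's own check or any code from this thread: it parses `ssh-keygen -l` output (both the older hex and the newer SHA256 fingerprint styles) and applies an assumed policy derived from the two options recommended above, i.e. accept `ecdsa521` or RSA of at least 3072 bits, reject DSA (fixed at 1024 bits) and shorter RSA keys. The thresholds, the sample lines and the fail-closed handling of unknown key types are assumptions, not the project's settings.

```python
"""Audit SSH host keys for weak sizes/types by parsing `ssh-keygen -l` output.

Added example; the policy below is an assumption that mirrors the two
recommended settings from the thread (ecdsa521, rsa3072), not NixOS's check.
"""
import re
import shutil
import subprocess

MIN_RSA_BITS = 3072    # matches services.openssh.hostKeyType = "rsa3072"
MIN_ECDSA_BITS = 521   # matches services.openssh.hostKeyType = "ecdsa521" (assumed floor)

# `ssh-keygen -l` prints: "<bits> <fingerprint> <comment> (<TYPE>)"
FINGERPRINT_RE = re.compile(
    r"^(?P<bits>\d+)\s+(?P<fp>\S+)\s+(?P<comment>.*?)\s*\((?P<type>[A-Z0-9]+)\)\s*$"
)


def parse_fingerprint_line(line):
    """Return (bits, key_type) from one line of `ssh-keygen -l` output."""
    m = FINGERPRINT_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised ssh-keygen -l output: {line!r}")
    return int(m.group("bits")), m.group("type").upper()


def classify(bits, key_type):
    """Return (weak, reason) for a host key of the given size and type."""
    if key_type == "DSA":
        # DSA in OpenSSH is 1024-bit only; no size makes it acceptable here.
        return True, "DSA host key (1024-bit); regenerate as ecdsa521 or rsa3072"
    if key_type == "RSA":
        if bits < MIN_RSA_BITS:
            return True, f"RSA {bits}-bit is below the {MIN_RSA_BITS}-bit minimum"
        return False, "ok"
    if key_type == "ECDSA":
        if bits < MIN_ECDSA_BITS:
            return True, f"ECDSA {bits}-bit is below the {MIN_ECDSA_BITS}-bit minimum"
        return False, "ok"
    # Fail closed: a type this policy does not know about is reported, not accepted.
    return True, f"unknown key type {key_type}; not covered by policy"


def audit_lines(lines):
    """Classify a list of `ssh-keygen -l` lines; returns [(bits, type, weak, reason)]."""
    results = []
    for line in lines:
        bits, key_type = parse_fingerprint_line(line)
        weak, reason = classify(bits, key_type)
        results.append((bits, key_type, weak, reason))
    return results


def check_key_file(path):
    """Run `ssh-keygen -l -f PATH` on a real key file and classify it (needs OpenSSH installed)."""
    exe = shutil.which("ssh-keygen")
    if exe is None:
        raise RuntimeError("ssh-keygen not found on PATH")
    out = subprocess.run([exe, "-l", "-f", str(path)],
                         capture_output=True, text=True, check=True).stdout
    return classify(*parse_fingerprint_line(out))


# Constructed sample output lines (fingerprints and comments are made up).
SAMPLE_LINES = [
    "1024 3a:8b:1c:2d:4e:5f:60:71:82:93:a4:b5:c6:d7:e8:f9 root@nixos (DSA)",
    "2048 SHA256:c0nstructedFingerprintValue0000000000000000 root@nixos (RSA)",
    "3072 SHA256:c0nstructedFingerprintValue1111111111111111 root@nixos (RSA)",
    "521 SHA256:c0nstructedFingerprintValue2222222222222222 root@nixos (ECDSA)",
]

if __name__ == "__main__":
    for bits, key_type, weak, reason in audit_lines(SAMPLE_LINES):
        print(f"{'WEAK ' if weak else 'ok   '} {key_type:6} {bits:5}  {reason}")
```

On a live host, `check_key_file("/etc/ssh/ssh_host_rsa_key.pub")` gives the same verdict for the installed key; a startup script would abort or warn when `weak` is true, which is the behaviour the post describes for its own check.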