[Nix-dev] SECURITY: default SSH host keys are weak

Mathijs Kwik mathijs at bluescreen303.nl
Fri Aug 23 20:25:36 CEST 2013


I currently only have an ecdsa host key and would like to keep it that way.
This patch would give me a dsa key too which I don't want.

On Fri, Aug 23, 2013 at 7:28 PM, Eelco Dolstra
<eelco.dolstra at logicblox.com> wrote:
> Hi,
>
> On 23/08/13 18:05, Peter Simons wrote:
>
>> I am in favor of changing the default key type to something stronger
>> than 1024 bit DSA for newly generated keys.
>>
>> I do not want any of my existing keys re-generated or replaced, though.
>>
>> Can the change in NixOS be made in such a way that accomplishs this?
>
> We can just generate an ECDSA key in addition to the DSA key, which is in fact
> what upstream's "make host-key" does.  I suggest we apply the attached patch
> that does that.  It's completely backwards compatible in that it will generate
> an ECDSA host key on systems that don't have one, while clients that have the
> DSA key in their known_hosts will continue to use that.  (It also drops the
> configurability of the host key type since that doesn't support having multiple
> host keys.)
>
> --
> Eelco Dolstra | LogicBlox, Inc. | http://nixos.org/~eelco/
>
> _______________________________________________
> nix-dev mailing list
> nix-dev at lists.science.uu.nl
> http://lists.science.uu.nl/mailman/listinfo/nix-dev
>


More information about the nix-dev mailing list