[Nix-dev] SECURITY: default SSH host keys are weak
Mathijs Kwik
mathijs at bluescreen303.nl
Fri Aug 23 20:39:48 CEST 2013
There probably is some MITM trick to force DSA.
That will then indeed lead to a "host changed" warning in case the
client has never used the dsa key before, so it probably won't hurt
indeed.
But an option to disable it would be better. Kind of like the
hostKeyType we have now :)
On Fri, Aug 23, 2013 at 8:36 PM, Eelco Dolstra
<eelco.dolstra at logicblox.com> wrote:
> Hi,
>
> On 23/08/13 20:25, Mathijs Kwik wrote:
>
>> I currently only have an ecdsa host key and would like to keep it that way.
>> This patch would give me a dsa key too which I don't want.
>
> The ssh client prefers ECDSA host keys over DSA keys so I don't think this is a
> big deal. But we could have an option to enable/disable generation of DSA keys.
>
> --
> Eelco Dolstra | LogicBlox, Inc. | http://nixos.org/~eelco/
More information about the nix-dev
mailing list