[Nix-dev] SECURITY: default SSH host keys are weak
phreedom at yandex.ru
Fri Aug 23 20:43:38 CEST 2013
On Friday, 23 August 2013 at 20:36:26, Eelco Dolstra wrote:
> Hi,
>
> On 23/08/13 20:25, Mathijs Kwik wrote:
> > I currently only have an ecdsa host key and would like to keep it that
> > way.
> > This patch would give me a dsa key too which I don't want.
>
> The ssh client prefers ECDSA host keys over DSA keys so I don't think this
> is a big deal. But we could have an option to enable/disable generation of
> DSA keys.
I'd keep the path to the host keys configurable, maybe bump key sizes a little.
Otherwise, it should be fine. Unfortunately, the known hosts files can't be fixed
and weaker keys will be used until users take action :(