[Nix-dev] SECURITY: default SSH host keys are weak
Eelco Dolstra
eelco.dolstra at logicblox.com
Sat Aug 24 01:07:30 CEST 2013
Hi,
On 23/08/13 20:43, phreedom at yandex.ru wrote:
>> On 23/08/13 20:25, Mathijs Kwik wrote:
>>> I currently only have an ecdsa host key and would like to keep it that
>>> way.
>>> This patch would give me a dsa key too which I don't want.
>>
>> The ssh client prefers ECDSA host keys over DSA keys so I don't think this
>> is a big deal. But we could have an option to enable/disable generation of
>> DSA keys.
>
> I'd keep the path to the host keys configurable, maybe bump key sizes a little.
Okay, I've now pushed a commit that does this
(9771f0c96c87cf03519033df408ca309696a9469). It enables both ECDSA and DSA, but
you can turn off the DSA key by saying:
    services.openssh.hostKeys =
      [ { path = "/etc/ssh/ssh_host_ecdsa_key";
          type = "ecdsa";
          bits = 521;
        }
      ];
If desired, we could also enable an RSA key by default.
--
Eelco Dolstra | LogicBlox, Inc. | http://nixos.org/~eelco/
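
Added example (not part of the original message or of NixOS): a POSIX shell check that classifies host keys from `ssh-keygen -l` output, to confirm which key types and sizes a host actually has after setting `services.openssh.hostKeys`. The function names, the weak/ok thresholds and the sample lines are assumptions made for illustration.

```shell
#!/bin/sh
# Input lines have the form printed by `ssh-keygen -l -f <key>.pub`:
#   <bits> <fingerprint> <comment...> (<TYPE>)
# Thresholds are assumptions for this example, not NixOS defaults.

classify_hostkey() {
    # $1 = one line of ssh-keygen -l output; prints "<TYPE> <bits> <verdict>"
    line=$1
    bits=${line%% *}          # first field
    type=${line##*\(}         # text after the last "("
    type=${type%\)}           # drop the trailing ")"
    case $bits in
        ''|*[!0-9]*) echo "UNKNOWN 0 unparsed"; return 2 ;;
    esac
    case $type in
        DSA)           verdict=weak ;;   # ssh-keygen only creates 1024-bit DSA keys
        RSA)           [ "$bits" -ge 2048 ] && verdict=ok || verdict=weak ;;
        ECDSA|ED25519) verdict=ok ;;
        *)             echo "$type $bits unknown-type"; return 2 ;;
    esac
    echo "$type $bits $verdict"
    [ "$verdict" = ok ]
}

audit_hostkeys() {
    # Reads ssh-keygen -l lines on stdin; succeeds only if every key is "ok".
    bad=0
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        classify_hostkey "$line" || bad=$((bad + 1))
    done
    [ "$bad" -eq 0 ]
}

# Constructed sample lines (fingerprints are placeholders, not real keys).
SAMPLE='521 SHA256:PLACEHOLDER-ECDSA root@example (ECDSA)
1024 SHA256:PLACEHOLDER-DSA root@example (DSA)'
printf '%s\n' "$SAMPLE" | audit_hostkeys || echo "weak or unrecognised host keys found"

# On a real host:
#   for f in /etc/ssh/ssh_host_*_key.pub; do ssh-keygen -l -f "$f"; done | audit_hostkeys
```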