[Nix-dev] SECURITY: default SSH host keys are weak
phreedom at yandex.ru
Sat Aug 24 05:18:53 CEST 2013
Looks good. Thanks!
> >> The ssh client prefers ECDSA host keys over DSA keys so I don't think
> >> this is a big deal. But we could have an option to enable/disable
> >> generation of DSA keys.
> >
> > I'd keep the path to the host keys configurable, maybe bump key sizes a
> > little.
> Okay, I've now pushed a commit that does this
> (9771f0c96c87cf03519033df408ca309696a9469). It enables both ECDSA and DSA,
> but you can turn off the DSA key by saying:
>
> services.openssh.hostKeys =
>   [ { path = "/etc/ssh/ssh_host_ecdsa_key";
>       type = "ecdsa";
>       bits = 521;
>     }
>   ];
>
> If desired, we could also enable an RSA key by default.
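As an added illustration (not code from the thread or from the NixOS commit it refers to), this is how the same option can carry more than one key. Listing only ECDSA and RSA entries means no DSA host key is generated at all; the RSA entry, its 4096-bit length and both key paths are assumptions chosen for the example, not values stated in the message.

```nix
# Added example, not from the mailing-list thread: a NixOS module that
# configures the OpenSSH host keys explicitly.  Only the keys listed here
# are generated, so leaving DSA out of the list disables it.  The RSA
# entry and its bit length are assumed values for this example.
{
  services.openssh.enable = true;
  services.openssh.hostKeys = [
    { path = "/etc/ssh/ssh_host_ecdsa_key";   # ECDSA on the P-521 curve
      type = "ecdsa";
      bits = 521;
    }
    { path = "/etc/ssh/ssh_host_rsa_key";     # RSA, sized for long-term use
      type = "rsa";
      bits = 4096;
    }
  ];
}
```

After rebuilding, the key files at the listed paths are the only host keys sshd presents; checking each with `ssh-keygen -l -f <path>` shows the type and bit length that actually ended up on disk.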