Christoph Anton Mitterer <cales...@scientia.net> writes:

> On Tue, 2015-01-06 at 18:52 +0200, Vasil Kolev wrote:
> > - get openssh to generate 4096-bit RSA keys by default;
> ... and disable DSA and RSA1 keys, which is possible if you name all
> other "default" keys explicitly in the config, like:
> sshd_config:
> HostKey /etc/ssh/ssh_host_ed25519_key
> HostKey /etc/ssh/ssh_host_ecdsa_key
> HostKey /etc/ssh/ssh_host_rsa_key
> #Note: SSH Version 2 DSA host keys are implicitly disabled.
> ##HostKey /etc/ssh/ssh_host_dsa_key
> #Note: SSH Version 1 RSA host keys are implicitly disabled.
> ##HostKey /etc/ssh/ssh_host_key

The problem with this approach is that you won't get any new keys onto
your system in future OpenSSH versions that support them. So if we did
this in Debian, then everyone would have to remember to update that list
themselves on subsequent upgrades. And, we'd rather use upstream config
where possible, I think.

Regards,

Matthew

--
"At least you know where you are with Microsoft."
"True. I just wish I'd brought a paddle."
http://www.debian.org
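
The trade-off raised in this thread (an explicit HostKey list keeps DSA and RSA1 off, but also hides any key type added later) can be checked on a host. The Python sketch below is an added example, not code from the thread, Debian or OpenSSH. The sample config is the one quoted above; the file listing and the key name ssh_host_newalgo_key are constructed.

```python
import re

# Key files the thread wants disabled: the SSH-2 DSA key and the SSH-1 RSA key.
WEAK_FILES = {"ssh_host_dsa_key": "DSA", "ssh_host_key": "RSA1"}
KEY_FILE_RE = re.compile(r"^ssh_host_(?:[a-z0-9]+_)?key$")  # private keys only

# sshd_config as quoted in the thread.
SAMPLE_CONFIG = """\
HostKey /etc/ssh/ssh_host_ed25519_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_rsa_key
##HostKey /etc/ssh/ssh_host_dsa_key
##HostKey /etc/ssh/ssh_host_key
"""
# Constructed /etc/ssh listing; "newalgo" stands in for a future key type.
SAMPLE_FILES = ["ssh_host_ed25519_key", "ssh_host_ed25519_key.pub",
                "ssh_host_ecdsa_key", "ssh_host_rsa_key",
                "ssh_host_dsa_key", "ssh_host_newalgo_key"]


def listed_host_keys(config_text):
    """Return the paths of active (uncommented) HostKey directives."""
    paths = []
    for line in config_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0].lower() == "hostkey":
            paths.append(parts[1].strip().strip('"'))
    return paths


def audit(config_text, files_on_disk):
    """Compare the explicit HostKey list with the key files present."""
    listed = [p.rsplit("/", 1)[-1] for p in listed_host_keys(config_text)]
    present = sorted(f for f in files_on_disk if KEY_FILE_RE.match(f))
    return {
        # No HostKey lines at all: sshd uses its built-in default list.
        "explicit_list": bool(listed),
        "weak_enabled": sorted(WEAK_FILES[n] for n in listed if n in WEAK_FILES),
        # Keys on disk that a pinned list will never offer to clients.
        "present_not_listed": [f for f in present if listed
                               and f not in listed and f not in WEAK_FILES],
        "listed_missing": sorted(n for n in listed if n not in files_on_disk),
    }


if __name__ == "__main__":
    print(audit(SAMPLE_CONFIG, SAMPLE_FILES))
```

To audit a real host, pass the contents of /etc/ssh/sshd_config and os.listdir("/etc/ssh") instead of the sample values.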