On Fri 2017-09-15 18:00:27 -0400, Daniel Kahn Gillmor wrote: > (c) I'm more reluctant about shipping openssh-server enabled by > default, for the same sort of forensics concerns i have in (a).
one more concern, actually, is ssh host key generation. I want to make sure that the debirf image doesn't have a secret key shipped in it. i think the right thing is to auto-generate an ed25519 key at service start time if it doesn't already exist, but i'm not sure the best way to make that happen. --dkg
signature.asc
Description: PGP signature