Your message dated Tue, 10 Sep 2019 15:06:42 +0100
with message-id <[email protected]>
and subject line Re: Bug#773192: disable DSA key generation by default
has caused the Debian Bug report #773192,
regarding disable DSA key generation by default
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)

--
773192: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=773192
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: openssh-server
Version: all

During installation (or maybe the first startup, I'm not sure), the
openssh-server generates 1024-bit DSA keys. This key length is no longer
considered secure and therefore should be disabled, or created with a
longer key length. However, not all SSH implementations support DSA keys
longer than 1024 bits, so I suggest disabling DSA key generation.

According to NIST, 1024-bit keys are disallowed after 2013, see:
http://csrc.nist.gov/publications/nistpubs/800-131A/sp800-131A.pdf

This bug is somehow related to
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=481133 , but it's not a
duplicate.

Thank you,
Stefan Safar
--- End Message ---
--- Begin Message ---
Source: openssh
Source-Version: 1:7.2p2-6

On Tue, Sep 10, 2019 at 03:04:49PM +0100, Colin Watson wrote:
> However, I think it likely is a duplicate of #823827, which was fixed in
> 1:7.2p2-6 (before stretch). This is why it's relevant which version you
> encountered this bug in and whether you have any local customisations,
> because if it's a more recent version than that then we need to
> investigate further.

Err, sorry, I didn't notice that yours was an older email that popped up
at the end of my inbox due to a spam message in the same thread! In that
case, this is fixed in 1:7.2p2-6 as follows:

openssh (1:7.2p2-6) unstable; urgency=medium

  * debian/watch: Switch to HTTP (thanks, Nicholas Luedtke; closes: #822997).
  * Copy summary of supported SFTP protocol versions from upstream's PROTOCOL
    file into the openssh-sftp-server package description (closes: #766887).
  * Set SSH_PROGRAM=/usr/bin/ssh1 when building openssh-client-ssh1 so that
    scp1 works (reported by Olivier MATZ).
  * Retroactively add a NEWS.Debian entry for the UseDNS change in 6.9 (see
    LP #1588457).
  * CVE-2016-6210: Mitigate user enumeration via covert timing channel
    (closes: #831902).
  * Backport upstream patch to close ControlPersist background process stderr
    when not in debug mode or when logging to a file or syslog (closes:
    #714526).
  * Add a session cleanup script and a systemd unit file to trigger it, which
    serves to terminate SSH sessions cleanly if systemd doesn't do that
    itself, often because libpam-systemd is not installed (thanks, Vivek Das
    Mohapatra, Tom Hutter, and others; closes: #751636).
  * Stop generating DSA host keys by default (thanks, Santiago Vila; closes:
    #823827).

 -- Colin Watson <[email protected]>  Fri, 22 Jul 2016 17:06:19 +0100

Thanks,

--
Colin Watson                                       [[email protected]]
--- End Message ---
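The bug report above concerns openssh-server generating 1024-bit DSA host keys, and the closing message records the Debian change that stopped generating them by default. As an added example that is not from the bug report or from Debian's openssh packaging, the Python below audits existing public-key lines (host keys in /etc/ssh/*.pub or authorized_keys entries) by parsing the RFC 4253 key blob to recover the algorithm and modulus size, flagging ssh-dss keys and short RSA keys; the sample keys are constructed from arbitrary integers in valid wire framing (not real key pairs) and the 2048-bit RSA threshold is an assumption.

```python
import base64
import struct
def _string(s):
    """SSH string: 4-byte big-endian length, then the bytes (RFC 4251)."""
    return struct.pack(">I", len(s)) + s

def _mpint(n):
    """SSH mpint: two's complement big-endian, so a leading 0x00 when the MSB is set."""
    return _string(n.to_bytes((n.bit_length() + 8) // 8, "big"))

def _read_field(blob, off):  # one length-prefixed field -> (bytes, next offset)
    (n,) = struct.unpack(">I", blob[off:off + 4])
    return blob[off + 4:off + 4 + n], off + 4 + n

def parse_pubkey_line(line):
    """Return (key type, size in bits or None) for one *.pub / authorized_keys line."""
    fields = line.split()
    blob = base64.b64decode(fields[1])
    ktype, off = _read_field(blob, 0)
    ktype = ktype.decode("ascii")
    if ktype != fields[0]:
        raise ValueError("type prefix does not match the encoded blob")
    if ktype == "ssh-dss":  # RFC 4253: p, q, g, y; the size of p is the key size
        p, _ = _read_field(blob, off)
        return ktype, int.from_bytes(p, "big").bit_length()
    if ktype == "ssh-rsa":  # RFC 4253: e, then the modulus n
        _, off = _read_field(blob, off)
        n, _ = _read_field(blob, off)
        return ktype, int.from_bytes(n, "big").bit_length()
    if ktype == "ssh-ed25519":
        return ktype, 256
    return ktype, None

def host_key_verdict(line, min_rsa_bits=2048):
    """'ok', or the reason this host key should be removed or regenerated."""
    ktype, bits = parse_pubkey_line(line)
    if ktype == "ssh-dss":
        return "reject: ssh-dss (1024-bit DSA; NIST SP 800-131A disallows it after 2013)"
    if ktype == "ssh-rsa" and bits < min_rsa_bits:
        return f"reject: RSA modulus {bits} < {min_rsa_bits} bits"
    return "ok"

def _encode_line(ktype, *fields):  # builds a key line; only used for the samples
    return ktype + " " + base64.b64encode(_string(ktype.encode()) + b"".join(fields)).decode()

SAMPLES = {  # constructed: arbitrary integers in valid framing, not real key pairs
    "dss_1024": _encode_line("ssh-dss", _mpint((1 << 1023) + 5), _mpint((1 << 159) + 7), _mpint(2), _mpint(3)),
    "rsa_1024": _encode_line("ssh-rsa", _mpint(65537), _mpint((1 << 1023) + 1)),
    "ed25519": _encode_line("ssh-ed25519", _string(bytes(32))),
}
```

Running `host_key_verdict` over each line of `/etc/ssh/ssh_host_*_key.pub` on a system upgraded from before 1:7.2p2-6 shows whether an old DSA host key is still present, since the packaging change stops generating new ones but does not delete existing files.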