On Tue, Oct 05, 2021 at 09:21:33PM +1100, Trent W. Buck wrote:
> Michael Prokop wrote:
> > Nowadays™ with systemd we use our own ssh.service, which looks like that:
> >
> > https://github.com/grml/grml-live/blob/8078724d5fa78f0b8fe0471b94368c58f204ee11/etc/grml/fai/config/files/etc/systemd/system/ssh.service/GRMLBASE
>
> Can we (Debian, not GRML) please just add
>
>     ExecStartPre=ssh-keygen -A
>
> to Debian's default ssh.service?
> Is there any DOWNSIDE to doing that?
> It appears to be fully idempotent.
I have always been extremely reluctant to do this because of the possible downsides explained in https://factorable.net/weakkeys12.extended.pdf. At the very least it requires lots of care to ensure that sufficient entropy is available; this can't be brushed off as something that we might be able to take care of later.

-- 
Colin Watson (he/him)                              [cjwat...@debian.org]
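As an added illustration that is not part of this thread or of Debian's packaging, one shape the "lots of care" could take: a wrapper for ExecStartPre that only runs `ssh-keygen -A` after the kernel reports its CSPRNG seeded, so keys are never generated from the cold-boot state the weak-keys paper describes. It assumes a Linux kernel of 5.6 or later (where a read from /dev/random blocks until the CRNG is initialised); the entropy threshold, key directory and script name are placeholders chosen for the example.

```shell
#!/bin/sh
# Added example (not from the thread): guard `ssh-keygen -A` so that missing
# host keys are only generated once the kernel CSPRNG is seeded.
# Assumptions: Linux >= 5.6 (/dev/random blocks until the CRNG is initialised);
# MIN_ENTROPY and KEY_DIR are illustrative placeholders, not Debian policy.
set -eu

ENTROPY_FILE=${ENTROPY_FILE:-/proc/sys/kernel/random/entropy_avail}
MIN_ENTROPY=${MIN_ENTROPY:-256}
KEY_DIR=${KEY_DIR:-/etc/ssh}

# Returns 0 when the entropy estimate handed in is at least MIN_ENTROPY.
entropy_ok() {
    avail=$1
    [ "$avail" -ge "$MIN_ENTROPY" ]
}

# Returns 0 when at least one default host key type is absent, i.e. when
# `ssh-keygen -A` would actually write a new key; 1 when there is nothing to do.
host_keys_missing() {
    dir=$1
    for t in rsa ecdsa ed25519; do
        [ -s "$dir/ssh_host_${t}_key" ] || return 0
    done
    return 1
}

# Block until the CRNG is initialised: on kernels >= 5.6 /dev/random does not
# return a single byte before that point, so the read doubles as the signal.
wait_for_crng() {
    head -c 1 /dev/random >/dev/null
}

main() {
    host_keys_missing "$KEY_DIR" || exit 0   # all keys present: idempotent no-op
    wait_for_crng
    if ! entropy_ok "$(cat "$ENTROPY_FILE")"; then
        echo "refusing to generate host keys: kernel reports low entropy" >&2
        exit 1
    fi
    ssh-keygen -A
}

# Only run main when executed as the script itself (placeholder name), so the
# functions above can be sourced and exercised on their own.
case "${0##*/}" in guarded-ssh-keygen.sh) main ;; esac
```

The unit would then carry `ExecStartPre=/usr/local/sbin/guarded-ssh-keygen.sh` (placeholder path) instead of calling ssh-keygen directly, and a low-entropy boot fails the unit loudly rather than silently producing a weak key.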