Hello both, su 26.1.2025 klo 19.35 Daniel Baumann ([email protected]) kirjoitti: > On 1/26/25 16:21, Colin Watson wrote: > > 3072-bit RSA seems like a fine default at the moment, > > and I expect that Debian will follow future changes made upstream. > > while I fully agree and don't think that the debian package should > divert from upstream here, as an admin I do use different defaults for > systems I maintain. > > From a config management point of view, this is very cumbersome as the > postinst do re-create missing things/fallback to upstream defaults. > > To make it nicer for admins to locally deviate from the defaults.. how > about internal preseed option(s) not shown to the user to select > host-keys to be generated? Would you accept patches for this?
I have noticed this as well e.g. whenever Debian ships a new openssh-server package, I've had to manually run the command shown on the hardening guide to remove modulus below 3272-bit all over again. For what it's worth, I fully agree with Colin that some of Joe Testa's recommended hardening measures lack proper justification. Damien Miller noticed the same thing, when I recently asked him to comment on the recommendations. I however think that Daniel's proposal for a patch that better takes into consideration possible local deviations from Debian defaults might be a good compromise between adopting 'ssh-audit' paranoia for the Debian package and letting administrators adopt them if they wish. Martin-Éric
