On Tue, Jul 07, 2015 at 10:52:52AM +0200, Clemens Gruber wrote: > what do you think about my recent OpenSSH patches (not the version bumps) but > enabling the sandbox per default (to use seccomp if available) and the switch > from DSA to Ed25519. ArchLinux and current Debian both generate Ed25519 > pubkeys > by default and add them as HostKey to sshd_config. > They keep DSA and ECDSA but as they fall apart completely if the random > numbers > used are not good, I am not sure this is a good idea for embedded systems > where > entropy is often very scarce. Ed25519 is not that sensitive to entropy > problems.
I looked at what Debian is doing, and I liked it: Basically, the postinst script checks the sshd_config and generated the needed keys. I think we can do the same in the ssh rc-once script. Then we can choose more restrictive defaults. Then those that need other keys just need to overwrite sshd_config in the BSP. Michael -- Pengutronix e.K. | | Industrial Linux Solutions | http://www.pengutronix.de/ | Peiner Str. 6-8, 31137 Hildesheim, Germany | Phone: +49-5121-206917-0 | Amtsgericht Hildesheim, HRA 2686 | Fax: +49-5121-206917-5555 | -- ptxdist mailing list ptxdist@pengutronix.de