[Bug 246558] Re: ssh's init script should generate host keys if they're missing

2010-02-23 Thread Soren Hansen
How about if I key off whether GSSAPIKeyExchange is set?

E.g. extend host_keys_required like so:

hostkeys=$(get_config_option HostKey)
if [ -n "$hostkeys" ]; then
    echo $hostkeys
else
    # Quoted so the test still parses when the option is unset.
    if [ "$(get_config_option GSSAPIKeyExchange)" != yes ]
    then
        # No HostKey directives at all, so the server picks some
        # defaults depending on the setting of Protocol.
        [...]
    fi
fi

So, if the user has HostKeys set, those will be generated if they do not
exist. If no HostKeys are set, and GSSAPIKeyExchange is set, we don't
generate keys the user does not want. Will that make everyone happy?

-- 
ssh's init script should generate host keys if they're missing
https://bugs.launchpad.net/bugs/246558
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to openssh in ubuntu.

-- 
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
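
The decision described in the message above, as an added example that is not the code in the linked branch: which host keys an init script would need to create for a given sshd_config. The get_config_option implementation, the missing_host_keys helper and the caller-supplied default key list are assumptions made for illustration, and the sample configs are constructed.

```shell
#!/bin/sh
# Added example, not the code from the linked branch.

# Hypothetical get_config_option: print each value of keyword $1 in the
# sshd_config-style file $2 (keyword matched case-insensitively, comment
# lines skipped, "Keyword value" form only).
get_config_option() {
    awk -v key="$1" '
        /^[ \t]*#/ { next }
        tolower($1) == tolower(key) { print $2 }
    ' "$2"
}

# Print the host key files the init script would have to provide.
# $1 = config file; $2 = space-separated defaults to use when the config
# names no HostKey (assumed list, passed in by the caller).
host_keys_required() {
    hostkeys=$(get_config_option HostKey "$1")
    if [ -n "$hostkeys" ]; then
        printf '%s\n' "$hostkeys"
    elif [ "$(get_config_option GSSAPIKeyExchange "$1" | head -n 1)" != yes ]; then
        # No HostKey directives and no GSSAPI key exchange: use the defaults.
        for key in $2; do printf '%s\n' "$key"; done
    fi
    # GSSAPIKeyExchange yes and no HostKey: print nothing, generate nothing.
}

# Print the required host keys that do not exist yet.
missing_host_keys() {
    host_keys_required "$1" "$2" | while IFS= read -r key; do
        [ -e "$key" ] || printf '%s\n' "$key"
    done
}

# Constructed sample: a GSSAPI-only server and a server with one HostKey.
demo_dir=$(mktemp -d)
printf 'Protocol 2\nGSSAPIKeyExchange yes\n' > "$demo_dir/gssapi_only"
printf 'hostkey %s/ssh_host_rsa_key\n' "$demo_dir" > "$demo_dir/explicit"
defaults="$demo_dir/ssh_host_rsa_key $demo_dir/ssh_host_dsa_key"

echo "gssapi_only: $(missing_host_keys "$demo_dir/gssapi_only" "$defaults" | wc -l) key(s) to generate"
echo "explicit:    $(missing_host_keys "$demo_dir/explicit" "$defaults" | wc -l) key(s) to generate"
```

Each path printed by missing_host_keys is one the boot script would hand to ssh-keygen; an empty result means the existing keys, or the deliberate absence of keys, is left alone.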


[Bug 246558] Re: ssh's init script should generate host keys if they're missing

2010-02-23 Thread Soren Hansen
The linked branch (untested) is what I have in mind.

** Branch linked: lp:~soren/ubuntu/lucid/openssh/generate-keys-on-boot



[Bug 246558] Re: ssh's init script should generate host keys if they're missing

2010-02-22 Thread Soren Hansen
** Description changed:

  I imagine it's useful for other use cases as well, but for me at least
  it would be very helpful if openssh-server were to generate new host
- keys none are to be found during boot. This makes it a no-brainer to
+ keys if none are found during boot. This makes it a no-brainer to
  distribute a virtual appliance without compromising security by sharing
  host keys on every single instance of them.
  
  I'll attach a patch shortly.



[Bug 246558] Re: ssh's init script should generate host keys if they're missing

2009-10-14 Thread Chuck Short
** Changed in: openssh (Ubuntu)
   Importance: Undecided => Low

** Changed in: openssh (Ubuntu)
   Status: New => Confirmed



[Bug 246558] Re: ssh's init script should generate host keys if they're missing

2008-08-19 Thread Björn Torkelsson
Of course. Why should I keep them if I don't use them?



[Bug 246558] Re: ssh's init script should generate host keys if they're missing

2008-07-10 Thread Björn Torkelsson
Well. It complains that it can't find any hostkeys when started (and
when logging in) but it works perfectly well without hostkeys when using
GSSAPI. As we are only allowing GSSAPI on most of our machines there is
really no need for the hostkey as the host authenticity is established
using the GSSAPI keytab.  Actually, getting the question about
authenticity and adding it to known_hosts is bogus as the host is
validated by other means and the only allowed mechanisms are gssapi-keyex
and gssapi-with-mic which are not using the hostkeys and thus the login
will fail anyway if you don't have any valid kerberos/gssapi key, but
not until you have accepted the hostkey. If you have a valid key you
don't get the question about host authenticity.

In my opinion ssh should be patched to not require hostkeys (when using
only GSSAPI), instead of automatically generating hostkeys.

Yes, I think the keys are generated on installation, but you can always
delete them if you don't need them or if you don't want to share them,
which is what this bug is about.

sshd_config attached used together with the following ssh-config:

   ForwardX11 yes
   GSSAPIKeyExchange yes
   GSSAPIAuthentication  yes
   GSSAPIDelegateCredentials yes
   PreferredAuthentications  gssapi-keyex,gssapi-with-mic
   Protocol 2
   Cipher blowfish
   SendEnv LANG LC_*
   StrictHostKeyChecking ask
   HashKnownHosts   no


** Attachment added: sshd_config
   http://launchpadlibrarian.net/15940534/sshd_config



[Bug 246558] Re: ssh's init script should generate host keys if they're missing

2008-07-09 Thread Soren Hansen
Attaching the patch as I originally intended it to look. I didn't know
that not having hostkeys was valid (and am still rather surprised that's
the case). Do you have an example sshd_config that doesn't use host
keys? The documentation says it has defaults for HostKey, so even if
they're not specified, I imagine it would use them anyway.

** Attachment added: The proposed patch
   http://launchpadlibrarian.net/15903169/ssh_regen_host_keys.diff



[Bug 246558] Re: ssh's init script should generate host keys if they're missing

2008-07-08 Thread Björn Torkelsson
Host keys are not necessarily needed when running openssh-server, i.e.
when using GSSAPI/Kerberos, and it could actually be argued that it is a
bug if they were generated automatically if not found.

Please make it configurable if you want the keys to be generated and
which keys you want to be generated.
