https://bugzilla.mindrot.org/show_bug.cgi?id=2662
Bug ID: 2662
Summary: Does it still make sense to use DSA host keys by default?
Product: Portable OpenSSH
Version: 7.4p1
Hardware: Other
OS: Linux
Status: NEW
Severity: enhancement
Priority: P5
Component: sshd
Assignee: unassigned-b...@mindrot.org
Reporter: cjwat...@debian.org

Despite the fact that the client disables DSA support by default since OpenSSH 7.0, the server still includes it in the implicit list of host keys used if you don't specify any HostKey options at all (which is the default behaviour in the stock sshd_config). This seems a bit odd.

Would you consider removing it from the list in fill_default_server_options, thereby requiring people who really need it to specify it manually? That would seem to be useful in further discouraging the use of DSA.

Background for why I'm asking: https://bugs.debian.org/823827 requested something similar, which at the time I handled only in the Debian packaging scripts. Recently I switched to doing a better job of upgrading server configuration files and using something much closer to the stock upstream sshd_config, which has resulted in https://bugs.debian.org/850614, so I'm considering patching this out of fill_default_server_options given that the Debian packaging scripts ensure that all necessary host keys are generated so something newer should always be available; but it seems worth asking if you have serious qualms about that approach.
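
An added example (not part of the bug report and not OpenSSH code): a shell check for the case described above, where sshd_config has no HostKey line and the server falls back to its implicit key list. It assumes the default key files are ssh_host_{rsa,dsa,ecdsa,ed25519}_key under /etc/ssh with a .pub file beside each; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: list DSA host keys that sshd would load for a given config.
# Assumptions: default keys live in /etc/ssh and each has a .pub file beside it.

# Print HostKey paths set explicitly in an sshd_config file. Keywords are
# case-insensitive; commented-out lines do not match.
explicit_hostkeys() {
    awk '{ sub(/^[ \t]+/, ""); split($0, f, /[ \t=]+/)
           if (tolower(f[1]) == "hostkey") print f[2] }' "$1"
}

# Print "source path" per key sshd would try: the explicit list if any HostKey
# line exists, otherwise the implicit defaults that are present in the key dir.
effective_hostkeys() {
    hk_list=$(explicit_hostkeys "$1")
    if [ -n "$hk_list" ]; then
        printf '%s\n' "$hk_list" | sed 's/^/explicit /'
        return 0
    fi
    for hk_alg in rsa dsa ecdsa ed25519; do
        if [ -f "$2/ssh_host_${hk_alg}_key" ]; then
            echo "implicit $2/ssh_host_${hk_alg}_key"
        fi
    done
}

# The key type is the first field of the public key file, e.g. "ssh-dss".
key_type() {
    if [ -r "$1.pub" ]; then awk 'NR == 1 { print $1 }' "$1.pub"; else echo unknown; fi
}

# Print one line per DSA host key in effect; return 1 if any was found.
audit_dsa_hostkeys() {
    hk_found=0
    while read -r hk_src hk_path; do
        if [ -n "$hk_path" ] && [ "$(key_type "$hk_path")" = "ssh-dss" ]; then
            echo "DSA host key in effect ($hk_src): $hk_path"
            hk_found=1
        fi
    done <<EOF
$(effective_hostkeys "$1" "$2")
EOF
    return "$hk_found"
}

# Usage: script SSHD_CONFIG [KEYDIR]
if [ $# -ge 1 ]; then audit_dsa_hostkeys "$1" "${2:-/etc/ssh}"; fi
```

A key reported as "implicit" is the case the bug is about: removing the DSA key files, or listing the wanted keys with explicit HostKey lines, takes it out of the set the server offers.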