@cjwatson, IMHO running "ssh-keygen -A" and the accompanying restorecon if applicable should be done unconditionally in postinst.
This way, the admin would be free to simply add the newer HostKey directives they want to use in sshd_config. More details about this suggestion in LP: #1005440 and LP: #1370523.

https://bugs.launchpad.net/bugs/1300133

Title:
  Generate ED25519 host keys on upgrade

Status in "openssh" package in Ubuntu:
  Confirmed

Bug description:
  openssh (1:6.5p1-1) unstable; urgency=medium
  ...
    * Generate ED25519 host keys on fresh installations. Upgraders who wish to add such host keys should manually add 'HostKey /etc/ssh/ssh_host_ed25519_key' to /etc/ssh/sshd_config and run 'ssh-keygen -q -f /etc/ssh/ssh_host_ed25519_key -N "" -t ed25519'.
  ...
  -- Colin Watson <cjwat...@debian.org> Mon, 10 Feb 2014 14:58:26 +0000

  Most users and many administrators are not going to notice the new host key capabilities when it is buried in a changelog. We should at least give them an obvious hint about it. Even better would be to prompt the user to generate the keys with a debconf question, like was recently done with the "Change to "PermitRootLogin without-password"".

  I would like to label this as a security vulnerability, but that may be a bit over the top; it would be a security improvement!

-- 
Mailing list: https://launchpad.net/~touch-packages
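As an added example (not code from the bug report, the comment above, or the openssh package), the following POSIX sh fragment does what the suggestion describes: generate any missing host keys unconditionally with `ssh-keygen -A`, relabel them if SELinux tooling is present, and give the administrator an idempotent helper for adding the `HostKey` line. The `ensure_hostkey_directive` and `generate_missing_hostkeys` names and the root-prefix argument are assumptions for this example.

```shell
#!/bin/sh
# Added example: maintainer-script style host-key handling.
# Not the openssh package's own postinst; function names are assumed.
set -eu

# Append 'HostKey <path>' to an sshd_config exactly once.
# $1 = path to sshd_config, $2 = path of the host key to reference.
# An already present directive (same key path) is left alone, so the
# function is safe to run on every upgrade or config-management pass.
ensure_hostkey_directive() {
    config="$1"
    keypath="$2"
    if grep -Eq "^[[:space:]]*HostKey[[:space:]]+${keypath}[[:space:]]*$" "$config"; then
        return 0
    fi
    printf 'HostKey %s\n' "$keypath" >> "$config"
}

# Generate every default host key type that does not exist yet.
# $1 = root prefix ("/" on a live system; a scratch directory for testing).
# ssh-keygen -A only creates missing keys, never overwrites existing ones,
# and uses an empty passphrase because sshd must load them unattended.
# -f <prefix> is ssh-keygen's documented way to relocate the default paths.
generate_missing_hostkeys() {
    prefix="$1"
    if command -v ssh-keygen >/dev/null 2>&1; then
        ssh-keygen -A -f "$prefix"
    fi
    # On SELinux systems the freshly written files need their labels restored,
    # otherwise sshd may be denied access to them after the next restart.
    if command -v restorecon >/dev/null 2>&1; then
        restorecon -R "${prefix%/}/etc/ssh" 2>/dev/null || true
    fi
}

# Live-system invocation (assumed paths); left commented so that sourcing this
# file for the functions alone has no side effects:
# generate_missing_hostkeys /
# ensure_hostkey_directive /etc/ssh/sshd_config /etc/ssh/ssh_host_ed25519_key
```

Running `generate_missing_hostkeys` in postinst is the unconditional part of the suggestion; `ensure_hostkey_directive` is the piece the administrator (or their configuration management) would run, since sshd_config is a conffile the package should not silently edit.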