[Cloud-packages] Bug#864055: bootstrap-vz: Should generate ed25519 host keys, should not generate dsa host keys

Santiago Vila sanvila at unex.es
Sat Jun 3 17:33:09 UTC 2017

Package: bootstrap-vz
Version: 0.9.10+20170110git-1
Tags: patch

Dear maintainer:

The host keys generated by default on new systems by openssh-server
are rsa, ecdsa and ed25519.

Since this package will be used to generate images for Debian 9,
it should ideally generate the same set of keys.

I discovered this after upgrading a GCE machine to stretch
and modifying sshd_server to be closer to the Debian 9 default.
What happened is that even if I removed the DSA keys, they were
generated again. Thanks to codesearch.debian.net it was easy
to check where this came from.

Trivial patch follows.

[ If possible, please consider a freeze exception for this ]


--- a/bootstrapvz/common/assets/init.d/generate-ssh-hostkeys
+++ b/bootstrapvz/common/assets/init.d/generate-ssh-hostkeys
@@ -14,23 +14,23 @@ prog=$(basename $0)
 logger="logger -t $prog"
 # Exit if the hostkeys already exist
-if [ -f $rsa_key -a -f $dsa_key -a -f $ecdsa_key ]; then
+if [ -f $rsa_key -a -f $ed25519_key -a -f $ecdsa_key ]; then
 # Generate the ssh host keys
 [ -f $rsa_key ] || ssh-keygen -f $rsa_key -t rsa -C 'host' -N ''
-[ -f $dsa_key ] || ssh-keygen -f $dsa_key -t dsa -C 'host' -N ''
+[ -f $ed25519_key ] || ssh-keygen -f $ed25519_key -t dsa -C 'host' -N ''
 [ -f $ecdsa_key ] || ssh-keygen -f $ecdsa_key -t ecdsa -C 'host' -N ''
 # Output the public keys to the console
 # This allows user to get host keys securely through console log
 echo "-----BEGIN SSH HOST KEY FINGERPRINTS-----" | $logger
 ssh-keygen -l -f $rsa_key.pub | $logger
-ssh-keygen -l -f $dsa_key.pub | $logger
+ssh-keygen -l -f $ed25519_key.pub | $logger
 ssh-keygen -l -f $ecdsa_key.pub | $logger
 echo "------END SSH HOST KEY FINGERPRINTS------" | $logger
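Review bot: the replacement line `+[ -f $ed25519_key ] || ssh-keygen -f $ed25519_key -t dsa -C 'host' -N ''` still passes `-t dsa`, so the file written to `$ed25519_key` would be a DSA key rather than an ed25519 key, which defeats the purpose of the change; it should read `ssh-keygen -f $ed25519_key -t ed25519 -C 'host' -N ''`. Also, `$ed25519_key` is used in the existence test, the generation line and the fingerprint line, but no hunk in this patch adds its definition next to where `$dsa_key`, `$rsa_key` and `$ecdsa_key` are set above line 14 of the file; unless the variable already exists there, `-f $ed25519_key` always evaluates false and ssh-keygen is invoked with an empty `-f` argument on every boot. Suggest adding a second hunk that defines `ed25519_key=/etc/ssh/ssh_host_ed25519_key` (assumed path, matching the usual openssh-server naming) alongside the other key variables.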
