Package: bootstrap-vz
Version: 0.9.10+20170110git-1
Tags: patch

Dear maintainer:
The host keys generated by default on new systems by openssh-server are rsa, ecdsa and ed25519. Since this package will be used to generate images for Debian 9, it should ideally generate the same set of keys. I discovered this after upgrading a GCE machine to stretch and modifying sshd_server to be closer to the Debian 9 default. What happened is that even if I removed the DSA keys, they were generated again. Thanks to codesearch.debian.net it was easy to check where this came from. Trivial patch follows. [ If possible, please consider a freeze exception for this ] Thanks. --- a/bootstrapvz/common/assets/init.d/generate-ssh-hostkeys +++ b/bootstrapvz/common/assets/init.d/generate-ssh-hostkeys @@ -14,23 +14,23 @@ prog=$(basename $0) logger="logger -t $prog" rsa_key="/etc/ssh/ssh_host_rsa_key" -dsa_key="/etc/ssh/ssh_host_dsa_key" +ed25519_key="/etc/ssh/ssh_host_ed25519_key" ecdsa_key="/etc/ssh/ssh_host_ecdsa_key" # Exit if the hostkeys already exist -if [ -f $rsa_key -a -f $dsa_key -a -f $ecdsa_key ]; then +if [ -f $rsa_key -a -f $ed25519_key -a -f $ecdsa_key ]; then exit fi # Generate the ssh host keys [ -f $rsa_key ] || ssh-keygen -f $rsa_key -t rsa -C 'host' -N '' -[ -f $dsa_key ] || ssh-keygen -f $dsa_key -t dsa -C 'host' -N '' +[ -f $ed25519_key ] || ssh-keygen -f $ed25519_key -t dsa -C 'host' -N '' [ -f $ecdsa_key ] || ssh-keygen -f $ecdsa_key -t ecdsa -C 'host' -N '' # Output the public keys to the console # This allows user to get host keys securely through console log echo "-----BEGIN SSH HOST KEY FINGERPRINTS-----" | $logger ssh-keygen -l -f $rsa_key.pub | $logger -ssh-keygen -l -f $dsa_key.pub | $logger +ssh-keygen -l -f $ed25519_key.pub | $logger ssh-keygen -l -f $ecdsa_key.pub | $logger echo "------END SSH HOST KEY FINGERPRINTS------" | $logger
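Review bot: the added generation line still passes `-t dsa` to ssh-keygen, so `+[ -f $ed25519_key ] || ssh-keygen -f $ed25519_key -t dsa -C 'host' -N ''` writes a DSA key into /etc/ssh/ssh_host_ed25519_key; it should read `-t ed25519`. As written, the image gets no ed25519 host key at all, and since OpenSSH 7.0 disables ssh-dss by default the misnamed DSA key is unusable, while the later `ssh-keygen -l` fingerprint line would print it under the ed25519 filename and mislead anyone verifying the host from the console log. Note also that the hunk only stops creating new DSA keys; any ssh_host_dsa_key already present in an existing image is left in place and would need to be removed separately, as the report itself describes.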