debian-pi/raspbian-ua-netinst

ssh key generated on install

Closed this issue · 9 comments

When installing raspbian, the installer generates a server ssh key that is of type ECDSA key (hosted on /etc/ssh/ssh_host_ecdsa_key).

ECDSA is known to be weak and vulnerable.

Is there a way to disable the following host key on install?

  • /etc/ssh/ssh_host_rsa_key
  • /etc/ssh/ssh_host_dsa_key
  • /etc/ssh/ssh_host_ecdsa_key

This might be related to the official raspbian installer more than on raspbian-ua-netinst. This might also be related to the official debian installer. Please let me know if this is the case.

It's not the installer(s). The ssh startup script generates keys when they aren't present, and it can be configured to limit the keys it will generate.

How can you configure it in an unattended install mode?

Is the installed package openssh-server?

there is no other way than an unattended install... and SSH will be enabled by default (as documented in the README file)
you can configure the installed system in post-install.txt, which is a normal shell script (it will be run using busybox's sh). again, this is documented in README.md (in the appropriate branch, of course, probably v1.1.x)
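One way to do what the comment describes from post-install.txt, as an added example (not a script from the raspbian-ua-netinst project): it pins sshd to a single HostKey line so the ssh startup script only generates that key, and deletes the other host key files. It assumes the target filesystem is mounted under /rootfs during post-install and that ed25519 is the key type you want to keep; both are assumptions, and the shell constructs are limited to what busybox sh supports.

```shell
#!/bin/sh
# Added example: restrict the host keys sshd will load/generate.
# Not part of raspbian-ua-netinst; path and key type are assumptions.

# restrict_host_keys <sshd_config on disk> <ssh dir on disk>
# Rewrites HostKey directives in the given sshd_config to a single
# ed25519 key (path as seen by the installed system), removes the
# rsa/dsa/ecdsa key pairs, and prints the resulting HostKey line count.
restrict_host_keys() {
    cfg="$1"
    dir="$2"
    tmp="$cfg.tmp"
    # Drop every HostKey directive, commented or not; keep all other lines.
    # "|| true" covers the case where every line was a HostKey line.
    grep -v -E '^[[:space:]]*#?[[:space:]]*HostKey[[:space:]]' "$cfg" > "$tmp" || true
    # Debian's ssh init script only creates keys named by HostKey lines,
    # so a single directive limits what gets generated on first boot.
    printf 'HostKey /etc/ssh/ssh_host_ed25519_key\n' >> "$tmp"
    mv "$tmp" "$cfg"
    # Remove already-generated keys of the other types (if any exist).
    for t in rsa dsa ecdsa; do
        rm -f "$dir/ssh_host_${t}_key" "$dir/ssh_host_${t}_key.pub"
    done
    grep -c '^HostKey ' "$cfg"
}

# Usage in post-install.txt (assumed /rootfs mount point):
#   restrict_host_keys /rootfs/etc/ssh/sshd_config /rootfs/etc/ssh
```

After first boot, `ssh-keyscan` against the Pi should then list only the ed25519 host key.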

Great, thanks @goranche for your answer.

And if I want to fix the problem upstream, where should I try to fix it? In openssh-server?

Could you please provide sources for your claim that

ECDSA is known to be weak and vulnerable.

As far as I know there are only issues concerning implementations of this algorithm.

Elliptic curves have one advantage that really has value on a pi in comparison to RSA. They are a lot faster.

If you want to go further with this issue the openssh project is the way to go: https://www.openssh.com/report.html
Could you please provide a link here, if you do?

@oupala well, if you really feel there is something to fix (in regards to the SSH keys), yes, openssh would be the place to go...

but I don't think there is anything to fix, really 😉

I'm closing this issue for now... if you think there is more to be said, comment below, and there is always the option of reopening the issue 👍

This discussion is not related to the installer. Please take it to the appropriate location, as said before, the openssh project would be the right place to go.

@goranche I agree with you. I was just replying to the question of @BenjaminHae.