Bug 38710 - univention-openssh-recreate-host-keys doesn't recreate RSA1 keys
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: SSH
UCS 4.0
Other Linux
Importance: P5 normal
Target Milestone: UCS 4.0-3-errata
Assigned To: Philipp Hahn
QA Contact: Daniel Tröder
Reported: 2015-06-15 12:51 CEST by Michael Grandjean
Modified: 2015-09-01 11:54 CEST (History)



Attachments
Recreates also RSAv1 if present, considers sshd/hostkeys/bits (2.63 KB, text/x-shellscript)
2015-07-13 23:21 CEST, Michael Grandjean

Description Michael Grandjean univentionstaff 2015-06-15 12:51:18 CEST
univention-openssh-recreate-host-keys only recreates the DSA and the RSA key:

> ssh-keygen -q -f /etc/ssh/ssh_host_rsa_key -N '' -t rsa
> ssh-keygen -q -f /etc/ssh/ssh_host_dsa_key -N '' -t dsa

But there is also "/etc/ssh/ssh_host_key", which is an RSA1 key used for SSHv1. This one is NOT recreated and therefore stays the same. So, if you run "univention-openssh-recreate-host-keys" after a breach, you still have one vulnerable key left.

Personally, I think we should just drop SSHv1 and RSA1 key support - see Bug#38709.
Comment 1 Michael Grandjean univentionstaff 2015-07-13 23:21:40 CEST
Created attachment 7024 [details]
Recreates also RSAv1 if present, considers sshd/hostkeys/bits

The attached version of univention-openssh-recreate-host-keys does the job. Not sure about the style, though.
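An added example illustrating the description and Comment 1, not the attached script or the univention-ssh package's own code: a POSIX shell script that regenerates every host key file present in a key directory, including the legacy SSHv1 `ssh_host_key` (RSA1), so that no pre-breach key survives. The directory argument, the optional `bits` parameter standing in for `sshd/hostkeys/bits`, and the function names are assumptions; it needs `ssh-keygen` in PATH.

```sh
#!/bin/sh
# Added example, not the UCS script: regenerate every SSH host key present in
# a directory, including the legacy SSHv1 RSA1 key, so no old key survives.
# Assumes ssh-keygen is in PATH; function and parameter names are assumptions.

# Map a host key file name to the ssh-keygen key type stored in it.
# ssh_host_key is the SSHv1 RSA1 key; ssh_host_<type>_key are SSHv2 keys.
key_type_of() {
    case "$1" in
        ssh_host_key) echo rsa1 ;;
        ssh_host_*_key) t=${1#ssh_host_}; echo "${t%_key}" ;;
        *) return 1 ;;
    esac
}

# Print, one per line, the key types whose private key file exists in $1.
host_key_types() {
    for f in "$1"/ssh_host_key "$1"/ssh_host_*_key; do
        [ -f "$f" ] || continue
        key_type_of "$(basename "$f")" || continue
    done
}

# Recreate every host key found in $1. $2 (optional) is the RSA key size and
# stands in for the sshd/hostkeys/bits setting mentioned in the attachment.
recreate_host_keys() {
    dir=$1; bits=${2:-}
    for type in $(host_key_types "$dir"); do
        if [ "$type" = rsa1 ]; then f="$dir/ssh_host_key"; else f="$dir/ssh_host_${type}_key"; fi
        case "$type" in
            rsa|rsa1) opts=${bits:+-b $bits} ;;   # key size only applies to RSA
            *) opts="" ;;
        esac
        # Remove the old pair first: ssh-keygen would otherwise prompt before overwriting.
        rm -f "$f" "$f.pub"
        # $opts is deliberately unquoted so "-b 2048" splits into two arguments.
        ssh-keygen -q -f "$f" -N '' -t "$type" $opts || return 1
        echo "recreated $type host key: $f"
    done
}

# Stand-alone use: recreate_host_keys /etc/ssh 2048, then restart sshd.
```

After regenerating, the old public keys must also be replaced in every client's known_hosts, otherwise clients will report a host key change.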
Comment 2 Philipp Hahn univentionstaff 2015-08-27 11:36:26 CEST
r63288 | Bug #38710 ssh: Re-create all ssh host keys
r63283 | Bug #38710 ssh: Re-create all ssh host keys
 "ecdsa" enabled, too
 All supported types are re-created

Package: univention-ssh
Version: 6.0.0-2.47.201508271121
Branch: ucs_4.0-0
Scope: errata4.0-3

Package: univention-ssh
Version: 7.0.0-1.46.201508271118
Branch: ucs_4.1-0

r63291 | Bug #38609,Bug #38709,Bug #38710,Bug #38711: ssh
 2015-08-27-univention-ssh.yaml
Comment 3 Daniel Tröder univentionstaff 2015-08-28 18:05:21 CEST
OK: code
OK: 4.1 merge
OK: YAML
Comment 4 Janek Walkenhorst univentionstaff 2015-09-01 11:54:04 CEST
<http://errata.univention.de/ucs/4.0/294.html>