Currently the RSA key used for SSH defaults to 2048 bits. It should be possible to adjust this to e.g. 4096 bits. AFAIS the keys are generated when installing "openssh-server". Instead of patching the debian package, we might just adjust "univention-openssh-recreate-host-keys" to recreate the keys with the desired key length? This could then become a part of an SDB article or a UCS security guide (Bug#37877).
r63289 | Bug #38711 ssh: Configure SSH host key bits
r63284 | Bug #38711 ssh: Configure SSH host key bits

ucr set sshd/HostKey/rsa=4096
univention-openssh-recreate-host-keys

Package: univention-ssh
Version: 6.0.0-2.47.201508271121
Branch: ucs_4.0-0
Scope: errata4.0-3

Package: univention-ssh
Version: 7.0.0-1.46.201508271118
Branch: ucs_4.1-0

r63291 | Bug #38609,Bug #38709,Bug #38710,Bug #38711: ssh 2015-08-27-univention-ssh.yaml
If a user specifies an invalid key size the script aborts after having moved the keys away and leaves the user without ssh keys - a broken system. Please modify the script in a way that at least one of the active keys (sshd/HostKey) is available at all times / changed atomically / exists after the script ran.
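One way to meet the "at least one active key exists at all times" requirement, as an added example that is not the univention-ssh package's own script: the requested size is validated before anything is touched, the new key is generated under a temporary name beside the old one, and the temporary files are only renamed over the old key after ssh-keygen has succeeded. The key path, the helper names and the 1024..16384 range check are assumptions.

```shell
#!/bin/sh
# Atomic regeneration of an RSA SSH host key (added example, not the UCS script).
set -u

# valid_bits <bits>: digits only and within an assumed sane RSA range,
# so a typo like "4o96" is rejected before any key file is moved.
valid_bits() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1024 ] && [ "$1" -le 16384 ]
}

# recreate_host_key <private key path> <bits>
# The existing key is never removed first: ssh-keygen writes to a temporary
# name in the same directory, and only after it returns successfully are the
# new files renamed over the old ones (mv within one filesystem is a rename).
# On any failure the old key stays in place and the function returns non-zero.
recreate_host_key() {
    key="$1"; bits="$2"
    if ! valid_bits "$bits"; then
        echo "refusing to regenerate $key: invalid key size '$bits'" >&2
        return 2
    fi
    tmp="$key.new.$$"
    rm -f "$tmp" "$tmp.pub"
    if ! ssh-keygen -q -t rsa -b "$bits" -N '' -f "$tmp"; then
        echo "key generation failed; keeping existing $key" >&2
        rm -f "$tmp" "$tmp.pub"
        return 1
    fi
    # sshd only needs the private key; install it first, then its .pub file.
    mv -f "$tmp" "$key" && mv -f "$tmp.pub" "$key.pub"
}

# Typical call on a UCS host (assumed key path; value taken from the UCR variable):
#   recreate_host_key /etc/ssh/ssh_host_rsa_key "$(ucr get sshd/HostKey/rsa)"
```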
r63341 | Bug #38711 ssh: Configure SSH host key bits
Continue in case of errors
r63342 | Bug #38711 ssh: Configure SSH host key bits

Package: univention-ssh
Version: 6.0.0-3.48.201508301608
Branch: ucs_4.0-0
Scope: errata4.0-3

Package: univention-ssh
Version: 7.0.0-2.49.201508301610
Branch: ucs_4.1-0

r63343 | Bug #38711 ssh: Configure SSH host key bits YAML 2015-08-27-univention-ssh.yaml
OK: code
OK: yaml
OK: manual test of UCRV sshd/HostKey/.* and /usr/sbin/univention-openssh-recreate-host-keys
<http://errata.univention.de/ucs/4.0/294.html>