Univention Bugzilla – Bug 38711
Make SSH key length configurable through UCR
Last modified: 2015-09-01 11:54:10 CEST
Currently the RSA key used for SSH defaults to 2048 bits. It should be possible to adjust this to e.g. 4096 bits. AFAIS the keys are generated when installing "openssh-server". Instead of patching the Debian package, we might just adjust "univention-openssh-recreate-host-keys" to recreate the keys with the desired key length? This could then become a part of an SDB article or a UCS security guide (Bug#37877).
r63289 | Bug #38711 ssh: Configure SSH host key bits
r63284 | Bug #38711 ssh: Configure SSH host key bits

ucr set sshd/HostKey/rsa=4096
univention-openssh-recreate-host-keys

Package: univention-ssh
Version: 6.0.0-2.47.201508271121
Branch: ucs_4.0-0
Scope: errata4.0-3

Package: univention-ssh
Version: 7.0.0-1.46.201508271118
Branch: ucs_4.1-0

r63291 | Bug #38609,Bug #38709,Bug #38710,Bug #38711: ssh
 2015-08-27-univention-ssh.yaml
If a user specifies an invalid key size the script aborts after having moved the keys away and leaves the user without ssh keys - a broken system. Please modify the script in a way that at least one of the active keys (sshd/HostKey) is available at all times / changed atomically / exists after the script ran.
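The failure mode described in the comment above, handled in an added example that is not part of this bug thread and is not the code of univention-openssh-recreate-host-keys: the new key is generated beside the old one and only renamed into place once generation has succeeded. The function name recreate_host_key and the variables KEYGEN and KEYDIR are assumptions of this sketch.

```shell
#!/bin/sh
# Added example: replace an SSH host key without ever leaving the host keyless.
# KEYGEN and KEYDIR are assumptions of this sketch, overridable for testing.
KEYGEN="${KEYGEN:-ssh-keygen}"
KEYDIR="${KEYDIR:-/etc/ssh}"

# recreate_host_key TYPE BITS
# Returns 0 if the key pair was replaced, non-zero if the old pair was kept.
recreate_host_key() {
    ktype="$1"
    bits="$2"
    key="$KEYDIR/ssh_host_${ktype}_key"

    # Reject empty or non-numeric sizes before touching anything on disk.
    case "$bits" in
        ''|*[!0-9]*) echo "invalid key size: $bits" >&2; return 2 ;;
    esac

    # Private work directory inside KEYDIR, so the later mv is a rename
    # within one filesystem and the old key is never moved away first.
    tmp=$(mktemp -d "$KEYDIR/.hostkey.XXXXXX") || return 1

    # Generate the candidate pair. ssh-keygen itself refuses sizes it does
    # not support; in that case the existing key stays untouched.
    if ! "$KEYGEN" -q -t "$ktype" -b "$bits" -N '' -f "$tmp/key" ||
       [ ! -s "$tmp/key" ] || [ ! -s "$tmp/key.pub" ]; then
        echo "key generation failed, keeping existing $key" >&2
        rm -rf "$tmp"
        return 1
    fi

    # Fix permissions, then swap both files in; each mv replaces the old
    # file in a single step, so a key file exists at every moment.
    chmod 600 "$tmp/key" && chmod 644 "$tmp/key.pub" &&
        mv -f "$tmp/key" "$key" &&
        mv -f "$tmp/key.pub" "$key.pub"
    rc=$?
    rm -rf "$tmp"
    return $rc
}

# Usage on a host (as root): recreate_host_key rsa 4096
```

sshd has to be reloaded afterwards to pick up the new key, and clients that pinned the old host key will see a changed-key warning.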
r63341 | Bug #38711 ssh: Configure SSH host key bits
 Continue in case of errors
r63342 | Bug #38711 ssh: Configure SSH host key bits

Package: univention-ssh
Version: 6.0.0-3.48.201508301608
Branch: ucs_4.0-0
Scope: errata4.0-3

Package: univention-ssh
Version: 7.0.0-2.49.201508301610
Branch: ucs_4.1-0

r63343 | Bug #38711 ssh: Configure SSH host key bits YAML
 2015-08-27-univention-ssh.yaml
OK: code
OK: yaml
OK: manual test of UCRV sshd/HostKey/.* and /usr/sbin/univention-openssh-recreate-host-keys
<http://errata.univention.de/ucs/4.0/294.html>