Bug 38711 - Make SSH key length configurable through UCR
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: SSH
Version: UCS 4.0
Hardware: Other Linux
Importance: P5 enhancement
Target Milestone: UCS 4.0-3-errata
Assigned To: Philipp Hahn
QA Contact: Daniel Tröder
Depends on:
Blocks:
Reported: 2015-06-15 12:58 CEST by Michael Grandjean
Modified: 2015-09-01 11:54 CEST (History)
CC: 4 users

See Also:
What kind of report is it?: ---
What type of bug is this?: ---
Who will be affected by this bug?: ---
How will those affected feel about the bug?: ---
User Pain:
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional):
Max CVSS v3 score:


Attachments

Description Michael Grandjean univentionstaff 2015-06-15 12:58:58 CEST
Currently the RSA key used for SSH defaults to 2048 bits. It should be possible to adjust this to e.g. 4096 bits.

AFAIS the keys are generated when installing "openssh-server". Instead of patching the debian package, we might just adjust "univention-openssh-recreate-host-keys" to recreate the keys with the desired key length?
This could then become a part of an SDB article or a UCS security guide (Bug#37877).
Comment 1 Philipp Hahn univentionstaff 2015-08-27 11:34:55 CEST
r63289 | Bug #38711 ssh: Configure SSH host key bits
r63284 | Bug #38711 ssh: Configure SSH host key bits
 ucr set sshd/HostKey/rsa=4096
 univention-openssh-recreate-host-keys

Package: univention-ssh
Version: 6.0.0-2.47.201508271121
Branch: ucs_4.0-0
Scope: errata4.0-3

Package: univention-ssh
Version: 7.0.0-1.46.201508271118
Branch: ucs_4.1-0

r63291 | Bug #38609,Bug #38709,Bug #38710,Bug #38711: ssh
 2015-08-27-univention-ssh.yaml
Comment 2 Daniel Tröder univentionstaff 2015-08-28 18:30:19 CEST
If a user specifies an invalid key size, the script aborts after having moved the keys away and leaves the user without SSH keys - a broken system.

Please modify the script in a way that at least one of the active keys (sshd/HostKey) is available at all times / changed atomically / exists after the script ran.
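As an added example (not the univention-ssh package's own `univention-openssh-recreate-host-keys` script), one way to honour the `sshd/HostKey/rsa` setting while meeting the requirement above: the new key is generated under a temporary name next to the old one and only renamed into place once `ssh-keygen` has succeeded, so a bad bit length or a failed key generation never leaves the host without its existing key. The `ucr get` lookup is the real UCS command; the fallback environment variable `SSHD_HOSTKEY_RSA`, the accepted size range, the `run` argument and the validation helper are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not the univention-ssh package's own script: regenerate the
# RSA host key with a UCR-configured bit length without ever removing the old
# key before the new one exists.
set -u

# Accept only a plain integer in a sane RSA range (bounds are an assumption).
valid_rsa_bits() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;   # empty or not purely numeric
    esac
    [ "$1" -ge 1024 ] && [ "$1" -le 16384 ]
}

# Read sshd/HostKey/rsa via `ucr get` (the real UCS command) when available;
# otherwise fall back to an environment variable, then to the 2048-bit default.
configured_rsa_bits() {
    bits=""
    if command -v ucr >/dev/null 2>&1; then
        bits=$(ucr get sshd/HostKey/rsa 2>/dev/null)
    fi
    [ -n "$bits" ] || bits="${SSHD_HOSTKEY_RSA:-2048}"
    printf '%s\n' "$bits"
}

# Atomic replacement: validate first, generate into a temporary name in the
# same directory, and only then rename over the old key pair. The old key stays
# usable until the new one is complete; any failure leaves it untouched.
recreate_rsa_host_key() {
    keyfile="$1"
    bits="$2"
    if ! valid_rsa_bits "$bits"; then
        echo "refusing to regenerate $keyfile: invalid RSA bit length '$bits'" >&2
        return 2
    fi
    tmp="$keyfile.new.$$"
    rm -f "$tmp" "$tmp.pub"
    if ! ssh-keygen -q -t rsa -b "$bits" -N '' -f "$tmp" </dev/null; then
        echo "ssh-keygen failed for $keyfile; old key left in place" >&2
        rm -f "$tmp" "$tmp.pub"
        return 1
    fi
    # The private key is what sshd loads, so swap it first; the .pub follows.
    mv -f "$tmp" "$keyfile" && mv -f "$tmp.pub" "$keyfile.pub"
}

# Run the real thing only when asked explicitly, e.g. `sh script.sh run`.
if [ "${1:-}" = "run" ]; then
    recreate_rsa_host_key /etc/ssh/ssh_host_rsa_key "$(configured_rsa_bits)"
fi
```

Because validation happens before anything is moved and the rename is the last step, the script can be re-run after correcting the UCR value; sshd also needs a restart or reload afterwards to pick up the new key, which this example deliberately leaves to the caller.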
Comment 3 Philipp Hahn univentionstaff 2015-08-30 16:35:21 CEST
r63341 | Bug #38711 ssh: Configure SSH host key bits
 Continue in case of errors
r63342 | Bug #38711 ssh: Configure SSH host key bits

Package: univention-ssh
Version: 6.0.0-3.48.201508301608
Branch: ucs_4.0-0
Scope: errata4.0-3

Package: univention-ssh
Version: 7.0.0-2.49.201508301610
Branch: ucs_4.1-0

r63343 | Bug #38711 ssh: Configure SSH host key bits YAML
 2015-08-27-univention-ssh.yaml
Comment 4 Daniel Tröder univentionstaff 2015-08-31 09:12:11 CEST
OK: code
OK: yaml
OK: manual test of UCRV sshd/HostKey/.* and /usr/sbin/univention-openssh-recreate-host-keys
Comment 5 Janek Walkenhorst univentionstaff 2015-09-01 11:54:10 CEST
<http://errata.univention.de/ucs/4.0/294.html>