Bug 38711

Summary: Make SSH key length configurable through UCR
Product: UCS
Reporter: Michael Grandjean <grandjean>
Component: SSH
Assignee: Philipp Hahn <hahn>
Status: CLOSED FIXED
QA Contact: Daniel Tröder <troeder>
Severity: enhancement
Priority: P5
CC: birkefeld, ebersbach, gohmann, walkenhorst
Version: UCS 4.0
Target Milestone: UCS 4.0-3-errata
Hardware: Other
OS: Linux

Description Michael Grandjean univentionstaff 2015-06-15 12:58:58 CEST
Currently the RSA key used for SSH defaults to 2048 bits. It should be possible to adjust this to e.g. 4096 bits.

AFAIS the keys are generated when installing "openssh-server". Instead of patching the debian package, we might just adjust "univention-openssh-recreate-host-keys" to recreate the keys with the desired key length?
This could then become part of an SDB article or a UCS security guide (Bug#37877).
Comment 1 Philipp Hahn univentionstaff 2015-08-27 11:34:55 CEST
r63289 | Bug #38711 ssh: Configure SSH host key bits
r63284 | Bug #38711 ssh: Configure SSH host key bits
 ucr set sshd/HostKey/rsa=4096
 univention-openssh-recreate-host-keys

Package: univention-ssh
Version: 6.0.0-2.47.201508271121
Branch: ucs_4.0-0
Scope: errata4.0-3

Package: univention-ssh
Version: 7.0.0-1.46.201508271118
Branch: ucs_4.1-0

r63291 | Bug #38609,Bug #38709,Bug #38710,Bug #38711: ssh
 2015-08-27-univention-ssh.yaml
Comment 2 Daniel Tröder univentionstaff 2015-08-28 18:30:19 CEST
If a user specifies an invalid key size, the script aborts after having moved the keys away and leaves the user without SSH keys, i.e. a broken system.

Please modify the script in a way that at least one of the active keys (sshd/HostKey) is available at all times / changed atomically / exists after the script ran.
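The following is an added example, not the univention-ssh script or any code from this bug: it shows the procedure from comment 1 (read the size from UCR, regenerate the host key) done in the order comment 2 asks for. The UCR value is validated first, the new key is generated into a temporary file next to the installed one, and the installed key pair is replaced only after generation succeeded, so an invalid sshd/HostKey/<type> value can never leave sshd without a host key. Assumptions: the key lives at the usual /etc/ssh/ssh_host_<type>_key path, the accepted size ranges in validate_bits are this example's own policy (RSA 2048..16384, DSA 1024, ECDSA 256/384/521) rather than ssh-keygen's limits, and fake_keygen is a constructed stand-in for ssh-keygen so the demo runs offline.

```shell
#!/bin/sh
# Added example (not univention-ssh code): recreate one sshd host key with a
# configurable size -- validate first, generate into a temporary file, and
# replace the installed key only after generation succeeded.
# Usage: recreate_host_key TYPE BITS KEYFILE [GENERATOR]
#   e.g. recreate_host_key rsa "$(ucr get sshd/HostKey/rsa)" /etc/ssh/ssh_host_rsa_key
set -u

# validate_bits TYPE BITS -> 0 if BITS is acceptable for TYPE, else 1.
# The ranges are this example's policy (assumption), not ssh-keygen's limits:
# RSA 2048..16384, DSA exactly 1024, ECDSA one of the NIST curve sizes.
validate_bits() {
    case $2 in
        ''|*[!0-9]*) return 1 ;;        # empty or not purely numeric
    esac
    case $1 in
        rsa)   if [ "$2" -ge 2048 ] && [ "$2" -le 16384 ]; then return 0; fi ;;
        dsa)   if [ "$2" -eq 1024 ]; then return 0; fi ;;
        ecdsa) case $2 in 256|384|521) return 0 ;; esac ;;
    esac
    return 1
}

# recreate_host_key TYPE BITS KEYFILE [GENERATOR]
# GENERATOR defaults to ssh-keygen and must accept -q -t -b -N -f like
# ssh-keygen(1). On every failure path KEYFILE and KEYFILE.pub are untouched.
recreate_host_key() {
    type=$1 bits=$2 keyfile=$3 gen=${4:-ssh-keygen}
    if ! validate_bits "$type" "$bits"; then
        echo "refusing: '$bits' is not a valid $type key size" >&2
        return 1
    fi
    tmp=$keyfile.new.$$
    rm -f "$tmp" "$tmp.pub"
    if ! "$gen" -q -t "$type" -b "$bits" -N '' -f "$tmp" </dev/null; then
        echo "key generation failed, keeping existing $keyfile" >&2
        rm -f "$tmp" "$tmp.pub"
        return 1
    fi
    # Each rename is atomic, so a key file exists at both names at all times.
    mv -f "$tmp.pub" "$keyfile.pub" && mv -f "$tmp" "$keyfile"
}

# Constructed stand-in for ssh-keygen so the example runs offline. It only
# honours -t/-b/-f and fails for sizes over 8192 to exercise the path where
# the generator fails even though validation passed.
fake_keygen() {
    while [ $# -gt 0 ]; do
        case $1 in
            -t) t=$2; shift ;;
            -b) b=$2; shift ;;
            -f) f=$2; shift ;;
        esac
        shift
    done
    [ "$b" -le 8192 ] || return 1
    printf 'fake private %s %s\n' "$t" "$b" > "$f" &&
        printf 'fake public %s %s\n' "$t" "$b" > "$f.pub"
}

# demo: an existing key survives an invalid UCR value and a failed generation,
# and is replaced only by a successful one. Returns 0 if all of that holds.
demo() {
    d=$(mktemp -d) || return 1
    printf 'OLD\n' > "$d/ssh_host_rsa_key"
    printf 'OLD\n' > "$d/ssh_host_rsa_key.pub"
    if recreate_host_key rsa abc "$d/ssh_host_rsa_key" fake_keygen; then return 1; fi
    if recreate_host_key rsa 16384 "$d/ssh_host_rsa_key" fake_keygen; then return 1; fi
    [ "$(cat "$d/ssh_host_rsa_key")" = OLD ] || return 1
    [ "$(cat "$d/ssh_host_rsa_key.pub")" = OLD ] || return 1
    recreate_host_key rsa 4096 "$d/ssh_host_rsa_key" fake_keygen || return 1
    [ "$(cat "$d/ssh_host_rsa_key")" = 'fake private rsa 4096' ] || return 1
    [ ! -e "$d/ssh_host_rsa_key.new.$$" ] || return 1
    rm -rf "$d"
}

if [ "${1:-}" = demo ]; then
    demo && echo "demo: existing key was never lost"
fi
```

Run it as `sh recreate-host-key.sh demo` to see the scenario from comment 2 handled, or source the file and call recreate_host_key once per type listed in sshd/HostKey with the real ssh-keygen. Because each key pair is regenerated and renamed individually, sshd always has its full set of keys on disk even if one type is misconfigured.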
Comment 3 Philipp Hahn univentionstaff 2015-08-30 16:35:21 CEST
r63341 | Bug #38711 ssh: Configure SSH host key bits
 Continue in case of errors
r63342 | Bug #38711 ssh: Configure SSH host key bits

Package: univention-ssh
Version: 6.0.0-3.48.201508301608
Branch: ucs_4.0-0
Scope: errata4.0-3

Package: univention-ssh
Version: 7.0.0-2.49.201508301610
Branch: ucs_4.1-0

r63343 | Bug #38711 ssh: Configure SSH host key bits YAML
 2015-08-27-univention-ssh.yaml
Comment 4 Daniel Tröder univentionstaff 2015-08-31 09:12:11 CEST
OK: code
OK: yaml
OK: manual test of UCRV sshd/HostKey/.* and /usr/sbin/univention-openssh-recreate-host-keys
Comment 5 Janek Walkenhorst univentionstaff 2015-09-01 11:54:10 CEST
<http://errata.univention.de/ucs/4.0/294.html>