Univention Bugzilla – Bug 38710
univention-openssh-recreate-host-keys doesn't recreate RSA1 keys
Last modified: 2015-09-01 11:54:04 CEST
univention-openssh-recreate-host-keys only recreates the DSA and the RSA key:
> ssh-keygen -q -f /etc/ssh/ssh_host_rsa_key -N '' -t rsa
> ssh-keygen -q -f /etc/ssh/ssh_host_dsa_key -N '' -t dsa
But there is also "/etc/ssh/ssh_host_key", which is an RSA1 key used for SSHv1. This one is NOT recreated and therefore stays the same. So, if you run "univention-openssh-recreate-host-keys" after a breach, you still have one vulnerable key left.
Personally, I think we should just drop SSHv1 and RSA1 key support - see Bug#38709.
Created attachment 7024
Recreates also RSAv1 if present, considers sshd/hostkeys/bits
The attached version of univention-openssh-recreate-host-keys does the job. Not sure about the style, though.
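As an added example (not the attached Univention script), a POSIX shell version of the regeneration that also replaces the RSA1 key when one exists and removes each old key pair before calling ssh-keygen; the key paths, the list of SSHv2 types and the HOSTKEY_BITS variable standing in for sshd/hostkeys/bits are assumptions.

```shell
#!/bin/sh
# Added example, not the Univention script. Regenerates the SSHv2 host keys and,
# only if the file exists, the SSHv1 RSA1 key, so no stale key survives a re-key.
# Assumed: Debian-style paths under $SSH_DIR; HOSTKEY_BITS stands in for the
# sshd/hostkeys/bits setting and is applied to the RSA-family keys only.
set -eu
SSH_DIR="${SSH_DIR:-/etc/ssh}"
HOSTKEY_BITS="${HOSTKEY_BITS:-}"
DRY_RUN="${DRY_RUN:-0}"   # 1 = print the ssh-keygen command instead of running it

# One "type path" line per key to regenerate. The SSHv2 types are always listed;
# the RSA1 key is listed only when present, which is exactly the case from the
# bug report (an old key that the script used to leave behind).
list_host_keys() {
    printf '%s %s\n' rsa "$SSH_DIR/ssh_host_rsa_key"
    printf '%s %s\n' dsa "$SSH_DIR/ssh_host_dsa_key"
    printf '%s %s\n' ecdsa "$SSH_DIR/ssh_host_ecdsa_key"
    if [ -f "$SSH_DIR/ssh_host_key" ]; then
        printf '%s %s\n' rsa1 "$SSH_DIR/ssh_host_key"
    fi
}

# Remove the old key pair first: ssh-keygen prompts before overwriting an
# existing file even with -q, which would hang a non-interactive run.
recreate_host_key() {
    ktype=$1; path=$2
    set -- -q -f "$path" -N '' -t "$ktype"
    if [ -n "$HOSTKEY_BITS" ]; then
        case $ktype in
            rsa|rsa1) set -- "$@" -b "$HOSTKEY_BITS" ;;
        esac
    fi
    if [ "$DRY_RUN" = 1 ]; then
        printf 'ssh-keygen %s\n' "$*"
        return 0
    fi
    rm -f "$path" "$path.pub"
    ssh-keygen "$@"
}

recreate_all_host_keys() {
    list_host_keys | while read -r ktype path; do
        recreate_host_key "$ktype" "$path"
    done
}

# Only touch the system when explicitly asked: ./recreate-host-keys.sh --run
if [ "${1:-}" = "--run" ]; then
    recreate_all_host_keys
fi
```

sshd reads its host keys only at start, so restart it after a run with --run. Every client that still has the old fingerprints in known_hosts will see a host-key-changed warning on its next connection, which is the expected result of a re-key.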
r63288 | Bug #38710 ssh: Re-create all ssh host keys
r63283 | Bug #38710 ssh: Re-create all ssh host keys
"ecdsa" enabled, too
All supported types are re-created
Package: univention-ssh
Version: 6.0.0-2.47.201508271121
Branch: ucs_4.0-0
Scope: errata4.0-3
Package: univention-ssh
Version: 7.0.0-1.46.201508271118
Branch: ucs_4.1-0
r63291 | Bug #38609,Bug #38709,Bug #38710,Bug #38711: ssh
2015-08-27-univention-ssh.yaml
OK: code
OK: 4.1 merge
OK: YAML
<http://errata.univention.de/ucs/4.0/294.html>