[Bug 1300133] Re: Generate ED25519 host keys on upgrade
Colin Watson
cjwatson at canonical.com
Wed Jan 4 05:09:14 UTC 2017
openssh 1:7.4p1-5 just landed in zesty. Among the changes, from
1:7.4p1-1:
* Start handling /etc/ssh/sshd_config using ucf. The immediate motivation
for this is to deal with deprecations of options related to protocol 1,
but something like this has been needed for a long time (closes:
#419574, #848089):
- sshd_config is now a slightly-patched version of upstream's, and only
contains non-default settings (closes: #147201).
- I've included as many historical md5sums of default versions of
sshd_config as I could reconstruct from version control, but I'm sure
I've missed some.
- Explicitly synchronise the debconf database with the current
configuration file state in openssh-server.config, to ensure that the
PermitRootLogin setting is properly preserved.
- UsePrivilegeSeparation now defaults to the stronger "sandbox" rather
than "yes", per upstream.
Switching to the upstream configuration file has the effect (if
sshd_config was previously some stock version, or if the admin accepts
the ucf-prompted changes) of commenting out all the HostKey lines, at
which point sshd will default to a set including ed25519 and the
postinst will generate that host key. I think that addresses this bug
as thoroughly as is possible.
** Changed in: openssh (Ubuntu)
Status: Confirmed => Fix Released
** Changed in: openssh (Ubuntu)
Assignee: (unassigned) => Colin Watson (cjwatson)
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to openssh in Ubuntu.
https://bugs.launchpad.net/bugs/1300133
Title:
Generate ED25519 host keys on upgrade
Status in openssh package in Ubuntu:
Fix Released
Bug description:
openssh (1:6.5p1-1) unstable; urgency=medium
...
* Generate ED25519 host keys on fresh installations. Upgraders who wish
to add such host keys should manually add 'HostKey
/etc/ssh/ssh_host_ed25519_key' to /etc/ssh/sshd_config and run
'ssh-keygen -q -f /etc/ssh/ssh_host_ed25519_key -N "" -t ed25519'.
...
-- Colin Watson <cjwatson at debian.org> Mon, 10 Feb 2014 14:58:26 +0000
Most users and many administrators are not going to notice the new
host key capabilities when it is buried in a changelog. We should at
least give them an obvious hint about it.
Even better would be to prompt the user to generate the keys with a
debconf question, like was recently done with the 'Change to
"PermitRootLogin without-password"' prompt.
I would like to label this as a security vulnerability, but that may
be a bit over the top; it would be a security improvement!
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/1300133/+subscriptions
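The two situations discussed in this thread (a stock sshd_config whose HostKey lines are commented out, so sshd falls back to its built-in default set, versus an older config with explicit HostKey lines that predate ed25519) can be told apart mechanically. The script below is an added example, not part of the bug report or of the openssh packaging: it works out which host key files a given sshd_config will actually load, reports whether ed25519 is among them, and generates the key with the same ssh-keygen invocation the 6.5p1-1 changelog recommends. The default key set it assumes (rsa, ecdsa, ed25519 under /etc/ssh) is the OpenSSH 7.x one; Match blocks and the `HostKey=path` spelling are not handled.

```shell
#!/bin/sh
# Added example: inspect an sshd_config for its effective HostKey set and
# create the ed25519 host key if it is absent. Not code from the bug report
# or from the openssh package.

# Assumed built-in default for OpenSSH 7.x when no HostKey line is active.
DEFAULT_HOSTKEYS="/etc/ssh/ssh_host_rsa_key /etc/ssh/ssh_host_ecdsa_key /etc/ssh/ssh_host_ed25519_key"

# Print the HostKey paths sshd would load for the given config, one per line.
# Only uncommented HostKey directives count, and the keyword is matched
# case-insensitively as sshd does. With no active directive, the default
# set is printed instead, which is exactly the state the ucf switch to the
# upstream file leaves a previously stock config in.
effective_hostkeys() {
    cfg="$1"
    keys=$(awk '
        /^[[:space:]]*#/ { next }            # skip comment lines
        tolower($1) == "hostkey" { print $2 }
    ' "$cfg")
    if [ -n "$keys" ]; then
        printf '%s\n' "$keys"
    else
        for k in $DEFAULT_HOSTKEYS; do
            printf '%s\n' "$k"
        done
    fi
}

# Succeed (exit 0) if an ed25519 host key is in the effective set.
has_ed25519_hostkey() {
    effective_hostkeys "$1" | grep -q 'ssh_host_ed25519_key$'
}

# Generate the ed25519 host key at the given path unless it already exists.
# This is the command from the 6.5p1-1 changelog entry quoted above.
# Returns 0 if the key file is present afterwards.
ensure_ed25519_hostkey() {
    keyfile="$1"
    if [ -f "$keyfile" ]; then
        return 0
    fi
    ssh-keygen -q -f "$keyfile" -N "" -t ed25519
}

# Full check for one host: report the key set, generate the key if the
# config will load it but the file is missing, and say what else is needed.
check_host() {
    cfg="${1:-/etc/ssh/sshd_config}"
    echo "Effective host keys for $cfg:"
    effective_hostkeys "$cfg"
    if has_ed25519_hostkey "$cfg"; then
        ensure_ed25519_hostkey /etc/ssh/ssh_host_ed25519_key && \
            echo "ed25519 host key present; reload sshd if it was just created."
    else
        echo "Config lists explicit HostKey lines without ed25519; add"
        echo "  HostKey /etc/ssh/ssh_host_ed25519_key"
        echo "then run: ssh-keygen -q -f /etc/ssh/ssh_host_ed25519_key -N \"\" -t ed25519"
    fi
}
```

Source the file and call `check_host` (optionally with a path to a different sshd_config) as root. Note that a freshly generated key is only offered once sshd is reloaded, and that clients which already have the host's RSA key in known_hosts will keep using it unless they are configured to prefer ed25519 host key algorithms.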