Bug 1212020

Summary:	openssh: Stop creating DSA host keys
Product:	[openSUSE] openSUSE Tumbleweed	Reporter:	Jörg Sonnenberger <joerg>
Component:	Security	Assignee:	Hans Petter Jansson <hpj>
Status:	NEW ---	QA Contact:	E-mail List <qa-bugs>
Severity:	Minor
Priority:	P5 - None	CC:	Andreas.Stieger, meissner
Version:	Current
Target Milestone:	---
Hardware:	Other
OS:	Other
Whiteboard:
Found By:	---	Services Priority:
Business Priority:		Blocker:	---
Marketing QA Status:	---	IT Deployment:	---

Description Jörg Sonnenberger 2023-06-05 11:55:41 UTC

sshd has supported a number of public key algorithms to identify the host. DSA is one of the oldest and due to the key size nowadays considered plainly insecure, to the point that DSA user keys are disabled by default. There should be no need to create them by default as any client of the ssh2 protocol should support at least RSA with reasonable defaults.

Note: I'm not asking about removing existing keys, just that they are no longer created.

Comment 1 Andreas Stieger 2023-06-05 13:41:37 UTC

https://build.opensuse.org/package/view_file/network/openssh/sshd-gen-keys-start?expand=1

> ssh-keygen -A