
ssh-keygen systemd service fix

Open lejenome opened this issue 10 years ago • 7 comments

Sorry, I don't want to make anyone's day bad, but just a note for systemd users: they can either mask the default ssh-keygen service, which is named sshdgenkeys.service on Arch Linux:

ln -s /dev/null /etc/systemd/system/sshdgenkeys.service

Or, a better solution is to create a custom service to override the default one, rm bad keys and generate the other secure keys. I'm using this solution, and this is my custom service /etc/systemd/system/sshdgenkeys.service

lejenome, Jan 12 '15 14:01

What is wrong with keeping the keys while leaving only the ed25519 and rsa HostKey items in sshd_config? You can also make dsa and ecdsa world readable so that sshd ignores them.

pirj, Jan 19 '15 23:01

I don't think you should make them world readable, they have to be kept private. When you look at them later, you may not know how long they were readable and who, if anyone, actually read them. I'd move them somewhere else instead where no one can read them.

stribika, Jan 20 '15 01:01

You should make ecdsa and dsa world readable as the most simple option to prevent sshd from using them. Even if they happen to be turned on in sshd_config, they won't even be used. Keep ed25519 and rsa 600.

pirj, Jan 20 '15 20:01

If you make them world readable, you must never use them again. The only reason I can see for keeping them is if you want to re-enable them later without changing your old fingerprint. But you will have to create new ones at that point because any user on your system may have read them.

mv may even be simpler than chmod but that's not the point. Don't make your private key public.

stribika, Jan 20 '15 23:01

The whole point of making them world readable is that they won't be re-generated. Do you get this simple reason for keeping them? In case they were used previously, they (ecdsa, dsa) MUST be re-generated and made world readable after that. Does it feel unsafe to you, and why? Moving them somewhere else won't do the trick. Removing them will trigger their creation on next system start on some systems, and in case you forgot to disable them in sshd_config, ecdsa and dsa have the chance to be in the process. But not when they are world readable. In addition to making them world readable, it's also possible to wipe out their contents. Pretty sure this trick will work.

pirj, Jan 21 '15 06:01

The whole point of this systemd service is that:

  • When I set up a new Linux box and sync my configs and units, if I forget to disable these keys, this service will do it for me. And it will ensure that the rsa key is 4096 bits.
  • If I misconfigure openssh in the future or regenerate these weak keys, this service will fix it when enabling/restarting sshd.

But keeping these keys world readable, even if it works, is still not recommended, and any future misconfiguration or mistake may be even more dangerous.

lejenome, Jan 21 '15 12:01

Creating empty world readable files is fine. This is somewhat similar to the broken symlink trick that used to be there but I removed it since the regenerated config files are not used.

https://github.com/stribika/stribika.github.io/commit/34efeba05752a2465bf25d05decab1b0a4dcb881

stribika, Jan 21 '15 13:01
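
An added example, not part of the thread or of the project's code: a Python audit of the state the participants argue about. It reads the HostKey lines of an sshd_config and flags DSA/ECDSA keys that are still enabled, RSA keys below the 4096 bits lejenome's service enforces, private key files accessible beyond their owner, and missing key files. Assumptions: the function names are made up for this example, Include directives are not followed, and a config with no HostKey line (where sshd falls back to its built-in defaults) produces no findings.

```python
import base64
import os
import struct
import sys

WEAK_TYPES = ("ssh-dss", "ecdsa-sha2-")  # DSA and ECDSA, the types the thread disables
MIN_RSA_BITS = 4096                      # size the thread's service enforces


def _field(blob, off):
    """Read one length-prefixed field of the SSH public key wire format."""
    (size,) = struct.unpack_from(">I", blob, off)
    return blob[off + 4:off + 4 + size], off + 4 + size


def pubkey_info(pub_line):
    """Return (key_type, rsa_bits or None) for the single line of a .pub file."""
    blob = base64.b64decode(pub_line.split()[1])
    ktype, off = _field(blob, 0)
    if ktype != b"ssh-rsa":
        return ktype.decode(), None
    _exponent, off = _field(blob, off)
    modulus, _ = _field(blob, off)
    return "ssh-rsa", int.from_bytes(modulus, "big").bit_length()


def audit_host_keys(config_path="/etc/ssh/sshd_config"):
    """Return (key_path, problem) pairs for the HostKey lines (defaults not modelled)."""
    findings = []
    with open(config_path) as fh:
        words = [line.split("#", 1)[0].split() for line in fh]
    for key in (w[1] for w in words if len(w) == 2 and w[0].lower() == "hostkey"):
        if not os.path.exists(key):
            findings.append((key, "missing: some systems regenerate it at next start"))
            continue
        if os.stat(key).st_mode & 0o077:  # any group/other permission bit
            findings.append((key, "private key accessible beyond owner: replace it"))
        with open(key + ".pub") as fh:
            ktype, bits = pubkey_info(fh.read())
        if ktype.startswith(WEAK_TYPES):
            findings.append((key, "weak type enabled: " + ktype))
        elif bits is not None and bits < MIN_RSA_BITS:
            findings.append((key, "RSA key is only %d bits" % bits))
    return findings


if __name__ == "__main__":
    for path, problem in audit_host_keys(*sys.argv[1:2]):
        print(path, "-", problem)
```

Run it with an optional path to the config file; reading the file modes and .pub files under /etc/ssh normally does not require root.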