Self supplied SSH host keys

Details
  • Status: Open
  • Participants: rendaw (one participant)
  • Owner: unassigned
  • Submitted by: rendaw
  • Severity: wishlist

rendaw wrote on 27 Apr 2019 19:45
(address . submit@debbugs.gnu.org)
e6456771-5f66-a032-a2e2-826295dd0a7a@s.rendaw.me
Package: guix
Version: 0.16.0
Severity: wishlist

In a disk-image the ssh host keys are generated anew every time the
system boots. This is a significant security issue - the unknown host
warnings will cause notification blindness and users won't recognize if
the host is legitimately compromised.

There's a workaround involving mounting the disk image (losetup -fP &
mount) after building it and adding the files that way, but it requires
a patch to the openssh service activation procedure to re-reset the file
permissions (they're set to 644 or something by an earlier statement).
I can submit my patch if there's interest.

This is a wishlist bug though since it requires a method to add files
with sensitive contents to the system, which I made another ticket for
(35459).
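
An added example, not part of the original report or of Guix: a check to run against the mounted image root before unmounting it, since sshd will not load a private host key that is readable by group or others. The `etc/ssh/ssh_host_*_key` layout and the `IMAGE_ROOT` variable are assumptions.

```shell
#!/bin/sh
# Added example: audit pre-seeded SSH host keys under a mounted image root.
# Assumption: keys live in <root>/etc/ssh/ssh_host_*_key with a .pub beside each.

# check_host_keys ROOT
# Prints one line per problem. Returns 0 when every private key is mode
# 600 or 400 and has its public half, 1 on any problem, 2 if no keys exist.
check_host_keys() {
    dir="$1/etc/ssh"
    status=0
    found=0
    for key in "$dir"/ssh_host_*_key; do
        [ -f "$key" ] || continue      # unmatched glob stays literal
        found=1
        # First ten characters of ls -l are the type and permission bits.
        mode=$(ls -ld "$key" | cut -c1-10)
        case $mode in
            -rw-------|-r--------) ;;
            *) echo "too open: $key ($mode)"; status=1 ;;
        esac
        if [ ! -f "$key.pub" ]; then
            echo "missing public half: $key.pub"
            status=1
        fi
    done
    if [ "$found" -eq 0 ]; then
        echo "no host keys under $dir"
        return 2
    fi
    return "$status"
}

# fix_host_keys ROOT
# Resets private keys to 600 and public keys to 644.
fix_host_keys() {
    for key in "$1"/etc/ssh/ssh_host_*_key; do
        [ -f "$key" ] || continue
        chmod 600 "$key"
        if [ -f "$key.pub" ]; then chmod 644 "$key.pub"; fi
    done
    return 0
}

# Hypothetical entry point: IMAGE_ROOT=/mnt sh this-script.sh
if [ -n "${IMAGE_ROOT:-}" ]; then
    check_host_keys "$IMAGE_ROOT"
fi
```

A result of 2 means the image carries no host keys at all, which is the state in which they would be generated at boot.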

To comment on this conversation send an email to 35460@debbugs.gnu.org
