GNU bug report logs - #35460
Self supplied SSH host keys


Package: guix;

Reported by: rendaw <7e9wc56emjakcm <at> s.rendaw.me>

Date: Sat, 27 Apr 2019 17:46:01 UTC

Severity: wishlist

Found in version 0.16.0

To reply to this bug, email your comments to 35460 AT debbugs.gnu.org.



Report forwarded to bug-guix <at> gnu.org:
bug#35460; Package guix. (Sat, 27 Apr 2019 17:46:01 GMT)

Acknowledgement sent to rendaw <7e9wc56emjakcm <at> s.rendaw.me>:
New bug report received and forwarded. Copy sent to bug-guix <at> gnu.org. (Sat, 27 Apr 2019 17:46:01 GMT)

Message #5 received at submit <at> debbugs.gnu.org:

From: rendaw <7e9wc56emjakcm <at> s.rendaw.me>
To: submit <at> debbugs.gnu.org
Subject: Self supplied SSH host keys
Date: Sun, 28 Apr 2019 02:45:43 +0900
Package: guix
Version: 0.16.0
Severity: wishlist

In a disk-image the ssh host keys are generated anew every time the
system boots.  This is a significant security issue - the unknown host
warnings will cause notification blindness and users won't recognize if
the host is legitimately compromised.

There's a workaround involving mounting the disk image (losetup -fP &
mount) after building it and adding the files that way, but it requires
a patch to the openssh service activation procedure to re-reset the file
permissions (they're set to 644 or something by an earlier statement).
I can submit my patch if there's interest.

This is a wishlist bug though since it requires a method to add files
with sensitive contents to the system, which I made another ticket for
(35459).
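The workaround sketched in the report, staging operator-generated host keys into the image and making sure their permissions end up as sshd requires, can be scripted. The following is an added example written for this page, not code from the bug report or from Guix: it assumes the image has already been attached and mounted (the `losetup -fP` and `mount` steps from the report), so `ROOT` is that mount point, and `KEYDIR` holds `ssh_host_*_key` / `.pub` pairs produced earlier with `ssh-keygen`. The image file name, partition number and directory names below are placeholders. The second function is the check the report's activation-permission problem calls for: run it after the system has been activated to catch host keys that were reset to a group- or world-readable mode.

```shell
#!/bin/sh
# Added example (not from the bug report or Guix).  Stage pre-generated
# SSH host keys into an image's root filesystem with the permissions
# sshd expects.  Assumes the image is already attached and mounted, e.g.
#   losetup -fP guix-disk-image.img   (placeholder image file name)
#   mount /dev/loop0p2 /mnt           (loop device and partition assumed)
# and that KEYDIR contains ssh_host_*_key{,.pub} files made with ssh-keygen.
set -eu

# install_host_keys ROOT KEYDIR
# Copies every ssh_host_*_key and its .pub into ROOT/etc/ssh.  Private
# keys become 0600 (sshd refuses host keys readable by group or others),
# public keys 0644.  Returns 0 on success, 1 if KEYDIR held no host keys.
install_host_keys() {
    root=$1
    keydir=$2
    found=0
    mkdir -p "$root/etc/ssh"
    for priv in "$keydir"/ssh_host_*_key; do
        [ -f "$priv" ] || continue
        found=1
        name=$(basename "$priv")
        cp "$priv" "$root/etc/ssh/$name"
        chmod 0600 "$root/etc/ssh/$name"
        if [ -f "$priv.pub" ]; then
            cp "$priv.pub" "$root/etc/ssh/$name.pub"
            chmod 0644 "$root/etc/ssh/$name.pub"
        fi
    done
    [ "$found" -eq 1 ]
}

# check_host_key_perms ROOT
# Verifies that no private host key under ROOT/etc/ssh is readable by
# group or others.  Prints each offender and returns 1 if any is found,
# so it can run after activation to detect keys reset to 644.
# Uses GNU stat(1) (-c '%a'); adjust on non-GNU systems.
check_host_key_perms() {
    root=$1
    bad=0
    for priv in "$root"/etc/ssh/ssh_host_*_key; do
        [ -f "$priv" ] || continue
        mode=$(stat -c '%a' "$priv")
        case "$mode" in
            600|400) ;;
            *) echo "insecure mode $mode on $priv"; bad=1 ;;
        esac
    done
    [ "$bad" -eq 0 ]
}

# Example invocation against the mount point from the losetup/mount step
# (placeholder paths):
#   install_host_keys /mnt /root/staged-host-keys
#   check_host_key_perms /mnt
```

Because the keys are written onto the image before first boot, every boot of that image presents the same host key, so a client's `known_hosts` entry stays valid and a changed-key warning once again means something has actually changed rather than being routine noise.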




This bug report was last modified 6 years and 46 days ago.



GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.