From: bug#35460 <35460@debbugs.gnu.org>
Subject: Status: Self supplied SSH host keys
Date: Thu, 12 Jun 2025 15:38:06 +0000

retitle 35460 Self supplied SSH host keys
reassign 35460 guix
submitter 35460 rendaw <7e9wc56emjakcm@s.rendaw.me>
severity 35460 wishlist
thanks

From: rendaw <7e9wc56emjakcm@s.rendaw.me>
To: submit@debbugs.gnu.org
Subject: Self supplied SSH host keys
Date: Sun, 28 Apr 2019 02:45:43 +0900

Package: guix
Version: 0.16.0
Severity: wishlist

In a disk-image the SSH host keys are generated anew every time the system boots. This is a significant security issue - the unknown host warnings will cause notification blindness and users won't recognize if the host is legitimately compromised.

There's a workaround involving mounting the disk image (losetup -fP & mount) after building it and adding the files that way, but it requires a patch to the openssh service activation procedure to re-reset the file permissions (they're set to 644 or something by an earlier statement). I can submit my patch if there's interest.

This is a wishlist bug though, since it requires a method to add files with sensitive contents to the system, which I made another ticket for (35459).
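
A check for the workaround described in the report, as an added example that is not part of the original message or of Guix: run against the mounted image root, it confirms that the supplied host keys are present and that no private key is group- or world-accessible (the 644 case mentioned above). The `etc/ssh/ssh_host_*_key` layout, the function name `check_host_keys` and the mount point passed as its argument are assumptions.

```shell
#!/bin/sh
# Added example: audit SSH host keys under a mounted image root.
# Assumption: keys live at <root>/etc/ssh/ssh_host_*_key (OpenSSH default layout).

# check_host_keys ROOT
# Prints one line per finding and returns 0 only if every private host key
# is non-empty, has a matching .pub file, and grants nothing to group/other.
check_host_keys() {
    root=$1
    rc=0
    found=0
    for key in "$root"/etc/ssh/ssh_host_*_key; do
        [ -e "$key" ] || continue          # glob matched nothing
        found=1
        mode=$(stat -c '%a' "$key")        # GNU stat: octal permission bits
        # A private key readable by group or other (e.g. 644) is the
        # failure the report describes; require (mode & 077) == 0.
        if [ $(( 0$mode & 077 )) -ne 0 ]; then
            echo "BAD-MODE $mode $key"
            rc=1
        fi
        [ -s "$key" ] || { echo "EMPTY $key"; rc=1; }
        [ -f "$key.pub" ] || { echo "NO-PUB $key"; rc=1; }
    done
    if [ "$found" -eq 0 ]; then
        # No pre-seeded keys: the system would generate fresh ones at boot.
        echo "NO-KEYS $root/etc/ssh"
        rc=1
    fi
    return $rc
}

# Usage: sh check-host-keys.sh /mnt/image   (mount point is a placeholder)
if [ "$#" -gt 0 ]; then
    check_host_keys "$1"
fi
```
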