GNU bug report logs - #35460
Self supplied SSH host keys

Package: guix

Reported by: rendaw <7e9wc56emjakcm <at> s.rendaw.me>

Date: Sat, 27 Apr 2019 17:46:01 UTC

Severity: wishlist

Found in version 0.16.0


Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):

From: rendaw <7e9wc56emjakcm <at> s.rendaw.me>
To: submit <at> debbugs.gnu.org
Subject: Self supplied SSH host keys
Date: Sun, 28 Apr 2019 02:45:43 +0900
Package: guix
Version: 0.16.0
Severity: wishlist

In a disk-image the ssh host keys are generated anew every time the
system boots.  This is a significant security issue - the unknown host
warnings will cause notification blindness and users won't recognize if
the host is legitimately compromised.

There's a workaround involving mounting the disk image (losetup -fP &
mount) after building it and adding the files that way, but it requires
a patch to the openssh service activation procedure to re-reset the file
permissions (they're set to 644 or something by an earlier statement).
I can submit my patch if there's interest.

This is a wishlist bug though since it requires a method to add files
with sensitive contents to the system, which I made another ticket for
(35459).
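
The permission step of the workaround described above, as an added example that is not part of the original report or of Guix. It assumes the image's root partition is already mounted at a directory (for instance after `losetup -fP` and `mount`) and that the keys use the OpenSSH default names `ssh_host_*_key` under `/etc/ssh`; the function names are hypothetical.

```shell
#!/bin/sh
# Added example; ROOT is the directory where the image's root is mounted (assumption).

# Print private host keys under ROOT/etc/ssh that group or others can access.
# Returns 1 if any were found, 0 otherwise.
check_host_key_perms() {
    root=$1
    bad=0
    for key in "$root"/etc/ssh/ssh_host_*_key; do
        [ -f "$key" ] || continue
        # Characters 5-10 of the ls mode string are the group and other bits.
        if [ "$(ls -ld "$key" | cut -c5-10)" != "------" ]; then
            echo "too open: $key"
            bad=1
        fi
    done
    return "$bad"
}

# Copy pre-generated keys from SRC into ROOT/etc/ssh: private 0600, public 0644.
install_host_keys() {
    src=$1
    root=$2
    mkdir -p "$root/etc/ssh" || return 1
    (
        umask 077   # new files start owner-only, so no readable window
        for key in "$src"/ssh_host_*_key; do
            [ -f "$key" ] || continue
            dest="$root/etc/ssh/$(basename "$key")"
            rm -f "$dest" "$dest.pub"
            cp "$key" "$dest" && chmod 600 "$dest" || exit 1
            if [ -f "$key.pub" ]; then
                cp "$key.pub" "$dest.pub" && chmod 644 "$dest.pub" || exit 1
            fi
        done
    )
}

# Demo on constructed placeholder files (not real keys) in a scratch directory.
demo=$(mktemp -d)
mkdir -p "$demo/keys" "$demo/root/etc/ssh"
echo 'constructed placeholder' > "$demo/keys/ssh_host_ed25519_key"
echo 'constructed placeholder' > "$demo/root/etc/ssh/ssh_host_ed25519_key"
chmod 644 "$demo/root/etc/ssh/ssh_host_ed25519_key"   # the mode the report mentions
check_host_key_perms "$demo/root" || echo "private key too open, reinstalling"
install_host_keys "$demo/keys" "$demo/root" && check_host_key_perms "$demo/root" && echo "ok"
rm -rf "$demo"
```

The check only covers files inside the mounted image; it does not change what the openssh service activation does to the files at boot, which the report says needs a separate patch.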




This bug report was last modified 6 years and 47 days ago.
