On 07/04/2013 01:25:59 AM, Jérémy Bobbio wrote:
> Hi Karl,
> 
> Karl O. Pinc:
> > When installing dropbear after creating a cryptroot setup
> > dropbear creates new keys in /etc/initramfs-tools/etc/dropbear/
> > instead of using the keys in /etc/dropbear/.  This can cause
> > headaches when the ssh client complains of changed host keys.
> 
> This can cause headaches… but it is also a security feature.
> The initramfs must be stored unencrypted for the system to be able to
> boot. Using the same key as the running system means that the encrypted
> root will not protect the SSH key anymore.
> 
> It all depends on one's threat model, but I think that blindly reducing
> the security of the system SSH key is not a good idea…

Fair enough.

A couple of thoughts come to mind.  There should
at least be a note of this made in section 8 of the
README.Debian for cryptsetup.  (I'll see about
sending a patch.)

In my ideal world there would be
a debconf option which provides control over
whether or not there's a different host key
in the initramfs.  Perhaps this should be
recategorized as a wishlist item.

Regards,


Karl <[email protected]>
Free Software:  "You don't pay back, you pay forward."
                 -- Robert A. Heinlein
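
Added example, not part of the original message or of the dropbear or cryptsetup packaging: a check for the situation discussed in this thread, where a host key stored in the unencrypted initramfs is the same key the running system uses. It assumes key files are named `*_host_key` in both directories and only detects byte-identical copies, not the same key stored in a different file format.

```shell
#!/bin/sh
# Added example. Reports dropbear host keys in the unencrypted initramfs
# staging directory that are byte-identical to a key of the running system.
# Assumption: key files are named *_host_key in both directories.

# shared_host_keys SYSTEM_DIR INITRAMFS_DIR
# Prints the file name of each initramfs key that duplicates a system key.
# Exit status: 0 if at least one key is shared, 1 if none are.
shared_host_keys() {
    sys_dir=$1
    boot_dir=$2
    status=1
    for boot_key in "$boot_dir"/*_host_key; do
        [ -f "$boot_key" ] || continue      # unmatched glob or not a file
        for sys_key in "$sys_dir"/*_host_key; do
            [ -f "$sys_key" ] || continue
            # cmp -s compares contents without printing key material
            if cmp -s "$boot_key" "$sys_key"; then
                printf '%s\n' "${boot_key##*/}"
                status=0
                break
            fi
        done
    done
    return "$status"
}

# Usage with the directories named in the thread:
#   shared_host_keys /etc/dropbear /etc/initramfs-tools/etc/dropbear
```

Reading the key files normally requires root, since host keys are not world-readable.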

