On Sun, Jan 26, 2025 at 08:20:56PM +0200, Martin-Éric Racine wrote:
> On Sun 26.1.2025 at 20.09, Colin Watson (cjwat...@debian.org) wrote:
> > That's about DH moduli rather than host key sizes, right?  That feels
> > somewhat different, because we just ship upstream's moduli file as a
> > conffile, so providing any debconf-style control over that would be very
> > difficult to do in a policy-compliant way.  (I'm also not sure what the
> > compatibility implications are of dropping the smaller primes; I assume
> > there must be some or upstream would probably have done it already ...)
> 
> openssh-server: /etc/ssh/moduli
> 
> In principle, this is in the /etc hierarchy, so it should be possible
> to treat it like a config and explicitly skip overwriting it with a
> debconf question, if we have modified the file such as by removing low
> primes.

Not without migrating it away from being a dpkg-managed conffile, which
introduces a considerable amount of maintainer script complexity.

debconf questions (or any other kind of maintainer-script-driven changes
to configuration files) cannot coexist gracefully with dpkg management
of conffiles.  They only work with non-dpkg-managed configuration files.

> > > For what it's worth, I fully agree with Colin that some of Joe Testa's
> > > recommended hardening measures lack proper justification. Damien
> > > Miller noticed the same thing, when I recently asked him to comment on
> > > the recommendations.
> >
> > Are those comments somewhere public so that I can look at them?
> 
> No, I just directly e-mailed Damien asking him whether he agreed with
> the recommendations 'ssh-audit' makes. He wasn't aware of the
> existence of the tool or the hardening guide. His initial impression
> was that some recommendations are perplexing. For instance, he doesn't
> understand Joe's recommendation against ECDH kex being justified by
> "heavy suspicion in the community that it is backdoored by a 3-letter
> agency."

Yeah, at this point I'm not inclined to treat ssh-audit as having any
special authority.  It's mostly just one person's recommendations, which
may or may not be good on their own individual merits - but I don't
intend to accept it as a target to work towards in general.

-- 
Colin Watson (he/him)                              [cjwat...@debian.org]
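The thread above talks about "removing low primes" from /etc/ssh/moduli without showing what that operation looks like. The following is an added example, not code from the thread or from the openssh package: it parses the documented moduli(5) line layout (time, type, tests, trials, size, generator, modulus, where `size` is the group length in bits minus one) and reports how many groups of each size a file holds and which lines a minimum-size cutoff would drop. The sample lines embedded in it are constructed for illustration, with placeholder text in the modulus column rather than real group parameters; the `min_bits` cutoff of 3072 used in the usage note is an assumed value, not a recommendation from the thread.

```python
"""Summarise and filter OpenSSH moduli lines by Diffie-Hellman group size.

Added example (not part of the original mailing-list thread). It assumes
the moduli(5) line format:

    time type tests trials size generator modulus

where `size` is the modulus length in bits minus one (2047 for a 2048-bit
group), and '#' lines are comments.
"""
import sys
from collections import Counter

# Constructed sample data. Real lines carry a long hex modulus; the last
# column here is a placeholder, not a usable group.
SAMPLE_MODULI = """\
# Time Type Tests Tries Size Generator Modulus
20240101000000 2 6 100 2047 2 PLACEHOLDERMODULUS_A
20240101000001 2 6 100 2047 5 PLACEHOLDERMODULUS_B
20240101000002 2 6 100 3071 2 PLACEHOLDERMODULUS_C
20240101000003 2 6 100 4095 2 PLACEHOLDERMODULUS_D
20240101000004 2 6 100 7679 2 PLACEHOLDERMODULUS_E
"""


def iter_entries(text):
    """Yield (size_in_bits, line) for every line; size is None for comments/blanks."""
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            yield None, line
            continue
        fields = stripped.split()
        if len(fields) != 7:
            raise ValueError(f"malformed moduli line: {line!r}")
        # The size column stores bits minus one; report the usual group size.
        yield int(fields[4]) + 1, line


def size_histogram(text):
    """Count moduli entries per group size (bits)."""
    return Counter(size for size, _ in iter_entries(text) if size is not None)


def filter_moduli(text, min_bits):
    """Return the file with every group smaller than min_bits removed.

    Comment lines are preserved so the header survives; the result is the
    text one would write back only after migrating the file away from being
    a dpkg-managed conffile, as the thread discusses.
    """
    kept = [line for size, line in iter_entries(text)
            if size is None or size >= min_bits]
    return "\n".join(kept) + "\n"


def dropped_count(text, min_bits):
    """How many entries a given cutoff would discard."""
    return sum(1 for size, _ in iter_entries(text)
               if size is not None and size < min_bits)


if __name__ == "__main__":
    # Usage: python moduli_sizes.py [/etc/ssh/moduli] [min_bits]
    path = sys.argv[1] if len(sys.argv) > 1 else None
    min_bits = int(sys.argv[2]) if len(sys.argv) > 2 else 3072
    data = open(path).read() if path else SAMPLE_MODULI
    for size, count in sorted(size_histogram(data).items()):
        print(f"{size}-bit groups: {count}")
    print(f"entries below {min_bits} bits: {dropped_count(data, min_bits)}")
```

Running it without arguments works on the embedded sample; pointing it at a real /etc/ssh/moduli only reads the file and prints the histogram, so it is safe to use as an audit step before deciding whether a cutoff is worth the conffile-management cost the thread describes.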
