GNU bug report logs - #35460
Self supplied SSH host keys

Please note: This is a static page, with minimal formatting, updated once a day.
Click here to see this page with the latest information and nicer formatting.

Package: guix; Severity: wishlist; Reported by: rendaw <7e9wc56emjakcm@HIDDEN>; dated Sat, 27 Apr 2019 17:46:01 UTC; Maintainer for guix is bug-guix@HIDDEN.

Message received at submit <at> debbugs.gnu.org:


Received: (at submit) by debbugs.gnu.org; 27 Apr 2019 17:45:54 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Sat Apr 27 13:45:54 2019
Received: from localhost ([127.0.0.1]:35965 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1hKROc-0002DS-0t
	for submit <at> debbugs.gnu.org; Sat, 27 Apr 2019 13:45:54 -0400
Received: from out3-smtp.messagingengine.com ([66.111.4.27]:48127)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <7e9wc56emjakcm@HIDDEN>) id 1hKROZ-000261-Qa
 for submit <at> debbugs.gnu.org; Sat, 27 Apr 2019 13:45:52 -0400
Received: from compute6.internal (compute6.nyi.internal [10.202.2.46])
 by mailout.nyi.internal (Postfix) with ESMTP id 5383821785
 for <submit <at> debbugs.gnu.org>; Sat, 27 Apr 2019 13:45:46 -0400 (EDT)
Received: from mailfrontend1 ([10.202.2.162])
 by compute6.internal (MEProxy); Sat, 27 Apr 2019 13:45:46 -0400
Received: from [192.168.1.35] (y236169.dynamic.ppp.asahi-net.or.jp
 [118.243.236.169])
 by mail.messagingengine.com (Postfix) with ESMTPA id 3C118E4173
 for <submit <at> debbugs.gnu.org>; Sat, 27 Apr 2019 13:45:45 -0400 (EDT)
To: submit <at> debbugs.gnu.org
From: rendaw <7e9wc56emjakcm@HIDDEN>
Subject: Self supplied SSH host keys
Message-ID: <e6456771-5f66-a032-a2e2-826295dd0a7a@HIDDEN>
Date: Sun, 28 Apr 2019 02:45:43 +0900
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101
 Thunderbird/60.5.3
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Language: en-US
Content-Transfer-Encoding: 7bit
X-Spam-Score: -0.7 (/)
X-Debbugs-Envelope-To: submit
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -1.7 (-)

Package: guix
Version: 0.16.0
Severity: wishlist

In a disk-image the ssh host keys are generated anew every time the
system boots.  This is a significant security issue - the unknown host
warnings will cause notification blindness and users won't recognize if
the host is legitimately compromised.

There's a workaround involving mounting the disk image (losetup -fP &
mount) after building it and adding the files that way, but it requires
a patch to the openssh service activation procedure to re-reset the file
permissions (they're set to 644 or something by an earlier statement).
I can submit my patch if there's interest.

This is a wishlist bug though since it requires a method to add files
with sensitive contents to the system, which I made another ticket for
(35459).
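The installation step the workaround above describes, as an added shell example that is not code from the bug report or from Guix: copy pre-generated OpenSSH host keys into the root of a mounted image with the permissions sshd expects (0600 for private keys, 0644 for public keys), then re-check those permissions after the system's activation step, which the report says resets them. Loop-mounting the image (losetup -fP and mount) needs root and is left to the operator; the functions take the mount point as a parameter. The /etc/ssh location, the ssh_host_*_key naming and the placeholder key files used for testing are assumptions.

```shell
#!/bin/sh
# Added example (not from the bug report or from Guix): install pre-generated
# OpenSSH host keys into TARGET_ROOT (e.g. a loop-mounted disk image) and
# enforce the file modes sshd requires. Paths and key names are assumptions.
set -eu

# Copy every ssh_host_*_key (and matching .pub) from SRC_DIR into
# TARGET_ROOT/etc/ssh. Private keys become 0600, public keys 0644.
# Ownership is only changed when running as root, so the example also
# runs unprivileged against a scratch directory.
install_host_keys() {
    src_dir=$1
    target_root=$2
    dest="$target_root/etc/ssh"
    mkdir -p "$dest"
    for key in "$src_dir"/ssh_host_*_key; do
        [ -f "$key" ] || continue
        name=$(basename "$key")
        cp "$key" "$dest/$name"
        chmod 0600 "$dest/$name"
        if [ -f "$key.pub" ]; then
            cp "$key.pub" "$dest/$name.pub"
            chmod 0644 "$dest/$name.pub"
        fi
        if [ "$(id -u)" -eq 0 ]; then
            chown root:root "$dest/$name" 2>/dev/null || true
            [ -f "$dest/$name.pub" ] && chown root:root "$dest/$name.pub" 2>/dev/null || true
        fi
    done
}

# Return 0 when at least one private host key exists under
# TARGET_ROOT/etc/ssh and every one of them is exactly mode 0600;
# return 1 otherwise. Run this after the activation step that the
# report says loosens the mode; a world-readable private key is both
# a secret leak and something sshd will refuse to load.
verify_host_key_perms() {
    target_root=$1
    dest="$target_root/etc/ssh"
    count=0
    for key in "$dest"/ssh_host_*_key; do
        [ -f "$key" ] || continue
        count=$((count + 1))
        # find on a single file evaluates only that file; empty output
        # means the mode is not 0600 (works with GNU and BSD find).
        [ -n "$(find "$key" -perm 0600)" ] || return 1
    done
    [ "$count" -gt 0 ]
}
```

Because the keys are installed once rather than generated on every boot, the host's fingerprint stays stable, so a client's known_hosts entry keeps its meaning and an unexpected host-key warning is again a signal worth investigating rather than routine noise. Keeping the private key files at 0600 matters for the same reason: a host key that is readable by other users on the image is no longer a secret.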

Acknowledgement sent to rendaw <7e9wc56emjakcm@HIDDEN>:
New bug report received and forwarded. Copy sent to bug-guix@HIDDEN. Full text available.
Report forwarded to bug-guix@HIDDEN:
bug#35460; Package guix. Full text available.
Last modified: Mon, 25 Nov 2019 12:00:02 UTC

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997 nCipher Corporation Ltd, 1994-97 Ian Jackson.