FS#46952 - [openssh] Add etc/ssh/moduli to backup=() array in PKGBUILD

Attached to Project: Arch Linux
Opened by Bastien Traverse (Neitsab) - Monday, 02 November 2015, 18:24 GMT
Last edited by Gaetan Bisson (vesath) - Monday, 02 November 2015, 19:55 GMT
Task Type Bug Report
Category Packages: Core
Status Closed
Assigned To Gaetan Bisson (vesath)
Architecture All
Severity Low
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 1
Private No

Details

Currently /etc/ssh/moduli is overridden on upgrades because it doesn't appear in openssh PKGBUILD backup=() array [1].

However users may wish to use locally generated moduli for security reasons, as explained in [2][3]. It is even an officially recommended countermeasure against the LOGJAM attack ([4], bottom of the page). Automatic override defeats this countermeasure and may go unnoticed for a long time (a couple of months in my case).

Adding 'etc/ssh/moduli' to openssh PKGBUILD backup=() array will make sure local modifications are preserved during upgrades, and users prompted when changes occur.

[1] https://projects.archlinux.org/svntogit/packages.git/tree/trunk/PKGBUILD?h=packages/openssh#n33
[2] https://security.stackexchange.com/questions/41941/consequences-of-tampered-etc-ssh-moduli#41947
[3] https://security.stackexchange.com/questions/79043/is-it-considered-worth-it-to-replace-opensshs-moduli-file
[4] https://weakdh.org/sysadmin.html

Additional info:
* package version(s): 7.1p1-1

Closed by  Gaetan Bisson (vesath)
Monday, 02 November 2015, 19:55 GMT
Reason for closing:  Duplicate
Additional comments about closing:   FS#45515 
 FS#45072 
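
The check behind this report, as an added example that is not part of the ticket or of Arch's packaging code: it reads a PKGBUILD's backup=() array as text, without sourcing the file, and reports whether /etc/ssh/moduli is listed. The two PKGBUILD fragments and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the ticket or the Arch packaging repo).
# Reads backup=() from a PKGBUILD as text; sourcing a PKGBUILD would run its code.

backup_entries() {   # $1: PKGBUILD path; prints one backup entry per line
    awk -v sq="'" '
        /^[ \t]*backup=\(/ { inarr = 1; sub(/^[ \t]*backup=\(/, "") }
        inarr {
            line = $0
            sub(/#.*/, "", line)              # drop trailing comments
            end_at = index(line, ")")         # does the array close on this line?
            if (end_at) line = substr(line, 1, end_at - 1)
            gsub(sq, "", line); gsub(/"/, "", line)
            n = split(line, parts, /[ \t]+/)
            for (i = 1; i <= n; i++) if (parts[i] != "") print parts[i]
            if (end_at) inarr = 0
        }
    ' "$1"
}

is_backed_up() {     # $1: PKGBUILD path, $2: file path (leading "/" optional)
    backup_entries "$1" | grep -Fxq -- "${2#/}"
}

# Constructed PKGBUILD fragments: the array without and with the proposed entry.
sample_dir=$(mktemp -d)
cat > "$sample_dir/PKGBUILD.before" <<'EOF'
pkgname=openssh
backup=('etc/ssh/ssh_config' 'etc/ssh/sshd_config' 'etc/pam.d/sshd')
EOF
cat > "$sample_dir/PKGBUILD.after" <<'EOF'
pkgname=openssh
backup=('etc/ssh/ssh_config'
        'etc/ssh/sshd_config'   # server config
        'etc/pam.d/sshd'
        'etc/ssh/moduli')
EOF

for f in before after; do
    if is_backed_up "$sample_dir/PKGBUILD.$f" /etc/ssh/moduli; then
        echo "$f: /etc/ssh/moduli is in backup=(), local edits are preserved"
    else
        echo "$f: /etc/ssh/moduli is NOT in backup=(), upgrades replace it"
    fi
done
```

Pointing `is_backed_up` at a real PKGBUILD checkout gives the same answer for any other locally hardened file.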
