On my router running OpenWRT 12.09 stable, both /etc/dropbear/dropbear_dss_host_key and /etc/dropbear/dropbear_rsa_host_key have timestamps of Sep 8 2011. That suggests to me these private keys are not generated upon a device install, or with the first run of Dropbear, and are presumably shared by thousands of OpenWRT installs. Isn't this a major security issue?
EDIT: I should add, I know how to regenerate fresh keys (using dropbearkey), but a lot of people won't think to do that. From what I understand, most big distros generate these keys during install.
(Last edited by gorbachev on 15 Apr 2014, 17:26)