Bug 1023945 - openssh does not create host key ssh_host_ecdsa_key

Summary: openssh does not create host key ssh_host_ecdsa_key
Product: Fedora
Component: openssh
Version: 20
Hardware: Unspecified
OS: Unspecified
Status: CLOSED ERRATA
Severity: unspecified
Priority: unspecified
Keywords: Reopened
Reporter: Sergio Pascual <sergio.pasra>
Assignee: Petr Lautrbach <plautrba>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
CC: aschorr, cristian.ciupitu, kenny, mattias.ellert, mgrepl, michal, plautrba, reklov, tmraz, tom
Type: Bug
Doc Type: Bug Fix
Fixed In Version: openssh-6.1p1-11.fc18
Clones: 1046025
Bug Blocks: 1019222, 1046025
Last Closed: 2013-12-13 05:05:28 UTC
Description
Sergio Pascual
2013-10-28 12:11:17 UTC

You need to generate ecc keys manually, see do_ecdsa_keygen() in /usr/sbin/sshd-keygen, or to enable generating all keys in /etc/sysconfig/sshd:

    # Configuration file for the sshd service.
    # The server keys are automatically generated if they are omitted;
    # to change the automatic creation uncomment the appropriate
    # line. The default is RSAONLY
    #
    # AUTOCREATE_SERVER_KEYS=RSAONLY
    # AUTOCREATE_SERVER_KEYS=NO
    # AUTOCREATE_SERVER_KEYS=YES

I disagree. Not that I'm lazy and don't want to create the keys by myself. But the change to enable EC in openssh was not made by me. It was pulled in by a yum update. As a result I have hundreds of errors in my logs like this:

    error: Could not load host key: /etc/ssh/ssh_host_ecdsa_key

This has to work out of the box. If sshd_config requires a key, it has to be created. Not doing it puts an unnecessary burden on the users.

So this is more about logging of unnecessary messages in the default configuration. By default, only RSA keys are created and no particular keys are set in sshd_config, so sshd tries to use all 3 types - dsa, rsa, ecdsa - regardless of their existence.

Created attachment 817072 [details]
do not use absent host keys for default HostKey value

This patch adds checks of host key existence if the HostKey option is not set.

openssh-6.2p2-6.fc19 has been submitted as an update for Fedora 19.
https://admin.fedoraproject.org/updates/openssh-6.2p2-6.fc19

openssh-6.2p2-6.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.

I have openssh-6.3p1-5.fc20.x86_64 and the problem persists.

(In reply to Sergio Pascual from comment #7)
> I have openssh-6.3p1-5.fc20.x86_64 and the problem persists

That's because it doesn't include the patch. See for yourself by running:

    rpm -q --changelog openssh

I just installed openssh-6.2p2-6.fc19.x86_64, and it looks like /etc/ssh/ssh_host_ecdsa_key is not created with the correct permissions:

    bash-4.2$ ls -l /etc/ssh/*ecdsa*
    -rw------- 1 root ssh_keys 227 Nov 30 10:53 /etc/ssh/ssh_host_ecdsa_key
    -rw-r--r-- 1 root root     162 Nov 30 10:53 /etc/ssh/ssh_host_ecdsa_key.pub

The ssh_host_ecdsa_key file should have group read enabled. Without that, host-based authentication does not work properly, even if one is not using the ecdsa keys:

    debug1: could not open key file '/etc/ssh/ssh_host_ecdsa_key': Permission denied

And the authentication fails. Please fix the permissions.

Thanks,
Andy

    bash-4.2$ grep chmod /usr/sbin/sshd-keygen
    chmod 640 $RSA1_KEY
    chmod 644 $RSA1_KEY.pub
    chmod 640 $RSA_KEY
    chmod 644 $RSA_KEY.pub
    chmod 640 $DSA_KEY
    chmod 644 $DSA_KEY.pub
    chmod 600 $ECDSA_KEY
    chmod 644 $ECDSA_KEY.pub

That should be "chmod 640 $ECDSA_KEY". Do I need to open a new bug for this issue?

I guess so, but the bugzilla does not seem to allow the creation of new Fedora bugs for the past day or so, as per bug #1039381.

I'm about to build and push an update with fixed permissions, it's already in the dist git -
http://pkgs.fedoraproject.org/cgit/openssh.git/commit/?h=f19&id=963137cbfb09a82a529faf53aa44bfd7e296da03

As for "debug1: could not open key file '/etc/ssh/ssh_host_ecdsa_key': Permission denied", the plan is to uncomment the "HostKey /etc/ssh/ssh_host_rsa_key" line in the default sshd_config in F19 so that users with the default configuration won't see this message any more. Users with changes in the config will have to merge their changes with /etc/ssh/sshd_config.rpmnew, as is usual when a config file changes.

For F20 and later, there will be AUTOCREATE_SERVER_KEYS=NODSA and sshd_config with

    HostKey /etc/ssh/ssh_host_rsa_key
    HostKey /etc/ssh/ssh_host_ecdsa_key

openssh-6.4p1-3.fc20 has been submitted as an update for Fedora 20.
https://admin.fedoraproject.org/updates/openssh-6.4p1-3.fc20

openssh-6.2p2-7.fc19 has been submitted as an update for Fedora 19.
https://admin.fedoraproject.org/updates/openssh-6.2p2-7.fc19

openssh-6.1p1-11.fc18 has been submitted as an update for Fedora 18.
https://admin.fedoraproject.org/updates/openssh-6.1p1-11.fc18

Package openssh-6.4p1-3.fc20:
* should fix your issue,
* was pushed to the Fedora 20 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing openssh-6.4p1-3.fc20'
as soon as you are able to.

Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-23163/openssh-6.4p1-3.fc20
then log in and leave karma (feedback).

openssh-6.2p2-7.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.

openssh-6.4p1-3.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.

This update still won't cause the ECDSA key to be created if the RSA and DSA keys exist, as the sshd-keygen.service unit only runs if either /etc/ssh/ssh_host_rsa_key or /etc/ssh/ssh_host_dsa_key is missing. As the default is to only generate RSA and ECDSA, the unit file should probably be changed from:

    ConditionPathExists=|!/etc/ssh/ssh_host_rsa_key
    ConditionPathExists=|!/etc/ssh/ssh_host_dsa_key

to:

    ConditionPathExists=|!/etc/ssh/ssh_host_rsa_key
    ConditionPathExists=|!/etc/ssh/ssh_host_ecdsa_key

openssh-6.1p1-11.fc18 has been pushed to the Fedora 18 stable repository. If problems still persist, please make note of it in this bug report.

(In reply to Andrew J. Schorr from comment #10)
>
> That should be "chmod 640 $ECDSA_KEY"

After the current update to openssh-6.1p1-11.fc18 there is indeed

    chmod 640 $ECDSA_KEY

in /usr/sbin/sshd-keygen and also

    chgrp ssh_keys $RSA1_KEY
    chgrp ssh_keys $RSA_KEY
    chgrp ssh_keys $DSA_KEY
    chgrp ssh_keys $ECDSA_KEY

but that does nothing to keys which happened to be installed earlier, automatically or otherwise, so one ends up in /etc/ssh/ with 'root root' ownership on all *key files with the exception of ssh_host_ecdsa_key, which has 'root ssh_keys', and '600' permissions on those. That despite the 'use correct permissions on ecdsa host key' changelog entry. If these are correct, should suitable adjustments not be performed by a package %postinst script?

As an extra attraction I just updated a laptop which so far did not have ssh_host_ecdsa_key and ssh_host_ecdsa_key.pub files. All *_key* files ended up with system_u:object_r:sshd_key_t:s0 selinux labels, with the notable exception of ssh_host_ecdsa_key.pub. That one was created with system_u:object_r:etc_t:s0 for a label. Is that really intended?

Another barrel of fun was provided by a remote machine running Fedora 18 which after an update became inaccessible from a CentOS 6.5 client. All attempts to connect were rejected with a "no hostkey alg" error. Curiously, other updated servers did NOT exhibit that behaviour with the same client, and luckily I had other means to get there. Recreation of the server's *_key* files eventually took care of that issue, but I could not figure out why it showed up in the first place. (In case somebody else bumps into this: it is enough to 'service sshd restart' on the server after removing the offending *_key* files.)

(In reply to Michal Jaegermann from comment #22)
> but that does nothing to keys which happened to be installed earlier,
> automatically or otherwise, so one ends up in /etc/ssh/ with 'root root'
> ownership on all *key files with an exception of ssh_host_ecdsa_key, which
> has 'root ssh_keys', and '600' permissions on those. That despite of 'use
> correct permissions on ecdsa host key' changelog entry. If these are
> correct should not be suitable adjustments performed by a package %postinst
> script?

We don't touch existing keys or configuration files during updates, it could break setups - an administrator could have changed the permissions intentionally himself.
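The three checks this thread converges on, collected into one audit script: which default host keys actually exist (what the "do not use absent host keys" patch makes sshd look at when no HostKey is set), whether a set of ConditionPathExists=| triggers would fire (why a unit that only watches the RSA and DSA keys never regenerates a missing ECDSA key), and whether each key pair has the 640 owner:ssh_keys / 644 layout sshd-keygen ended up with, which matters because Fedora's ssh-keysign runs setgid ssh_keys and needs group read on every private host key for host-based authentication. This is an added example, not Fedora's /usr/sbin/sshd-keygen or sshd-keygen.service; the directory, owner and group are parameters (the production values are /etc/ssh, root and ssh_keys) so it can be run read-only against a scratch directory.

```shell
#!/bin/sh
# Audit sshd host key files for the problems reported in bug 1023945.
# Added example, not Fedora's sshd-keygen: directory, owner and group are
# parameters so it can be pointed at a scratch directory; on a Fedora host
# the real values are /etc/ssh, root and ssh_keys.

# default_hostkeys DIR
# Mirror what the "do not use absent host keys" patch does: when sshd_config
# sets no HostKey, only emit the default key types that exist on disk, so
# sshd does not log "Could not load host key" for a type that was never made.
# The three types are the ones the thread lists (newer sshd versions add more).
default_hostkeys() {
    dir=$1
    for t in rsa dsa ecdsa; do
        [ -f "$dir/ssh_host_${t}_key" ] && echo "HostKey $dir/ssh_host_${t}_key"
    done
    return 0
}

# needs_keygen DIR TYPE...
# Same semantics as a group of "ConditionPathExists=|!path" lines in a unit:
# true (0) if ANY listed key is missing. Watching "rsa dsa" therefore never
# triggers generation of a missing ecdsa key; the unit must list ecdsa itself.
needs_keygen() {
    dir=$1; shift
    for t in "$@"; do
        [ -f "$dir/ssh_host_${t}_key" ] || return 0
    done
    return 1
}

# audit_host_keys DIR OWNER GROUP TYPE...
# Check each key pair against the layout sshd-keygen settled on after the
# fix: private key 0640 OWNER:GROUP, public key 0644. Existing keys are only
# reported, never changed, because package updates deliberately leave them
# alone. Prints one line per finding; the return value is the finding count.
audit_host_keys() {
    dir=$1; owner=$2; grp=$3; shift 3
    findings=0
    for t in "$@"; do
        priv="$dir/ssh_host_${t}_key"
        pub="$priv.pub"
        if [ ! -f "$priv" ]; then
            echo "MISSING $priv"
            findings=$((findings + 1))
            continue
        fi
        mode=$(stat -c %a "$priv")
        own=$(stat -c %U:%G "$priv")
        if [ "$mode" != 640 ] || [ "$own" != "$owner:$grp" ]; then
            echo "PERMS $priv is $mode $own, want 640 $owner:$grp"
            findings=$((findings + 1))
        fi
        if [ ! -f "$pub" ]; then
            echo "MISSING $pub"
            findings=$((findings + 1))
        elif [ "$(stat -c %a "$pub")" != 644 ]; then
            echo "PERMS $pub is $(stat -c %a "$pub"), want 644"
            findings=$((findings + 1))
        fi
    done
    [ "$findings" -gt 255 ] && findings=255
    return "$findings"
}

# Run as a script, e.g.:  sh audit_host_keys.sh /etc/ssh root ssh_keys rsa dsa ecdsa
if [ $# -ge 4 ]; then
    audit_host_keys "$@"
fi
```

Because the update does not touch keys that were already on disk, the leftover 'root root' / 600 files Michal describes survive the fix; running the audit after the update (and `ls -Z` for the sshd_key_t label question) is how to find them, and the exit status is non-zero exactly when something needs attention.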