Bug 1023945

Summary: openssh does not create host key ssh_host_ecdsa_key
Product: [Fedora] Fedora Reporter: Sergio Pascual <sergio.pasra>
Component: opensshAssignee: Petr Lautrbach <plautrba>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 20CC: aschorr, cristian.ciupitu, kenny, mattias.ellert, mgrepl, michal, plautrba, reklov, tmraz, tom
Target Milestone: ---Keywords: Reopened
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: openssh-6.1p1-11.fc18 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
: 1046025 (view as bug list) Environment:
Last Closed: 2013-12-13 05:05:28 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1019222, 1046025    
Attachments:
Description Flags
do not use absent host keys for default HostKey value none

Description Sergio Pascual 2013-10-28 12:11:17 UTC
As of openssh-6.3p1-4.fc20.x86_64, we have EC activated and creating user keys works. But the host wide key /etc/ssh/ssh_host_ecdsa_key hasn't been created. 

I imagine that is enough to modify sshd-keygen.service to add this key

Comment 1 Petr Lautrbach 2013-10-29 09:56:28 UTC
You need to generate ecc keys manually, see do_ecdsa_keygen() in /usr/sbin/sshd-keygen, or to enable generating all keys in /etc/sysconfig/sshd:

# Configuration file for the sshd service.

# The server keys are automatically generated if they ommited
# to change the automatic creation uncomment the approprite
# line. The default is RSAONLY
#
# AUTOCREATE_SERVER_KEYS=RSAONLY
# AUTOCREATE_SERVER_KEYS=NO
# AUTOCREATE_SERVER_KEYS=YES

Comment 2 Sergio Pascual 2013-10-29 10:21:15 UTC
I disagree.

Not that I'm lazy and don't want to create the keys by myself.
But the change to enable EC in openssh was no made by me. It was pulled by a yum update. As a result I have hundreds of error in my logs like this:

 error: Could not load host key: /etc/ssh/ssh_host_ecdsa_key

This has to work out of the box. If sshd_config requires a key if has to be created. Not doing it puts an innecesary burden on the users.

Comment 3 Petr Lautrbach 2013-10-29 12:28:13 UTC
So this more about logging of unnecessary messages in the default configuration. By default, only RSA keys are created and no particular keys are set in sshd_config so that sshd tries use all 3 types - dsa,rsa, ecdsa - regardless of their existence.

Comment 4 Petr Lautrbach 2013-10-29 12:29:50 UTC
Created attachment 817072 [details]
do not use absent host keys for default HostKey value

This patch adds checks of host key existence if HostKey option is not set.

Comment 5 Fedora Update System 2013-11-18 13:31:08 UTC
openssh-6.2p2-6.fc19 has been submitted as an update for Fedora 19.
https://admin.fedoraproject.org/updates/openssh-6.2p2-6.fc19

Comment 6 Fedora Update System 2013-11-19 05:27:45 UTC
openssh-6.2p2-6.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 7 Sergio Pascual 2013-11-21 15:59:26 UTC
I have openssh-6.3p1-5.fc20.x86_64 and the problem persists

Comment 8 Cristian Ciupitu 2013-11-26 11:53:37 UTC
(In reply to Sergio Pascual from comment #7)
> I have openssh-6.3p1-5.fc20.x86_64 and the problem persists

That's because it doesn't include the patch. See for yourself by running:

	rpm -q --changelog openssh

Comment 9 Andrew J. Schorr 2013-11-30 16:03:30 UTC
I just installed openssh-6.2p2-6.fc19.x86_64, and it looks like /etc/ssh/ssh_host_ecdsa_key is not created with the correct permissions:

bash-4.2$ ls -l /etc/ssh/*ecdsa*
-rw------- 1 root ssh_keys 227 Nov 30 10:53 /etc/ssh/ssh_host_ecdsa_key
-rw-r--r-- 1 root root     162 Nov 30 10:53 /etc/ssh/ssh_host_ecdsa_key.pub

The ssh_host_ecdsa_key file should have group read enabled.  Without that, host-based authentication does not work properly, even if one is not using the ecdsa keys:

debug1: could not open key file '/etc/ssh/ssh_host_ecdsa_key': Permission denied

And the authentication fails.

Please fix the permissions.

Thanks,
Andy

Comment 10 Andrew J. Schorr 2013-11-30 16:58:00 UTC
bash-4.2$ grep chmod /usr/sbin/sshd-keygen
                        chmod 640 $RSA1_KEY
                        chmod 644 $RSA1_KEY.pub
                        chmod 640 $RSA_KEY
                        chmod 644 $RSA_KEY.pub
                        chmod 640 $DSA_KEY
                        chmod 644 $DSA_KEY.pub
                        chmod 600 $ECDSA_KEY
                        chmod 644 $ECDSA_KEY.pub

That should be "chmod 640 $ECDSA_KEY"

Comment 11 Andrew J. Schorr 2013-12-10 14:02:58 UTC
Do I need to open a new bug for this issue?  I guess so, but the bugzilla does not seem to allow the creation of new Fedora bugs for the past day or so, as per bug #1039381

Comment 12 Petr Lautrbach 2013-12-11 09:20:33 UTC
I'm about to build and push an update with fixed permissions, it's already in the dist git - http://pkgs.fedoraproject.org/cgit/openssh.git/commit/?h=f19&id=963137cbfb09a82a529faf53aa44bfd7e296da03

Comment 13 Petr Lautrbach 2013-12-11 09:31:22 UTC
As for "debug1: could not open key file '/etc/ssh/ssh_host_ecdsa_key': Permission denied", the plan is to uncomment "HostKey /etc/ssh/ssh_host_rsa_key" line in the default sshd_config in F19 so that users with default configuration won't see this message any more. Users with changes in the config will have to merge their changes with /etc/ssh/sshd_config.rpmnew as it's usual when a config file changes.

For F20 and later, there will be AUTOCREATE_SERVER_KEYS=NODSA and sshd_config with
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key

Comment 14 Fedora Update System 2013-12-11 14:55:34 UTC
openssh-6.4p1-3.fc20 has been submitted as an update for Fedora 20.
https://admin.fedoraproject.org/updates/openssh-6.4p1-3.fc20

Comment 15 Fedora Update System 2013-12-11 14:58:07 UTC
openssh-6.2p2-7.fc19 has been submitted as an update for Fedora 19.
https://admin.fedoraproject.org/updates/openssh-6.2p2-7.fc19

Comment 16 Fedora Update System 2013-12-11 15:18:00 UTC
openssh-6.1p1-11.fc18 has been submitted as an update for Fedora 18.
https://admin.fedoraproject.org/updates/openssh-6.1p1-11.fc18

Comment 17 Fedora Update System 2013-12-11 16:44:18 UTC
Package openssh-6.4p1-3.fc20:
* should fix your issue,
* was pushed to the Fedora 20 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing openssh-6.4p1-3.fc20'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-23163/openssh-6.4p1-3.fc20
then log in and leave karma (feedback).

Comment 18 Fedora Update System 2013-12-13 05:05:28 UTC
openssh-6.2p2-7.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 19 Fedora Update System 2013-12-16 07:05:21 UTC
openssh-6.4p1-3.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 20 Tom Hughes 2013-12-16 18:26:47 UTC
This update still won't cause the ECDSA key to be created if the RSA and DSA keys exist, as the sshd-keygen.service unit only runs if either /etc/ssh/ssh_host_rsa_key or /etc/ssh/ssh_host_dsa_key is missing.

As the default is to only generate RSA and ECDSA the unit file should probably be changed from:

ConditionPathExists=|!/etc/ssh/ssh_host_rsa_key
ConditionPathExists=|!/etc/ssh/ssh_host_dsa_key

to:

ConditionPathExists=|!/etc/ssh/ssh_host_rsa_key
ConditionPathExists=|!/etc/ssh/ssh_host_ecdsa_key

Comment 21 Fedora Update System 2013-12-21 02:10:54 UTC
openssh-6.1p1-11.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 22 Michal Jaegermann 2013-12-21 18:11:11 UTC
(In reply to Andrew J. Schorr from comment #10)
> 
> That should be "chmod 640 $ECDSA_KEY"

After the current update to openssh-6.1p1-11.fc18 there is indeed

			chmod 640 $ECDSA_KEY

in /usr/sbin/sshd-keygen and also

			chgrp ssh_keys $RSA1_KEY
			chgrp ssh_keys $RSA_KEY
			chgrp ssh_keys $DSA_KEY
			chgrp ssh_keys $ECDSA_KEY

but that does nothing to keys which happened to be installed earlier, automatically or otherwise, so one ends up in /etc/ssh/ with 'root root' ownership on all *key files with an exception of ssh_host_ecdsa_key, which has 'root ssh_keys', and '600' permissions on those.  That despite of 'use correct permissions on ecdsa host key' changelog entry.  If these are correct should not be suitable adjustments performed by a package %postinst script?

Comment 23 Michal Jaegermann 2013-12-21 23:48:09 UTC
As an extra attraction I just updated a laptop which so far did not have ssh_host_ecdsa_key and ssh_host_ecdsa_key.pub files.  All *_key* files ended up with system_u:object_r:sshd_key_t:s0 selinux labels with a notable exception of ssh_host_ecdsa_key.pub.  The last one was created with system_u:object_r:etc_t:s0 for a lablel.  Is that really intended?

Another barrel of fun was provided by a remote machine running Fedora 18 which after an update become inaccessible from a CentOS 6.5 client.  All attempts to connect were rejected with "no hostkey alg" error.  Curiously other updated servers did NOT exhibit that behaviour with the same client and luckily I had other means to get there.  Recreation of a server *_key* files eventually took care of that issue but I could not figure out why it showed up in the first place. (In case somebody else will bump into this: it is enough to 'service sshd restart' on a server after a removal of offending *_key* files.)

Comment 24 Petr Lautrbach 2013-12-23 09:12:51 UTC
(In reply to Michal Jaegermann from comment #22)
> but that does nothing to keys which happened to be installed earlier,
> automatically or otherwise, so one ends up in /etc/ssh/ with 'root root'
> ownership on all *key files with an exception of ssh_host_ecdsa_key, which
> has 'root ssh_keys', and '600' permissions on those.  That despite of 'use
> correct permissions on ecdsa host key' changelog entry.  If these are
> correct should not be suitable adjustments performed by a package %postinst
> script?

We don't touch existing keys or configuration files during updates, it could break setups - an administrator could change the permissions intentionally himself.