Bug 1111568

Summary: AUTOCREATE_SERVER_KEYS=RSAONLY is not supported by init script
Product: Red Hat Enterprise Linux 6
Reporter: Patrik Kis <pkis>
Component: openssh
Assignee: Petr Lautrbach <plautrba>
Status: CLOSED ERRATA
QA Contact: Patrik Kis <pkis>
Severity: high
Priority: medium
Version: 6.5
CC: pvrabec
Target Milestone: rc
Hardware: Unspecified
OS: Unspecified
Fixed In Version: openssh-5.3p1-98.el6
Doc Type: Bug Fix
Last Closed: 2014-10-14 07:40:00 UTC
Type: Bug

Description Patrik Kis 2014-06-20 11:45:35 UTC
Description of problem:
openssh configuration file /etc/sysconfig/sshd says that it supports the f

# AUTOCREATE_SERVER_KEYS=RSAONLY
# AUTOCREATE_SERVER_KEYS=NO
AUTOCREATE_SERVER_KEYS=YES

But the init script /etc/init.d/sshd seems to support only the YES and NO options, i.e. create all keys or none.

Please note that this may cause trouble in FIPS mode, where DSA should be disallowed.

Version-Release number of selected component (if applicable):
openssh-5.3p1-94.el6

How reproducible:
always

Steps to Reproduce:
# rm -f /etc/ssh/*key
# grep ^AUTOCREATE_SERVER_KEYS /etc/sysconfig/sshd
AUTOCREATE_SERVER_KEYS=YES
# service sshd restart
Stopping sshd:                                             [  OK  ]
Generating SSH1 RSA host key:                              [  OK  ]
Generating SSH2 RSA host key:                              [  OK  ]
Generating SSH2 DSA host key:                              [  OK  ]
Starting sshd:                                             [  OK  ]
# ll /etc/ssh/*key
-rw-------. 1 root root  668 Jun 20 13:42 /etc/ssh/ssh_host_dsa_key
-rw-------. 1 root root  963 Jun 20 13:42 /etc/ssh/ssh_host_key
-rw-------. 1 root root 1675 Jun 20 13:42 /etc/ssh/ssh_host_rsa_key
#
#
#
# rm -f /etc/ssh/*key
# vim /etc/sysconfig/sshd 
# grep ^AUTOCREATE_SERVER_KEYS /etc/sysconfig/sshd
AUTOCREATE_SERVER_KEYS=RSAONLY
# service sshd restart
Stopping sshd:                                             [  OK  ]
Generating SSH1 RSA host key:                              [  OK  ]
Generating SSH2 RSA host key:                              [  OK  ]
Generating SSH2 DSA host key:                              [  OK  ]
Starting sshd:                                             [  OK  ]
# ll /etc/ssh/*key
-rw-------. 1 root root  668 Jun 20 13:42 /etc/ssh/ssh_host_dsa_key
-rw-------. 1 root root  963 Jun 20 13:42 /etc/ssh/ssh_host_key
-rw-------. 1 root root 1675 Jun 20 13:42 /etc/ssh/ssh_host_rsa_key

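The following is an added example, not the RHEL init script or the errata fix itself. It models the key-creation decision /etc/init.d/sshd has to make from AUTOCREATE_SERVER_KEYS and adds a post-restart check for host key files that should not exist. It assumes RSAONLY means "SSH2 RSA only" (no SSH1 RSA, no DSA), which is what a FIPS deployment that must not use DSA needs; the function names are hypothetical.

```shell
#!/bin/sh
# Added example (assumed mapping of RSAONLY, not the shipped init script).

# File names the init script uses for the three host key types.
key_file_for_type() {
    case "$1" in
        rsa1) echo ssh_host_key ;;      # SSH1 RSA
        rsa)  echo ssh_host_rsa_key ;;  # SSH2 RSA
        dsa)  echo ssh_host_dsa_key ;;  # SSH2 DSA
        *)    return 1 ;;
    esac
}

# Key types to create for a setting value, one per line.
# The buggy script treated every value other than NO as YES.
host_keys_for_setting() {
    case "$1" in
        YES|"") printf '%s\n' rsa1 rsa dsa ;;
        RSAONLY) printf '%s\n' rsa ;;
        NO) ;;
        *) echo "unknown AUTOCREATE_SERVER_KEYS value: $1" >&2; return 1 ;;
    esac
}

# Create missing keys in $1 for setting $2, init-script style (needs ssh-keygen).
create_host_keys() {
    dir=$1
    for t in $(host_keys_for_setting "$2"); do
        f="$dir/$(key_file_for_type "$t")"
        [ -s "$f" ] && continue          # never overwrite an existing key
        ssh-keygen -q -t "$t" -f "$f" -C '' -N ''
    done
}

# Post-restart check: print host key files in $1 that setting $2 should not
# have created (e.g. ssh_host_dsa_key after RSAONLY). Exit 0 when clean.
unexpected_host_keys() {
    dir=$1; rc=0
    wanted=$(host_keys_for_setting "$2") || return 2
    for t in rsa1 rsa dsa; do
        f="$dir/$(key_file_for_type "$t")"
        [ -e "$f" ] || continue
        if ! printf '%s\n' "$wanted" | grep -qx "$t"; then
            echo "$f"; rc=1
        fi
    done
    return $rc
}
```

Running `unexpected_host_keys /etc/ssh RSAONLY` after the restart in the reproduction steps above would list the SSH1 and DSA key files the buggy script created.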
Comment 1 Petr Lautrbach 2014-06-20 11:47:57 UTC
A fix is quite simple and can be simply added to the update.

Comment 4 errata-xmlrpc 2014-10-14 07:40:00 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2014-1552.html