Bug 1023945 - openssh does not create host key ssh_host_ecdsa_key
openssh does not create host key ssh_host_ecdsa_key
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: openssh (Show other bugs)
20
Unspecified Unspecified
unspecified Severity unspecified
: ---
: ---
Assigned To: Petr Lautrbach
Fedora Extras Quality Assurance
: Reopened
Depends On:
Blocks: 1019222 1046025
  Show dependency treegraph
 
Reported: 2013-10-28 08:11 EDT by Sergio Pascual
Modified: 2013-12-23 04:16 EST (History)
10 users (show)

See Also:
Fixed In Version: openssh-6.1p1-11.fc18
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
: 1046025 (view as bug list)
Environment:
Last Closed: 2013-12-13 00:05:28 EST
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
do not use absent host keys for default HostKey value (1.05 KB, patch)
2013-10-29 08:29 EDT, Petr Lautrbach
no flags Details | Diff


External Trackers
Tracker ID Priority Status Summary Last Updated
OpenSSH Project 2166 None None None Never

  None (edit)
Description Sergio Pascual 2013-10-28 08:11:17 EDT
As of openssh-6.3p1-4.fc20.x86_64, we have EC activated and creating user keys works. But the host wide key /etc/ssh/ssh_host_ecdsa_key hasn't been created. 

I imagine that is enough to modify sshd-keygen.service to add this key
Comment 1 Petr Lautrbach 2013-10-29 05:56:28 EDT
You need to generate ecc keys manually, see do_ecdsa_keygen() in /usr/sbin/sshd-keygen, or to enable generating all keys in /etc/sysconfig/sshd:

# Configuration file for the sshd service.

# The server keys are automatically generated if they ommited
# to change the automatic creation uncomment the approprite
# line. The default is RSAONLY
#
# AUTOCREATE_SERVER_KEYS=RSAONLY
# AUTOCREATE_SERVER_KEYS=NO
# AUTOCREATE_SERVER_KEYS=YES
Comment 2 Sergio Pascual 2013-10-29 06:21:15 EDT
I disagree.

Not that I'm lazy and don't want to create the keys by myself.
But the change to enable EC in openssh was no made by me. It was pulled by a yum update. As a result I have hundreds of error in my logs like this:

 error: Could not load host key: /etc/ssh/ssh_host_ecdsa_key

This has to work out of the box. If sshd_config requires a key if has to be created. Not doing it puts an innecesary burden on the users.
Comment 3 Petr Lautrbach 2013-10-29 08:28:13 EDT
So this more about logging of unnecessary messages in the default configuration. By default, only RSA keys are created and no particular keys are set in sshd_config so that sshd tries use all 3 types - dsa,rsa, ecdsa - regardless of their existence.
Comment 4 Petr Lautrbach 2013-10-29 08:29:50 EDT
Created attachment 817072 [details]
do not use absent host keys for default HostKey value

This patch adds checks of host key existence if HostKey option is not set.
Comment 5 Fedora Update System 2013-11-18 08:31:08 EST
openssh-6.2p2-6.fc19 has been submitted as an update for Fedora 19.
https://admin.fedoraproject.org/updates/openssh-6.2p2-6.fc19
Comment 6 Fedora Update System 2013-11-19 00:27:45 EST
openssh-6.2p2-6.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 7 Sergio Pascual 2013-11-21 10:59:26 EST
I have openssh-6.3p1-5.fc20.x86_64 and the problem persists
Comment 8 Cristian Ciupitu 2013-11-26 06:53:37 EST
(In reply to Sergio Pascual from comment #7)
> I have openssh-6.3p1-5.fc20.x86_64 and the problem persists

That's because it doesn't include the patch. See for yourself by running:

	rpm -q --changelog openssh
Comment 9 Andrew J. Schorr 2013-11-30 11:03:30 EST
I just installed openssh-6.2p2-6.fc19.x86_64, and it looks like /etc/ssh/ssh_host_ecdsa_key is not created with the correct permissions:

bash-4.2$ ls -l /etc/ssh/*ecdsa*
-rw------- 1 root ssh_keys 227 Nov 30 10:53 /etc/ssh/ssh_host_ecdsa_key
-rw-r--r-- 1 root root     162 Nov 30 10:53 /etc/ssh/ssh_host_ecdsa_key.pub

The ssh_host_ecdsa_key file should have group read enabled.  Without that, host-based authentication does not work properly, even if one is not using the ecdsa keys:

debug1: could not open key file '/etc/ssh/ssh_host_ecdsa_key': Permission denied

And the authentication fails.

Please fix the permissions.

Thanks,
Andy
Comment 10 Andrew J. Schorr 2013-11-30 11:58:00 EST
bash-4.2$ grep chmod /usr/sbin/sshd-keygen
                        chmod 640 $RSA1_KEY
                        chmod 644 $RSA1_KEY.pub
                        chmod 640 $RSA_KEY
                        chmod 644 $RSA_KEY.pub
                        chmod 640 $DSA_KEY
                        chmod 644 $DSA_KEY.pub
                        chmod 600 $ECDSA_KEY
                        chmod 644 $ECDSA_KEY.pub

That should be "chmod 640 $ECDSA_KEY"
Comment 11 Andrew J. Schorr 2013-12-10 09:02:58 EST
Do I need to open a new bug for this issue?  I guess so, but the bugzilla does not seem to allow the creation of new Fedora bugs for the past day or so, as per bug #1039381
Comment 12 Petr Lautrbach 2013-12-11 04:20:33 EST
I'm about to build and push an update with fixed permissions, it's already in the dist git - http://pkgs.fedoraproject.org/cgit/openssh.git/commit/?h=f19&id=963137cbfb09a82a529faf53aa44bfd7e296da03
Comment 13 Petr Lautrbach 2013-12-11 04:31:22 EST
As for "debug1: could not open key file '/etc/ssh/ssh_host_ecdsa_key': Permission denied", the plan is to uncomment "HostKey /etc/ssh/ssh_host_rsa_key" line in the default sshd_config in F19 so that users with default configuration won't see this message any more. Users with changes in the config will have to merge their changes with /etc/ssh/sshd_config.rpmnew as it's usual when a config file changes.

For F20 and later, there will be AUTOCREATE_SERVER_KEYS=NODSA and sshd_config with
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
Comment 14 Fedora Update System 2013-12-11 09:55:34 EST
openssh-6.4p1-3.fc20 has been submitted as an update for Fedora 20.
https://admin.fedoraproject.org/updates/openssh-6.4p1-3.fc20
Comment 15 Fedora Update System 2013-12-11 09:58:07 EST
openssh-6.2p2-7.fc19 has been submitted as an update for Fedora 19.
https://admin.fedoraproject.org/updates/openssh-6.2p2-7.fc19
Comment 16 Fedora Update System 2013-12-11 10:18:00 EST
openssh-6.1p1-11.fc18 has been submitted as an update for Fedora 18.
https://admin.fedoraproject.org/updates/openssh-6.1p1-11.fc18
Comment 17 Fedora Update System 2013-12-11 11:44:18 EST
Package openssh-6.4p1-3.fc20:
* should fix your issue,
* was pushed to the Fedora 20 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing openssh-6.4p1-3.fc20'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-23163/openssh-6.4p1-3.fc20
then log in and leave karma (feedback).
Comment 18 Fedora Update System 2013-12-13 00:05:28 EST
openssh-6.2p2-7.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 19 Fedora Update System 2013-12-16 02:05:21 EST
openssh-6.4p1-3.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 20 Tom Hughes 2013-12-16 13:26:47 EST
This update still won't cause the ECDSA key to be created if the RSA and DSA keys exist, as the sshd-keygen.service unit only runs if either /etc/ssh/ssh_host_rsa_key or /etc/ssh/ssh_host_dsa_key is missing.

As the default is to only generate RSA and ECDSA the unit file should probably be changed from:

ConditionPathExists=|!/etc/ssh/ssh_host_rsa_key
ConditionPathExists=|!/etc/ssh/ssh_host_dsa_key

to:

ConditionPathExists=|!/etc/ssh/ssh_host_rsa_key
ConditionPathExists=|!/etc/ssh/ssh_host_ecdsa_key
Comment 21 Fedora Update System 2013-12-20 21:10:54 EST
openssh-6.1p1-11.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 22 Michal Jaegermann 2013-12-21 13:11:11 EST
(In reply to Andrew J. Schorr from comment #10)
> 
> That should be "chmod 640 $ECDSA_KEY"

After the current update to openssh-6.1p1-11.fc18 there is indeed

			chmod 640 $ECDSA_KEY

in /usr/sbin/sshd-keygen and also

			chgrp ssh_keys $RSA1_KEY
			chgrp ssh_keys $RSA_KEY
			chgrp ssh_keys $DSA_KEY
			chgrp ssh_keys $ECDSA_KEY

but that does nothing to keys which happened to be installed earlier, automatically or otherwise, so one ends up in /etc/ssh/ with 'root root' ownership on all *key files with an exception of ssh_host_ecdsa_key, which has 'root ssh_keys', and '600' permissions on those.  That despite of 'use correct permissions on ecdsa host key' changelog entry.  If these are correct should not be suitable adjustments performed by a package %postinst script?
Comment 23 Michal Jaegermann 2013-12-21 18:48:09 EST
As an extra attraction I just updated a laptop which so far did not have ssh_host_ecdsa_key and ssh_host_ecdsa_key.pub files.  All *_key* files ended up with system_u:object_r:sshd_key_t:s0 selinux labels with a notable exception of ssh_host_ecdsa_key.pub.  The last one was created with system_u:object_r:etc_t:s0 for a lablel.  Is that really intended?

Another barrel of fun was provided by a remote machine running Fedora 18 which after an update become inaccessible from a CentOS 6.5 client.  All attempts to connect were rejected with "no hostkey alg" error.  Curiously other updated servers did NOT exhibit that behaviour with the same client and luckily I had other means to get there.  Recreation of a server *_key* files eventually took care of that issue but I could not figure out why it showed up in the first place. (In case somebody else will bump into this: it is enough to 'service sshd restart' on a server after a removal of offending *_key* files.)
Comment 24 Petr Lautrbach 2013-12-23 04:12:51 EST
(In reply to Michal Jaegermann from comment #22)
> but that does nothing to keys which happened to be installed earlier,
> automatically or otherwise, so one ends up in /etc/ssh/ with 'root root'
> ownership on all *key files with an exception of ssh_host_ecdsa_key, which
> has 'root ssh_keys', and '600' permissions on those.  That despite of 'use
> correct permissions on ecdsa host key' changelog entry.  If these are
> correct should not be suitable adjustments performed by a package %postinst
> script?

We don't touch existing keys or configuration files during updates, it could break setups - an administrator could change the permissions intentionally himself.

Note You need to log in before you can comment on or make changes to this bug.