Red Hat Bugzilla – Bug 1023945
openssh does not create host key ssh_host_ecdsa_key
Last modified: 2013-12-23 04:16:26 EST
As of openssh-6.3p1-4.fc20.x86_64, we have EC activated and creating user keys works. But the host wide key /etc/ssh/ssh_host_ecdsa_key hasn't been created.
I imagine that is enough to modify sshd-keygen.service to add this key
You need to generate ECC keys manually (see do_ecdsa_keygen() in /usr/sbin/sshd-keygen), or enable generating all keys in /etc/sysconfig/sshd:
# Configuration file for the sshd service.
# The server keys are automatically generated if they ommited
# to change the automatic creation uncomment the approprite
# line. The default is RSAONLY
Not that I'm lazy and don't want to create the keys by myself.
But the change to enable EC in openssh was not made by me. It was pulled in by a yum update. As a result I have hundreds of errors in my logs like this:
error: Could not load host key: /etc/ssh/ssh_host_ecdsa_key
This has to work out of the box. If sshd_config requires a key, it has to be created. Not doing it puts an unnecessary burden on the users.
So this is more about logging of unnecessary messages in the default configuration. By default, only RSA keys are created and no particular keys are set in sshd_config, so sshd tries to use all 3 types - dsa, rsa, ecdsa - regardless of their existence.
Created attachment 817072
do not use absent host keys for default HostKey value
This patch adds checks of host key existence if HostKey option is not set.
openssh-6.2p2-6.fc19 has been submitted as an update for Fedora 19.
openssh-6.2p2-6.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.
I have openssh-6.3p1-5.fc20.x86_64 and the problem persists
(In reply to Sergio Pascual from comment #7)
> I have openssh-6.3p1-5.fc20.x86_64 and the problem persists
That's because it doesn't include the patch. See for yourself by running:
rpm -q --changelog openssh
I just installed openssh-6.2p2-6.fc19.x86_64, and it looks like /etc/ssh/ssh_host_ecdsa_key is not created with the correct permissions:
bash-4.2$ ls -l /etc/ssh/*ecdsa*
-rw------- 1 root ssh_keys 227 Nov 30 10:53 /etc/ssh/ssh_host_ecdsa_key
-rw-r--r-- 1 root root 162 Nov 30 10:53 /etc/ssh/ssh_host_ecdsa_key.pub
The ssh_host_ecdsa_key file should have group read enabled. Without that, host-based authentication does not work properly, even if one is not using the ecdsa keys:
debug1: could not open key file '/etc/ssh/ssh_host_ecdsa_key': Permission denied
And the authentication fails.
Please fix the permissions.
bash-4.2$ grep chmod /usr/sbin/sshd-keygen
chmod 640 $RSA1_KEY
chmod 644 $RSA1_KEY.pub
chmod 640 $RSA_KEY
chmod 644 $RSA_KEY.pub
chmod 640 $DSA_KEY
chmod 644 $DSA_KEY.pub
chmod 600 $ECDSA_KEY
chmod 644 $ECDSA_KEY.pub
That should be "chmod 640 $ECDSA_KEY"
Do I need to open a new bug for this issue? I guess so, but the bugzilla does not seem to allow the creation of new Fedora bugs for the past day or so, as per bug #1039381
I'm about to build and push an update with fixed permissions, it's already in the dist git - http://pkgs.fedoraproject.org/cgit/openssh.git/commit/?h=f19&id=963137cbfb09a82a529faf53aa44bfd7e296da03
As for "debug1: could not open key file '/etc/ssh/ssh_host_ecdsa_key': Permission denied", the plan is to uncomment "HostKey /etc/ssh/ssh_host_rsa_key" line in the default sshd_config in F19 so that users with default configuration won't see this message any more. Users with changes in the config will have to merge their changes with /etc/ssh/sshd_config.rpmnew as it's usual when a config file changes.
For F20 and later, there will be AUTOCREATE_SERVER_KEYS=NODSA and sshd_config with
openssh-6.4p1-3.fc20 has been submitted as an update for Fedora 20.
openssh-6.2p2-7.fc19 has been submitted as an update for Fedora 19.
openssh-6.1p1-11.fc18 has been submitted as an update for Fedora 18.
* should fix your issue,
* was pushed to the Fedora 20 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing openssh-6.4p1-3.fc20'
as soon as you are able to.
Please go to the following url:
then log in and leave karma (feedback).
openssh-6.2p2-7.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.
openssh-6.4p1-3.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.
This update still won't cause the ECDSA key to be created if the RSA and DSA keys exist, as the sshd-keygen.service unit only runs if either /etc/ssh/ssh_host_rsa_key or /etc/ssh/ssh_host_dsa_key is missing.
As the default is to only generate RSA and ECDSA the unit file should probably be changed from:
openssh-6.1p1-11.fc18 has been pushed to the Fedora 18 stable repository. If problems still persist, please make note of it in this bug report.
(In reply to Andrew J. Schorr from comment #10)
> That should be "chmod 640 $ECDSA_KEY"
After the current update to openssh-6.1p1-11.fc18 there is indeed
chmod 640 $ECDSA_KEY
in /usr/sbin/sshd-keygen and also
chgrp ssh_keys $RSA1_KEY
chgrp ssh_keys $RSA_KEY
chgrp ssh_keys $DSA_KEY
chgrp ssh_keys $ECDSA_KEY
but that does nothing to keys which happened to be installed earlier, automatically or otherwise, so one ends up in /etc/ssh/ with 'root root' ownership on all *key files with the exception of ssh_host_ecdsa_key, which has 'root ssh_keys', and '600' permissions on those. That is despite the 'use correct permissions on ecdsa host key' changelog entry. If these are correct, should suitable adjustments not be performed by a package %postinst script?
As an extra attraction I just updated a laptop which so far did not have ssh_host_ecdsa_key and ssh_host_ecdsa_key.pub files. All *_key* files ended up with system_u:object_r:sshd_key_t:s0 selinux labels, with the notable exception of ssh_host_ecdsa_key.pub. The last one was created with system_u:object_r:etc_t:s0 as a label. Is that really intended?
Another barrel of fun was provided by a remote machine running Fedora 18 which, after an update, became inaccessible from a CentOS 6.5 client. All attempts to connect were rejected with a "no hostkey alg" error. Curiously, other updated servers did NOT exhibit that behaviour with the same client, and luckily I had other means to get there. Recreation of the server's *_key* files eventually took care of that issue, but I could not figure out why it showed up in the first place. (In case somebody else bumps into this: it is enough to 'service sshd restart' on the server after removal of the offending *_key* files.)
(In reply to Michal Jaegermann from comment #22)
> but that does nothing to keys which happened to be installed earlier,
> automatically or otherwise, so one ends up in /etc/ssh/ with 'root root'
> ownership on all *key files with an exception of ssh_host_ecdsa_key, which
> has 'root ssh_keys', and '600' permissions on those. That despite of 'use
> correct permissions on ecdsa host key' changelog entry. If these are
> correct should not be suitable adjustments performed by a package %postinst
We don't touch existing keys or configuration files during updates, it could break setups - an administrator could change the permissions intentionally himself.
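As an added example (not code from this bug, from Fedora's sshd-keygen, or from the attached patch): a small POSIX shell script that audits the host keys in a directory against the values the thread settles on (private keys mode 640 and group ssh_keys, public keys mode 644), repairs them, generates any missing key with ssh-keygen in the spirit of do_ecdsa_keygen(), and emits HostKey lines only for keys that actually exist, which is the idea behind the "do not use absent host keys" attachment. The key-type list, the directory argument, the function names and the ssh-keygen invocation are my own assumptions, and the group step is skipped when the ssh_keys group does not exist on the machine, so the script can be tried against a scratch directory as an unprivileged user.

```shell
#!/bin/sh
# Added example, not part of the bug report or of Fedora's sshd-keygen.
# Expected layout (assumption taken from the thread):
#   private key  ssh_host_<type>_key      mode 640, group ssh_keys
#   public key   ssh_host_<type>_key.pub  mode 644
set -u

KEY_TYPES="rsa dsa ecdsa"        # assumption: the three types discussed
KEY_GROUP="${KEY_GROUP:-ssh_keys}"

# Octal mode of a file, GNU stat first, then BSD stat.
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1" 2>/dev/null
}

# Group name of a file, GNU stat first, then BSD stat.
file_group() {
    stat -c '%G' "$1" 2>/dev/null || stat -f '%Sg' "$1" 2>/dev/null
}

# True if the key group exists on this system (chgrp would otherwise fail).
key_group_exists() {
    getent group "$KEY_GROUP" >/dev/null 2>&1
}

# audit_host_keys DIR: print one line per problem, return 0 if everything
# that exists has the expected mode (and group, when the group exists).
audit_host_keys() {
    dir=$1; rc=0
    for t in $KEY_TYPES; do
        priv="$dir/ssh_host_${t}_key"; pub="$priv.pub"
        [ -e "$priv" ] || continue
        m=$(file_mode "$priv")
        [ "$m" = "640" ] || { echo "audit: $priv mode $m, want 640"; rc=1; }
        if key_group_exists; then
            g=$(file_group "$priv")
            [ "$g" = "$KEY_GROUP" ] || { echo "audit: $priv group $g, want $KEY_GROUP"; rc=1; }
        fi
        if [ -e "$pub" ]; then
            m=$(file_mode "$pub")
            [ "$m" = "644" ] || { echo "audit: $pub mode $m, want 644"; rc=1; }
        fi
    done
    return $rc
}

# fix_host_key_perms DIR: apply the modes (and group) sshd-keygen should have
# used; unlike an RPM %post this is an explicit, administrator-run action.
fix_host_key_perms() {
    dir=$1
    for t in $KEY_TYPES; do
        priv="$dir/ssh_host_${t}_key"; pub="$priv.pub"
        [ -e "$priv" ] || continue
        chmod 640 "$priv"
        if key_group_exists; then
            chgrp "$KEY_GROUP" "$priv" 2>/dev/null || echo "fix: cannot chgrp $priv (not root?)"
        fi
        if [ -e "$pub" ]; then
            chmod 644 "$pub"
        fi
    done
    return 0
}

# generate_missing_keys DIR: create any absent key pair, the way the thread
# says sshd-keygen should, so sshd stops logging "Could not load host key".
# The ssh-keygen flags are an assumption, not copied from the Fedora script.
generate_missing_keys() {
    dir=$1
    command -v ssh-keygen >/dev/null 2>&1 || { echo "generate: ssh-keygen not found"; return 1; }
    for t in $KEY_TYPES; do
        priv="$dir/ssh_host_${t}_key"
        [ -e "$priv" ] && continue
        ssh-keygen -q -t "$t" -N '' -f "$priv" && echo "generate: created $priv"
    done
    fix_host_key_perms "$dir"
}

# default_hostkey_lines DIR: emit HostKey directives only for keys that
# exist, mirroring the attachment's check for an unset HostKey option.
default_hostkey_lines() {
    dir=$1
    for t in $KEY_TYPES; do
        k="$dir/ssh_host_${t}_key"
        if [ -e "$k" ]; then
            echo "HostKey $k"
        fi
    done
    return 0
}
```

Typical use on a real host would be `audit_host_keys /etc/ssh` before and after `fix_host_key_perms /etc/ssh`, run as root so the chgrp to ssh_keys succeeds; the audit deliberately reports rather than silently changes anything, which is the maintainer's point about not touching an administrator's existing keys during an update.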