
error: Could not load host key: /etc/ssh/ssh_host_ed25519_key
Closed, Resolved (Public)

Description

After upgrading from VyOS 1.1.7 to 999.201609070235 (nightly build from the current/lithium branch) via 'add system image', the logs collect lots of messages about the missing ED25519 host key. That's likely because I chose to retain my old host keys from the 1.1.7 image, which I suppose didn't have such a key. Indeed, I don't have that key:

$ ls /etc/ssh
moduli       ssh_host_dsa_key      ssh_host_ecdsa_key.pub  ssh_host_rsa_key
ssh_config   ssh_host_dsa_key.pub  ssh_host_key            ssh_host_rsa_key.pub
sshd_config  ssh_host_ecdsa_key    ssh_host_key.pub

And /etc/ssh/sshd_config does refer to it:

$ grep HostKey /etc/ssh/sshd_config
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
# HostKey for protocol version 1
HostKey /etc/ssh/ssh_host_key

Perhaps the upgrade script should generate any missing host keys by issuing:

ssh-keygen -A

even when the user chose to copy over the old host keys. This might have side-effects, of course: clients that support the new host key types might see a new host key, which was what copying the old host keys was intended to avoid. But I had no warnings or other difficulty connecting from a client running OpenSSH_6.6.1p1 after creating the missing ED25519 key.
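The check the report performs by hand (compare the HostKey lines in sshd_config against the files on disk, then generate what is absent) as a small POSIX sh script. This is an added example, not code from the report or from the VyOS project; it assumes a readable sshd_config (default path /etc/ssh/sshd_config, as on the page), awk, and OpenSSH's ssh-keygen. Unlike `ssh-keygen -A`, which always writes the default key set under /etc/ssh, it generates each missing key at the exact path sshd_config names, inferring the type from the ssh_host_TYPE_key naming convention; the function names are my own.

```shell
#!/bin/sh
# Added example: find HostKey paths named in sshd_config that are missing
# on disk, record fingerprints of the keys that exist, and create only the
# absent keys. Assumes POSIX sh, awk and OpenSSH ssh-keygen.

# Print the HostKey paths configured in $1 (default /etc/ssh/sshd_config).
# Comment lines such as "# HostKeys for protocol version 2" start with "#"
# as their first field, so they are skipped.
list_host_keys() {
    conf="${1:-/etc/ssh/sshd_config}"
    awk '$1 == "HostKey" { print $2 }' "$conf"
}

# Print configured HostKey paths that do not exist as files.
# Returns 0 when every key exists, 1 when at least one is missing.
missing_host_keys() {
    conf="${1:-/etc/ssh/sshd_config}"
    rc=0
    for key in $(list_host_keys "$conf"); do
        if [ ! -f "$key" ]; then
            echo "$key"
            rc=1
        fi
    done
    return $rc
}

# Derive the key type ssh-keygen expects from a path such as
# /etc/ssh/ssh_host_ed25519_key -> "ed25519". The protocol-1 file
# ssh_host_key carries no type, so an empty string is returned for it.
key_type_from_path() {
    base=$(basename "$1")
    case "$base" in
        ssh_host_*_key)
            t="${base#ssh_host_}"
            echo "${t%_key}"
            ;;
        *)
            echo ""
            ;;
    esac
}

# Print fingerprints of the host keys that do exist, so the values clients
# already trust can be compared after any regeneration.
fingerprint_host_keys() {
    conf="${1:-/etc/ssh/sshd_config}"
    for key in $(list_host_keys "$conf"); do
        if [ -f "$key.pub" ]; then
            ssh-keygen -lf "$key.pub"
        fi
    done
}

# Create only the keys that are absent; existing files are never touched.
# sshd reads host keys at start, so restart it afterwards.
generate_missing_host_keys() {
    conf="${1:-/etc/ssh/sshd_config}"
    missing_host_keys "$conf" | while read -r key; do
        type=$(key_type_from_path "$key")
        if [ -n "$type" ]; then
            ssh-keygen -q -t "$type" -N '' -f "$key"
        else
            echo "skip $key: cannot infer key type from file name" >&2
        fi
    done
}

# Usage: ./hostkeys.sh check [sshd_config]   or   ./hostkeys.sh fix [sshd_config]
case "${1:-}" in
    check)
        fingerprint_host_keys "$2"
        missing_host_keys "$2" || echo "one or more configured host keys are missing" >&2
        ;;
    fix)
        generate_missing_host_keys "$2"
        ;;
esac
```

Running `check` before `fix` and again afterwards shows exactly which key types a client will newly be offered; that is the side-effect the report mentions, and the recorded fingerprints are what an operator publishes or compares when a client reports an unknown key of a type it had not seen before.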

Details

Difficulty level
Easy (less than an hour)

Event Timeline

Ooh. I see that the script that copies over the ssh keys is vyatta-cfg-system/scripts/install/install-image-existing, but it's run on the old system (the one you're upgrading from). So putting the fix in there would require upgrading the old OS first.

Ssh's startup script by default only creates new host keys when there are none at all, I suspect. So it's not obvious where the least intrusive place to add 'ssh-keygen -A' on system startup would be.

Most likely postinst, but I can't find that file in the git repos.

syncer triaged this task as High priority.
syncer added subscribers: VyOS 1.1.x, VyOS 2.0.x.