SSH-keys from home-directory are not included during an update
Open, Normal, Public, BUG

Description

Turns out that SSH keys (public keys from approved servers) in the home directories are not included when VyOS is updated, according to a forum post over at:

https://forum.vyos.io/t/question-about-saving-ssh-keys/14339

A workaround would be to place the keys in /config/backupssh or such, make sure to give proper permissions to that directory and the files.

Then in /config/scripts/vyos-postconfig-bootup.script add commands to create a symlink from the current home directory to the physical files found in /config/backupssh.

This way next time the system is updated the keys will follow to the updated version and the vyos-postconfig-bootup.script will make sure the SSH-keys will get symlinked from the home directory.

The user didn't report from which to which version of VyOS this occurs, but states that:

It’s been a forever problem. I’ve been running rolling releases for the past six months, and it’s always had the same behavior with regard to SSH keys when upgrading.

Details

Difficulty level
Unknown (require assessment)
Version
1.5-rolling-202404250020
Why the issue appeared?
Will be filled on close
Is it a breaking change?
Unspecified (possibly destroys the router)
Issue type
Bug (incorrect behavior)
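
The workaround from the task description as a script fragment. This is an added example, not part of the original task or of VyOS itself; it assumes the default `vyos` user with home `/home/vyos` and the `/config/backupssh` directory named in the description, and `restore_ssh_keys` is a hypothetical helper name.

```shell
#!/bin/sh
# Added example: fragment for /config/scripts/vyos-postconfig-bootup.script.
# Assumed: login user "vyos" with home /home/vyos; restore_ssh_keys is a
# hypothetical helper name. /config/backupssh is the directory from the task.

restore_ssh_keys() {
    backup_dir=$1; home_dir=$2; owner=$3
    ssh_dir="$home_dir/.ssh"

    # The backup must be a real directory, not a symlink pointing elsewhere.
    if [ ! -d "$backup_dir" ] || [ -L "$backup_dir" ]; then
        echo "restore_ssh_keys: unusable backup dir: $backup_dir" >&2
        return 1
    fi

    # ssh refuses private keys that group/other can read, so tighten the
    # backup directory and ~/.ssh before linking anything.
    chmod 700 "$backup_dir" || return 1
    mkdir -p "$ssh_dir" || return 1
    chmod 700 "$ssh_dir" || return 1

    for src in "$backup_dir"/*; do
        # Link regular files only; skip subdirectories and planted symlinks.
        [ -f "$src" ] && [ ! -L "$src" ] || continue
        dst="$ssh_dir/$(basename "$src")"
        chmod 600 "$src" || return 1
        ln -sfn "$src" "$dst" || return 1
        # If run as root (assumed for the boot script), hand files and links
        # back to the login user.
        [ "$(id -u)" -ne 0 ] || chown -h "$owner" "$src" "$dst" || return 1
    done

    [ "$(id -u)" -ne 0 ] || chown "$owner" "$backup_dir" "$ssh_dir" || return 1
    return 0
}

# No-op on a system where the backup directory has not been created.
if [ -d /config/backupssh ]; then
    restore_ssh_keys /config/backupssh /home/vyos vyos
fi
```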

Event Timeline

Are we talking about authorized_keys or known_hosts?

This would be the keys themselves and known_hosts, stored in the non-root user folder. The prompt during upgrade seems to indicate it'll copy them over. However, whenever I upgrade, I have to manually perform ssh-keygen and ssh-copy-id again for my backup server to allow my config backup to work.

@Viacheslav can you create a root task maybe, and we consolidate related tasks under it?

It is not a bug but a feature request.
Only keys in /etc/ssh are copied. The keys in the home user directory were never copied.

I disagree, being that there's a command and associated config entry to back up the config to a remote ssh server. This config option requires key-based authentication. It would seem that the backup function puts this in-scope as a bug. Everyone who uses the remote configuration backup to an external ssh box is affected.

The bug means the feature is implemented but works with issues, but this functionality has never been implemented :)
I created a root task T6279, and several similar/related subtasks.

It seems like if there's an option to use remote backup in the config, yet the keys get erased every time it's upgraded, that would be a bug. However, I am new to dev on VyOS, so classify it as makes sense for the team and I'll hope it gets implemented at some point. 👍

dmbaturin triaged this task as Normal priority. Mon, Apr 29, 7:58 AM