On Fri, May 10, 2019 at 07:21:24AM +0000, Andrei Morgan wrote:
> On Wed, May 08, 2019 at 06:17:03PM -0400, Daniel Kahn Gillmor wrote:
> > As a workaround, if you don't care about the existing RSA hostkey on
> > your server, you can just re-generate it with:
> >
> >     rm -f /etc/ssh/ssh_host_rsa_key /etc/ssh/ssh_host_rsa_key.pub
> >     ssh-keygen -t rsa -N '' -f /etc/ssh/ssh_host_rsa_key
>
> Thanks for the advice. Unfortunately, this does not work:
After discussion with someone else, I figured out how to fix this workaround:

    ssh-keygen -t rsa -N '' -f /etc/ssh/ssh_host_rsa_key -m PEM

This provides me with:

root@server:~# grep ^----- /etc/ssh/ssh_host_*_key
/etc/ssh/ssh_host_ecdsa_key:-----BEGIN OPENSSH PRIVATE KEY-----
/etc/ssh/ssh_host_ecdsa_key:-----END OPENSSH PRIVATE KEY-----
/etc/ssh/ssh_host_ed25519_key:-----BEGIN OPENSSH PRIVATE KEY-----
/etc/ssh/ssh_host_ed25519_key:-----END OPENSSH PRIVATE KEY-----
/etc/ssh/ssh_host_rsa_key:-----BEGIN RSA PRIVATE KEY-----
/etc/ssh/ssh_host_rsa_key:-----END RSA PRIVATE KEY-----
root@server:~#

And the `monkeysphere-host import-key` command also worked.

root@server:~# monkeysphere-host import-key /etc/ssh/ssh_host_rsa_key ssh://server.example.com
ms: host key imported:
pub   rsa2048 2019-05-10 [CA]
      2E66A858557528DDA4D8E1FCBB8427731FCCD81A
uid           [ unknown] ssh://server.example.com
OpenPGP fingerprint: 2E66A858557528DDA4D8E1FCBB8427731FCCD81A
ssh fingerprint: 2048 SHA256:qNes+pJ9gPZ+l6OS8ZJYc9xZhRdFV/10YaAslEwkXcU . (RSA)
root@server:~#

The only thing I don't know is whether this will have any future implications, but I guess that, as servers being upgraded from stretch to buster will retain the old-style (i.e. PEM) format, there shouldn't be any big problems.

Cheers,

--
Andrei

--
Andrei Morgan MRCPCH, MSc, PhD (Epidemiology / Neonatology)
https://www.andreimorgan.net/info/contact
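The workaround in the message above boils down to two things: checking which container format a private key file is in (the `grep ^-----` test), and producing an RSA host key in the traditional PEM format with `-m PEM`. The following script is an added example, not code from the thread or from the monkeysphere project. It wraps both steps in functions, adds the `ssh-keygen -p -m PEM` conversion that rewrites an existing key in place (so the host key, and therefore the fingerprint clients have pinned in known_hosts, does not change), and runs a demonstration in a temporary directory only when invoked with the `demo` argument. The file paths, the `demo` argument and the 2048-bit size are assumptions for the example; the `-m PEM` option on key generation needs OpenSSH 7.8 or later, which is also the release that switched the default to the new OpenSSH container.

```shell
#!/bin/sh
# Added example (not from the original thread or from monkeysphere): detect the
# on-disk format of an OpenSSH private key and produce an RSA host key in PEM
# format. Run it against a scratch directory: regenerating a real host key
# changes the fingerprint every client has pinned in known_hosts.

# key_format FILE: print "pem-rsa", "openssh" or "unknown" based on the armour
# header, which is exactly what the "grep ^-----" check in the thread inspects.
# Returns non-zero if the file cannot be read.
key_format() {
    first=$(head -n 1 "$1" 2>/dev/null) || return 1
    case "$first" in
        '-----BEGIN RSA PRIVATE KEY-----')     echo pem-rsa ;;
        '-----BEGIN OPENSSH PRIVATE KEY-----') echo openssh ;;
        *)                                     echo unknown ;;
    esac
}

# regen_rsa_hostkey_pem PATH: the thread's workaround (delete the old pair,
# generate a fresh passphrase-less RSA key) plus -m PEM, so the private key is
# written as "BEGIN RSA PRIVATE KEY" instead of the new OpenSSH container.
# Key size is an assumption for the example.
regen_rsa_hostkey_pem() {
    rm -f "$1" "$1.pub"
    ssh-keygen -q -t rsa -b 2048 -N '' -m PEM -f "$1"
}

# convert_to_pem PATH: alternative that keeps the existing key material and
# only rewrites the container. "ssh-keygen -p" re-saves the key, and -m PEM
# selects the output format. Assumes the key has no passphrase.
convert_to_pem() {
    ssh-keygen -q -p -P '' -N '' -m PEM -f "$1"
}

# demo: show the default format versus the -m PEM format on a throwaway key.
demo() {
    if ! command -v ssh-keygen >/dev/null 2>&1; then
        echo "ssh-keygen not found, skipping demo"
        return 0
    fi
    dir=$(mktemp -d) || return 1
    key="$dir/ssh_host_rsa_key"
    # OpenSSH >= 7.8 writes the new container by default...
    ssh-keygen -q -t rsa -b 2048 -N '' -f "$key"
    echo "default:     $(key_format "$key")"
    # ...convert it in place, keeping the key (and its fingerprint)...
    convert_to_pem "$key"
    echo "converted:   $(key_format "$key")"
    # ...or throw it away and regenerate in PEM as the thread does.
    regen_rsa_hostkey_pem "$key"
    echo "regenerated: $(key_format "$key")"
    ssh-keygen -l -f "$key.pub"
    rm -rf "$dir"
}

if [ "${1:-}" = demo ]; then
    demo
fi
```

Before pointing `monkeysphere-host import-key` at a host key, `key_format /etc/ssh/ssh_host_rsa_key` tells you whether it will be the PEM file the thread needed or the OpenSSH container that failed; `convert_to_pem` is the option to reach for when the existing host key must survive.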