[Bug 876910] Re: When starting open ssh server without host keys in /etc/ssh/, the keys are not automatically generated.
[Expired for openssh (Ubuntu) because there has been no activity for 60 days.]

** Changed in: openssh (Ubuntu)
   Status: Incomplete => Expired

--
You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to openssh in Ubuntu.
https://bugs.launchpad.net/bugs/876910

Title:
  When starting open ssh server without host keys in /etc/ssh/, the keys are not automatically generated.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/876910/+subscriptions

--
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 876910] Re: When starting open ssh server without host keys in /etc/ssh/, the keys are not automatically generated.
Hello Clint,

> No, upstart jobs are designed to be short and pointed ways to define how a daemon starts and stops. /etc/init.d is only for backward compatibility in an upstart system. The ssh init.d script was left the way it is because of chroot jails for sshd, but it is not necessary for normal operation.

OOO! *Light Bulb*! This makes sense. Thanks for setting me straight.

> Yeah, that's probably better. What was I thinking? ;)

Sometimes it's more fun to do things the hard way. :)

> Not sure why this isn't scalable... it's not that heavy of a command and it should be idempotent.

I can't automate it. If I can't automate it, can't scale it well. The problem is, for every new VM, to enable SSH this requires the SysOp to:
-- Log into the Host Machine,
-- Determine the VNC port
-- VNC to the VM,
-- Run the command.

With enough volume, these four steps could make for a full time job. It's not the command itself, but the work surrounding the command.

> I do think it's a bit odd that they are generated at install time rather than whenever they are missing,

I'm glad, I thought I was having a derp moment. Also, checking for these files at startup adds fault tolerance, would you agree?

> but either way, it's a well defined behavior and so can be worked with fairly easily by removing and regenerating the keys at first boot.
>
> An upstart job like this would probably work:
>
>     start on starting ssh
>     task
>     exec [ -f /etc/ssh/ssh_host_dsa_key ] || ssh-keygen -t dsa -b 4096 -f /etc/ssh/ssh_host_dsa_key -q

Is this supposed to be all on one line? Causes ssh to hang when calling:

    start ssh

Also, is there a variable that tells Ubuntu if it is first boot? This could potentially solve the problem since the .qcow2 will overwrite this variable.
Re: [Bug 876910] Re: When starting open ssh server without host keys in /etc/ssh/, the keys are not automatically generated.
Excerpts from Jon's message of Tue Oct 18 19:10:18 UTC 2011:

> Hello Clint,
>
> > No, upstart jobs are designed to be short and pointed ways to define how a daemon starts and stops. /etc/init.d is only for backward compatibility in an upstart system. The ssh init.d script was left the way it is because of chroot jails for sshd, but it is not necessary for normal operation.
>
> OOO! *Light Bulb*! This makes sense. Thanks for setting me straight.
>
> > Yeah, that's probably better. What was I thinking? ;)
>
> Sometimes it's more fun to do things the hard way. :)
>
> > Not sure why this isn't scalable... it's not that heavy of a command and it should be idempotent.
>
> I can't automate it. If I can't automate it, can't scale it well. The problem is, for every new VM, to enable SSH this requires the SysOp to:
> -- Log into the Host Machine,
> -- Determine the VNC port
> -- VNC to the VM,
> -- Run the command.
>
> With enough volume, these four steps could make for a full time job. It's not the command itself, but the work surrounding the command.

I think you mean you don't know how to automate it. :)

Several ideas:

* pre-boot, Mount each VM's filesystem, chroot into it and run dpkg-reconfigure openssh-server.
* Use cloud-init's 'nocloud' feature to seed this reconfigure in on first boot.

> > I do think it's a bit odd that they are generated at install time rather than whenever they are missing,
>
> I'm glad, I thought I was having a derp moment. Also, checking for these files at startup adds fault tolerance, would you agree?

I suppose that is one way to look at it. SSH is critical enough that I'd consider pushing for this behavior. Maybe there's a reason that the maintainers diverted from the standard behavior though.

> > but either way, it's a well defined behavior and so can be worked with fairly easily by removing and regenerating the keys at first boot.
> >
> > An upstart job like this would probably work:
> >
> >     start on starting ssh
> >     task
> >     exec [ -f /etc/ssh/ssh_host_dsa_key ] || ssh-keygen -t dsa -b 4096 -f /etc/ssh/ssh_host_dsa_key -q
>
> Is this supposed to be all on one line? Causes ssh to hang when calling:
>
>     start ssh

Maybe not, possibly try removing the exec and doing

    script
    ...
    end script

> Also, is there a variable that tells Ubuntu if it is first boot? This could potentially solve the problem since the .qcow2 will overwrite this variable.

cloud-init is useful for doing things on first boot in a structured, repeatable way.
[Bug 876910] Re: When starting open ssh server without host keys in /etc/ssh/, the keys are not automatically generated.
** Patch added: Added subroutine to check and create SSH Host keys if they are not present https://bugs.launchpad.net/bugs/876910/+attachment/269/+files/ssh_init_fix.patch ** Description changed: + System Information 1) lsb_release -rd Description:Ubuntu 11.10 Release:11.10 + SSH Version 2) apt-cache policy openssh-server openssh-server: - Installed: 1:5.8p1-7ubuntu1 - Candidate: 1:5.8p1-7ubuntu1 - Version table: - *** 1:5.8p1-7ubuntu1 0 - 500 http://us.archive.ubuntu.com/ubuntu/ oneiric/main amd64 Packages - 100 /var/lib/dpkg/status + Installed: 1:5.8p1-7ubuntu1 + Candidate: 1:5.8p1-7ubuntu1 + Version table: + *** 1:5.8p1-7ubuntu1 0 + 500 http://us.archive.ubuntu.com/ubuntu/ oneiric/main amd64 Packages + 100 /var/lib/dpkg/status - 3) SSH should automatically create host keys when it detest there are - host keys are not present in /etc/ssh + Expected Behavior: + 3) SSH should automatically create host keys when it detect the host keys are not present in /etc/ssh + Observed Behavior: 4) SSH did not generate host keys - 5) Created the attached patch to resolve the issue locally. Presented - as a solution to the problem. + Solution: + 5) Created the attached patch to resolve the issue locally. Presented as a solution to the problem. 
+ -- Check for existence of /etc/ssh/*_host_* + -- create host keys unless exists ProblemType: Bug DistroRelease: Ubuntu 11.10 Package: openssh-server 1:5.8p1-7ubuntu1 ProcVersionSignature: Ubuntu 3.0.0-12.20-server 3.0.4 Uname: Linux 3.0.0-12-server x86_64 ApportVersion: 1.23-0ubuntu3 Architecture: amd64 Date: Mon Oct 17 16:12:28 2011 InstallationMedia: Ubuntu-Server 11.10 Oneiric Ocelot - Release amd64 (20111011) ProcEnviron: - LANG=en_US.UTF-8 - SHELL=/bin/bash + LANG=en_US.UTF-8 + SHELL=/bin/bash SourcePackage: openssh UpgradeStatus: No upgrade log present (probably fresh install) mtime.conffile..etc.init.d.ssh: 2011-10-17T15:57:55.578332
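Review bot: the added Solution bullets ("+ -- Check for existence of /etc/ssh/*_host_*" and "+ -- create host keys unless exists") describe a glob test, which is satisfied as soon as any one host key file is present, so a partly missing key set would not be regenerated; suggest stating the check per key file rather than for the glob as a whole. The reworded expected-behaviour line also still reads "when it detect"; "detects" is meant.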
[Bug 876910] Re: When starting open ssh server without host keys in /etc/ssh/, the keys are not automatically generated.
Hi Jon,

sshd is no longer started and/or stopped with /etc/init.d/ssh unless you are running inside a chroot.

The host keys are typically generated in the postinstall script of openssh-server. You can find the copy that should be used for this at /var/lib/dpkg/info/openssh-server.postinst.

So if you don't have keys, it's likely that something went wrong during that process.

Try this to remedy the situation.

    sudo apt-get install openssh-server --reinstall

Marking Incomplete pending response.

** Changed in: openssh (Ubuntu)
   Status: New => Incomplete

** Changed in: openssh (Ubuntu)
   Importance: Undecided => High
[Bug 876910] Re: When starting open ssh server without host keys in /etc/ssh/, the keys are not automatically generated.
Hello Clint,

> sshd is no longer started and/or stopped with /etc/init.d/ssh unless you are running inside a chroot.

I'm new to upstart, so forgive my ignorance, but I thought upstart still used the init scripts to start and/or stop the jobs.

> The host keys are typically generated in the postinstall script of openssh-server.

I think this may be the issue.

> So if you don't have keys, it's likely that something went wrong during that process.

Well, I suppose this is true, but in this particular case, I intentionally remove them as a final step to prepare a base image for use with QEMU-KVM. It is a security concern to have multiple guest VMs all running with the same SSH key.

> Try this to remedy the situation.
>
>     sudo apt-get install openssh-server --reinstall

Two things,

1) Why not:

    dpkg-reconfigure openssh-server

As this seems to be a more direct route? Again, maybe I'm not seeing all of the pieces.

2) In the Development environment both of these solutions will work, however, this is not scalable and is not a viable solution in a production environment.

Thanks for your quick response. As is my experience with other non-upstart distros, SSH automatically creates these host keys if they don't exist, it is my strong personal belief that Ubuntu should not deviate from the norm for two reasons, first to remain consistent with 'Linux' (other distros), and second so I can present a viable solution to my management using an Ubuntu platform.

Please let me know if you think I'm way off here, I really do appreciate the assistance.
[Bug 876910] Re: When starting open ssh server without host keys in /etc/ssh/, the keys are not automatically generated.
** Patch removed: Added subroutine to check and create SSH Host keys if they are not present
https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/876910/+attachment/269/+files/ssh_init_fix.patch
[Bug 876910] Re: When starting open ssh server without host keys in /etc/ssh/, the keys are not automatically generated.
After further testing, determined that my patch did not actually resolve the issue. Seems to be an issue with triggering the following sub:

    check_rsa_keys () {
        # Checks for the existence of RSA keys and generates them if necessary
        RSA1_KEY=/etc/ssh/ssh_host_key
        RSA_KEY=/etc/ssh/ssh_host_rsa_key
        DSA_KEY=/etc/ssh/ssh_host_dsa_key
        # -s is true when the file exists and is not empty
        if [ ! -s "$RSA_KEY" ] || [ ! -s "$RSA1_KEY" ] || [ ! -s "$DSA_KEY" ]; then
            exec /usr/sbin/dpkg-reconfigure openssh-server
        fi
    }

Initially, I had added the above if/then statement to my /etc/init.d/ssh script towards the beginning (starting at line 13 to be exact) before I created the subroutine and the patch. Pardon my blonde moment.

That being said, -where- can we add a check for the existence of the host keys?
Re: [Bug 876910] Re: When starting open ssh server without host keys in /etc/ssh/, the keys are not automatically generated.
Excerpts from Jon's message of Mon Oct 17 23:27:30 UTC 2011:

> Hello Clint,
>
> > sshd is no longer started and/or stopped with /etc/init.d/ssh unless you are running inside a chroot.
>
> I'm new to upstart, so forgive my ignorance, but I thought upstart still used the init scripts to start and/or stop the jobs.

No, upstart jobs are designed to be short and pointed ways to define how a daemon starts and stops. /etc/init.d is only for backward compatibility in an upstart system. The ssh init.d script was left the way it is because of chroot jails for sshd, but it is not necessary for normal operation.

> > The host keys are typically generated in the postinstall script of openssh-server.
>
> I think this may be the issue.
>
> > So if you don't have keys, it's likely that something went wrong during that process.
>
> Well, I suppose this is true, but in this particular case, I intentionally remove them as a final step to prepare a base image for use with QEMU-KVM. It is a security concern to have multiple guest VMs all running with the same SSH key.
>
> > Try this to remedy the situation.
> >
> >     sudo apt-get install openssh-server --reinstall
>
> Two things,
>
> 1) Why not:
>
>     dpkg-reconfigure openssh-server
>
> As this seems to be a more direct route? Again, maybe I'm not seeing all of the pieces.

Yeah, that's probably better. What was I thinking? ;)

> 2) In the Development environment both of these solutions will work, however, this is not scalable and is not a viable solution in a production environment.

Not sure why this isn't scalable... it's not that heavy of a command and it should be idempotent.

> Thanks for your quick response. As is my experience with other non-upstart distros, SSH automatically creates these host keys if they don't exist, it is my strong personal belief that Ubuntu should not deviate from the norm for two reasons, first to remain consistent with 'Linux' (other distros), and second so I can present a viable solution to my management using an Ubuntu platform.
>
> Please let me know if you think I'm way off here, I really do appreciate the assistance.

I do think it's a bit odd that they are generated at install time rather than whenever they are missing, but either way, it's a well defined behavior and so can be worked with fairly easily by removing and regenerating the keys at first boot.

An upstart job like this would probably work:

    start on starting ssh
    task
    exec [ -f /etc/ssh/ssh_host_dsa_key ] || ssh-keygen -t dsa -b 4096 -f /etc/ssh/ssh_host_dsa_key -q
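A non-interactive form of the host-key check discussed in this thread (Jon's check_rsa_keys and the proposed upstart task), as an added example that is not part of any message or of the openssh package. KEYGEN, HOST_KEY_TYPES and ensure_host_keys are names assumed for this sketch, and the default key types are a current choice rather than the ones named in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): regenerate missing SSH host keys
# without any prompt, so the check can run from a boot-time job.
# Assumptions: KEYGEN, HOST_KEY_TYPES and ensure_host_keys are names made
# up for this sketch. Older OpenSSH releases do not know ed25519; set
# HOST_KEY_TYPES to the types the installed ssh-keygen supports.

KEYGEN="${KEYGEN:-ssh-keygen}"
HOST_KEY_TYPES="${HOST_KEY_TYPES:-rsa ecdsa ed25519}"

# ensure_host_keys DIR
# Creates DIR/ssh_host_<type>_key for every type whose private or public
# half is missing or empty. Prints the number of key pairs generated.
# Returns 2 if DIR does not exist, 1 if key generation fails.
ensure_host_keys() {
    dir="$1"
    generated=0
    [ -d "$dir" ] || return 2
    for ktype in $HOST_KEY_TYPES; do
        key="$dir/ssh_host_${ktype}_key"
        # -s is true only for an existing, non-empty file, so a zero-length
        # key left behind by image cleanup counts as missing.
        if [ -s "$key" ] && [ -s "$key.pub" ]; then
            continue
        fi
        # Remove leftovers first; ssh-keygen asks before overwriting.
        rm -f "$key" "$key.pub"
        # -N '' sets an empty passphrase so ssh-keygen never prompts, and
        # stdin is closed so nothing can block an unattended job.
        # No -b: each key type gets ssh-keygen's own default size.
        "$KEYGEN" -q -t "$ktype" -N '' -f "$key" </dev/null || return 1
        chmod 600 "$key" && chmod 644 "$key.pub" || return 1
        generated=$((generated + 1))
    done
    echo "$generated"
}

# Typical call from a first-boot or pre-start job:
#   ensure_host_keys /etc/ssh
```

Existing key pairs are left untouched, so a base image only needs its host keys deleted before capture for each clone to generate its own on first start.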