sshd.service contains:

ExecStartPre=/usr/bin/ssh-keygen -A

ssh-keygen -A fails on a default stage3 with:

ssh-keygen: generating new host keys: ECDSA unknown key type (null)

As a result, the service will not start. This is related to bug 390937. I'm not sure if there is a pretty solution for this since we ship this as part of the stage3. At the very least a more useful error message would be helpful.
Rich: Does it generate the RSA and DSA keys, or does it die immediately without generating anything? If the former, we could just make it nonfatal as a workaround.
Also, I don't think this problem is limited to systemd; the latest version of the openssh init script also calls ssh-keygen -A.
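The nonfatal workaround suggested above, written out as an added example (this is not Gentoo's init script, the sshd.service unit, or OpenSSH code): generate host keys one type at a time so that a key type the local libcrypto cannot handle, such as ECDSA on a bindist build, is reported and skipped instead of aborting the run. It assumes ssh-keygen is on PATH and that the caller passes the target directory and the list of key types; the function succeeds if at least one host key exists afterwards, since sshd cannot start with none at all.

```shell
#!/bin/sh
# gen_host_keys DIR TYPE... : tolerant replacement for `ssh-keygen -A`.
# Added example; not part of the original bug thread or of any project's code.
# Assumes ssh-keygen is on PATH. Existing keys are kept, unsupported types are
# reported on stderr and skipped, and the function fails only when no host key
# of any requested type exists when it is done.
gen_host_keys() {
    dir=$1
    shift
    made=0
    for t in "$@"; do
        f="$dir/ssh_host_${t}_key"
        if [ -f "$f" ]; then
            echo "$f already exists, keeping it"
            made=$((made + 1))
            continue
        fi
        # -q: quiet, -N '': empty passphrase (a host key must be usable unattended).
        # stdin from /dev/null so ssh-keygen can never block on a prompt.
        if ssh-keygen -q -t "$t" -N '' -f "$f" </dev/null; then
            echo "generated $f"
            made=$((made + 1))
        else
            echo "warning: could not generate a $t host key (unsupported by this build?), continuing" >&2
        fi
    done
    if [ "$made" -eq 0 ]; then
        echo "error: no host keys available in $dir, sshd cannot start" >&2
        return 1
    fi
    return 0
}

# Usage (constructed, matches the key types a 5.9-era init script would ask for):
#   gen_host_keys /etc/ssh rsa dsa ecdsa
```

On a systemd system the same effect for the unit itself is obtained by prefixing the command with `-`, i.e. `ExecStartPre=-/usr/bin/ssh-keygen -A`, which makes systemd ignore that command's exit status; that only helps if ssh-keygen -A had already written the other key types before hitting the failing one, which is exactly the question raised above.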
I guess the ideal solution would be to modify ssh-keygen to disable ECDSA when it is disabled in openssl.
This is already fixed in recent openssh versions.

http://anoncvs.mindrot.org/index.cgi/openssh/ssh-keygen.c?revision=1.231&view=markup
http://anoncvs.mindrot.org/index.cgi/openssh/ssh-keygen.c?r1=1.230&r2=1.231
Created attachment 364164 [details, diff]
Disable ecdsa when openssl does not support it

Can we apply this in openssh-5.9?
I don't see the point of fixing 5.9 if it's already fixed in 6.4.
Any plans to stabilize it soon? Otherwise, stable net-misc/openssh[bindist] will fail to start with the current sshd.service file in systemd.
(In reply to Mike Gilbert from comment #7) There's already an open bug. Even if there wasn't, any change added for 5.9 wouldn't go straight to stable, which means you'd continue to see failures for a while.
I guess floppym's comment was focusing on how long the stabilization of the newer version would take, because it seems to be a bit stalled, and then maybe a revision for 5.9 could be done faster. But if that is no longer the case, no problem of course :)
Nah, I just forgot to search for an open stablereq bug. My intent was actually to apply the patch without a revbump since it is very limited in scope and affects only a limited number of users; it would get picked up in the next stage build anyway. I'm fine with waiting for the new version to be stabilized.