Bug 488814 - net-misc/openssh with dev-libs/openssl[bindist] on systemd - Does not start due to "ssh-keygen: generating new host keys: ECDSA unknown key type (null)"
Summary: net-misc/openssh with dev-libs/openssl[bindist] on systemd - Does not start d...
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages (show other bugs)
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo's Team for Core System packages
URL:
Whiteboard:
Keywords:
Depends on: 477894
Blocks:
Reported: 2013-10-20 23:09 UTC by Richard Freeman
Modified: 2013-12-09 09:35 UTC (History)

See Also:
Package list:
Runtime testing required: ---


Attachments
Disable ecdsa when openssl does not support it (openssh-5.9_p1-ssh-keygen-ecdsa.patch,308 bytes, patch)
2013-11-28 21:37 UTC, Mike Gilbert

Description Richard Freeman gentoo-dev 2013-10-20 23:09:38 UTC
sshd.service contains:
ExecStartPre=/usr/bin/ssh-keygen -A

ssh-keygen -A fails on a default stage3 with:
ssh-keygen: generating new host keys: ECDSA unknown key type (null)

As a result, the service will not start.

This is related to bug 390937.

I'm not sure if there is a pretty solution for this since we ship this as part of the stage3.  At the very least a more useful error message would be helpful.
Comment 1 Mike Gilbert gentoo-dev 2013-11-28 21:00:45 UTC
Rich: Does it generate the RSA and DSA keys, or does it die immediately without generating anything?

If the former, we could just make it nonfatal as a workaround.
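The "nonfatal" workaround floated in comment 1, written out as an added example (it is not code from this bug, from Gentoo's sshd.service, or from OpenSSH): instead of one `ssh-keygen -A` call that aborts on the first key type the linked OpenSSL cannot provide, each host key type is generated on its own, a failing type is skipped and reported, and the step only fails if no usable host key exists at all. The key type names, the `KEYGEN` override and the default `/etc/ssh` directory are assumptions made for this example; OpenSSH 6.4 later fixed this inside `ssh-keygen` itself (comment 6), so this is only the interim approach the comment describes.

```shell
#!/bin/sh
# Added example, not from the bug report or from Gentoo's sshd.service.
# Drop-in replacement for "ssh-keygen -A": generate each host key type
# separately so a type the linked OpenSSL lacks (ECDSA under
# dev-libs/openssl[bindist]) is skipped instead of aborting sshd startup.
#
# Assumptions: KEYGEN names an ssh-keygen binary (default: ssh-keygen on
# PATH); the first argument is the host key directory (default: /etc/ssh).

gen_host_keys() {
    dir="${1:-/etc/ssh}"
    shift
    keygen="${KEYGEN:-ssh-keygen}"
    generated=""
    skipped=""
    for t in "$@"; do
        f="$dir/ssh_host_${t}_key"
        # Never overwrite an existing key: the host identity must stay stable,
        # and clients pin it in known_hosts.
        if [ -e "$f" ]; then
            continue
        fi
        if "$keygen" -q -t "$t" -N "" -f "$f" </dev/null >/dev/null 2>&1; then
            generated="$generated $t"
        else
            # Remove any half-written file so the next boot retries cleanly.
            rm -f "$f" "$f.pub"
            skipped="$skipped $t"
        fi
    done
    # Report the outcome on stdout (visible in the journal) and return 0:
    # a missing key type is non-fatal by design.
    echo "generated:${generated:- none}"
    echo "skipped:${skipped:- none}"
    return 0
}

# Fail loudly only in the case that matters: sshd with zero host keys
# cannot serve any connection, so that should still stop the unit.
have_any_host_key() {
    dir="${1:-/etc/ssh}"
    shift
    for t in "$@"; do
        [ -s "$dir/ssh_host_${t}_key" ] && return 0
    done
    return 1
}

# Usage from a wrapper script run as ExecStartPre:
#   gen_host_keys /etc/ssh rsa dsa ecdsa ed25519
#   have_any_host_key /etc/ssh rsa dsa ecdsa ed25519
```

Skipping a type silently would hide the underlying build problem, which is why the function prints which types it skipped: the journal then shows "skipped: ecdsa" on the affected hosts while sshd still comes up with the RSA and DSA keys it could generate.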
Comment 2 Mike Gilbert gentoo-dev 2013-11-28 21:03:04 UTC
Also, I don't think this problem is limited to systemd; the latest version of the openssh init script also calls ssh-keygen -A.
Comment 3 Mike Gilbert gentoo-dev 2013-11-28 21:11:39 UTC
I guess the ideal solution would be to modify ssh-keygen to disable ECDSA when it is disabled in openssl.
Comment 5 Mike Gilbert gentoo-dev 2013-11-28 21:37:42 UTC
Created attachment 364164 [details, diff]
Disable ecdsa when openssl does not support it

Can we apply this in openssh-5.9?
Comment 6 SpanKY gentoo-dev 2013-11-28 22:51:41 UTC
i don't see the point of fixing 5.9 if it's already fixed in 6.4
Comment 7 Mike Gilbert gentoo-dev 2013-11-28 22:56:10 UTC
Any plans to stabilize it soon?

Otherwise, stable net-misc/openssh[bindist] will fail to start with the current sshd.service file in systemd.
Comment 8 SpanKY gentoo-dev 2013-11-29 05:57:29 UTC
(In reply to Mike Gilbert from comment #7)

there's already an open bug.  even if there wasn't, any change added for 5.9 wouldn't go straight to stable which means you'd continue to see failures for a while.
Comment 9 Pacho Ramos gentoo-dev 2013-11-29 06:49:39 UTC
I guess floppym's comment was focusing on how long the stabilization of the newer version would take, because it seems to be a bit stalled, and then maybe a revision for 5.9 could be done faster.

But, if that is no longer the case, no problem of course :)
Comment 10 Mike Gilbert gentoo-dev 2013-11-29 16:14:10 UTC
Nah, I just forgot to search for an open stablereq bug.

My intent was actually to apply the patch without a revbump since it is very limited in scope and affects only a limited number of users; it would get picked up in the next stage build anyway.

I'm fine with waiting for the new version to be stabilized.