
Bug 457026

Summary: net-misc/openssh: no host keys generated on systemd based system
Product: Gentoo Linux
Reporter: Konstantin (elxa) <ktrackfd>
Component: [OLD] Core system
Assignee: Gentoo's Team for Core System packages <base-system>
Status: RESOLVED FIXED
Severity: normal
CC: alexander, dschridde+gentoobugs, ktrackfd, lxnay, nikoli, steffen.weber, systemd, thev00d00
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
See Also: https://bugs.gentoo.org/show_bug.cgi?id=831762
Whiteboard:
Package list:
Runtime testing required: ---

Description Konstantin (elxa) 2013-02-13 00:22:36 UTC
because systemd users don't use /etc/init.d/sshd the host keys are never generated

Reproducible: Always

Steps to Reproduce:
1. install openssh on a system using systemd as init
2. start openssh (systemctl start sshd)
Actual Results:  
$ systemctl status sshd
sshd.service - OpenSSH server daemon
	  Loaded: loaded (/usr/lib64/systemd/system/sshd.service; disabled)
	  Active: inactive (dead) since Wed 2013-02-13 01:13:05 CET; 4s ago
	 Process: 26074 ExecStart=/usr/sbin/sshd -D -e (code=exited, status=0/SUCCESS)

Feb 13 01:12:41 gentoodesktop systemd[1]: Starting OpenSSH server daemon...
Feb 13 01:12:41 gentoodesktop systemd[1]: Started OpenSSH server daemon.
Feb 13 01:12:41 gentoodesktop sshd[26074]: Could not load host key: /etc/ssh/ssh_host_rsa_key
Feb 13 01:12:41 gentoodesktop sshd[26074]: Could not load host key: /etc/ssh/ssh_host_ecdsa_key

Expected Results:  
handling host key generation at install time, not start time

possible solution is running this as root:

1. source /etc/init.d/sshd
2. genkeys
3. restart sshd (systemctl restart sshd)

after restart:

$ systemctl status sshd
sshd.service - OpenSSH server daemon
	  Loaded: loaded (/usr/lib64/systemd/system/sshd.service; disabled)
	  Active: inactive (dead) since Wed 2013-02-13 01:13:05 CET; 4s ago
	 Process: 26074 ExecStart=/usr/sbin/sshd -D -e (code=exited, status=0/SUCCESS)

Feb 13 01:12:41 gentoodesktop systemd[1]: Starting OpenSSH server daemon...
Feb 13 01:12:41 gentoodesktop systemd[1]: Started OpenSSH server daemon.
Feb 13 01:12:41 gentoodesktop sshd[26074]: Could not load host key: /etc/ssh/ssh_host_rsa_key
Feb 13 01:12:41 gentoodesktop sshd[26074]: Could not load host key: /etc/ssh/ssh_host_ecdsa_key
Feb 13 01:12:41 gentoodesktop sshd[26074]: Server listening on 0.0.0.0 port 22.
Feb 13 01:12:41 gentoodesktop sshd[26074]: Server listening on :: port 22.
Comment 1 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2013-02-13 19:45:05 UTC
How about adding pkg_config() to generate keys?
Comment 2 Mike Gilbert gentoo-dev 2013-02-13 20:10:04 UTC
Fedora uses shell script which is invoked in ExecStartPre. We could rip code out of the Gentoo init script to do the same.
Comment 3 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2013-02-13 22:02:36 UTC
(In reply to comment #2)
> Fedora uses shell script which is invoked in ExecStartPre. We could rip code
> out of the Gentoo init script to do the same.

We could also do it the proper way and not expect starting services to modify system configuration.
Comment 4 Mike Gilbert gentoo-dev 2013-02-13 22:17:56 UTC
(In reply to comment #3)
> We could also do it the proper way and not expect starting services to
> modify system configuration.

You really think the user should be required to explicitly generate keys for this? That's just silly.
Comment 5 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2013-02-13 22:32:55 UTC
I just think that the ebuild which does install SSH is responsible for generating keys, not the service manager which starts it.
Comment 6 Mike Gilbert gentoo-dev 2013-02-13 23:06:30 UTC
Unfortunately, I don't think the ebuild can do it automatically (pkg_postinst) since openssh is part of the stage3 tarball. We would end up distributing keys in stage3, which would be bad.

If we do it via pkg_config, that requires manual user action to be run. I think that generating the keys the first time sshd is started is less confusing.
Comment 7 Mike Gilbert gentoo-dev 2013-02-14 00:37:30 UTC
Either way we do it, it seems the code could be greatly simplified by just calling ssh-keygen -A.

     -A      For each of the key types (rsa1, rsa, dsa and ecdsa) for which
             host keys do not exist, generate the host keys with the default
             key file path, an empty passphrase, default bits for the key
             type, and default comment.  This is used by /etc/rc to generate
             new host keys.
Comment 8 SpanKY gentoo-dev 2013-02-19 06:52:12 UTC
yes, it doesn't make sense for the ebuild to do it.  adding a pkg_config step wouldn't help either.
Comment 9 Mike Gilbert gentoo-dev 2013-02-20 18:21:40 UTC
My suggestion would be to add ExecStartPre=/usr/bin/ssh-keygen -A to sshd.service.

Any objections?
Comment 10 Ian Whyman (thev00d00) (RETIRED) gentoo-dev 2013-04-04 19:28:32 UTC
(In reply to comment #9)
> My suggestion would be to add ExecStartPre=/usr/bin/ssh-keygen -A to
> sshd.service.
> 
> Any objections?

I personally think we should split the existing code from the init script and call that from both places, it would be the most consistent way.

Sabayon have done something similar already[1], by calling the split out file "sshd-functions.sh" from both places.

1: https://git.sabayon.org/overlays/for-gentoo.git/diff/?id=886c4b9
Comment 11 Mike Gilbert gentoo-dev 2013-04-04 19:38:04 UTC
(In reply to comment #10)

Alternatively, we could replace the gen_keys function in the init script with a simple "ssh-keygen -A" if consistency is a real concern.
Comment 12 Ian Whyman (thev00d00) (RETIRED) gentoo-dev 2013-04-04 19:50:03 UTC
(In reply to comment #11)
> (In reply to comment #10)
> 
> Alternatively, we could replace the gen_keys function in the init script
> with a simple "ssh-keygen -A" if consistency is a real concern.

So long as it's the same method in both places, then I don't see an issue :)
Comment 13 Fabio Erculiani (RETIRED) gentoo-dev 2013-04-04 21:44:03 UTC
ExecStartPre= is the way to go. Whatever is the rest about, I am not that worried.
Generating the host key through pkg_config doesn't make sense.
Comment 14 Mike Gilbert gentoo-dev 2013-04-04 22:00:37 UTC
+  04 Apr 2013; Mike Gilbert <floppym@gentoo.org> files/sshd.service:
+  Add ExecStartPre=/usr/bin/ssh-keygen -A to sshd.service. Bug 457026.

I leave it to the maintainers to decide if they want to do the same for the init script.
Comment 15 SpanKY gentoo-dev 2013-04-24 03:06:39 UTC
(In reply to comment #14)

looks like -A is new to 5.9_p1.  the init.d logic predates that significantly.

the ssh-keygen flag doesn't support an alternative sshd config, but it looks like we're already not really handling that correctly (parsing HostKey out), so maybe it doesn't matter.

http://sources.gentoo.org/net-misc/openssh/files/sshd.rc6.4?r1=1.2&r2=1.3
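The two approaches discussed in this bug differ on exactly the point comment 15 raises: "ssh-keygen -A" only knows the default key paths, while the init script's gen_keys parsed HostKey out of sshd_config. The following POSIX shell functions, added here as an illustration and not taken from the Gentoo init script, the ebuild or the systemd unit, show the config-aware variant: list the HostKey paths that have no private key yet and generate only those with an empty passphrase, which is what -A does for the defaults. Assumptions: the config path is caller-supplied, the key type is taken from the file name (ssh_host_<type>_key), HostKey is spelled with that capitalisation, and paths contain no whitespace.

```shell
#!/bin/sh
# Added example, not project code: host-key generation that honours the
# HostKey directives of a caller-supplied sshd_config instead of the
# fixed default paths that "ssh-keygen -A" uses.

# Print the HostKey paths from config $1 whose private key file does not
# exist yet.  Commented-out lines (#HostKey ...) are skipped.  When the
# config declares no HostKey at all, fall back to the OpenSSH defaults
# named in the ssh-keygen(1) excerpt above (rsa, dsa, ecdsa).
# Assumption: directive spelled "HostKey", paths without whitespace.
missing_host_keys() {
    config="$1"
    keys=$(sed -n 's/^[[:space:]]*HostKey[[:space:]]\{1,\}//p' "$config" 2>/dev/null)
    if [ -z "$keys" ]; then
        keys="/etc/ssh/ssh_host_rsa_key
/etc/ssh/ssh_host_dsa_key
/etc/ssh/ssh_host_ecdsa_key"
    fi
    for k in $keys; do
        [ -f "$k" ] || echo "$k"
    done
}

# Derive the ssh-keygen -t argument from the OpenSSH file-name convention
# ssh_host_<type>_key; fail for anything else so we never guess a type.
key_type_of() {
    case "$1" in
        *_rsa_key)     echo rsa ;;
        *_dsa_key)     echo dsa ;;
        *_ecdsa_key)   echo ecdsa ;;
        *_ed25519_key) echo ed25519 ;;
        *) return 1 ;;
    esac
}

# Generate every missing key with an empty passphrase and default bits,
# the same parameters "ssh-keygen -A" uses, but for the configured paths.
# Intended to run as root before sshd starts (ExecStartPre or the init
# script); existing keys are never touched, so host identity is stable.
generate_missing_host_keys() {
    missing_host_keys "$1" | while read -r path; do
        type=$(key_type_of "$path") || { echo "unknown key type: $path" >&2; continue; }
        mkdir -p "$(dirname "$path")"
        ssh-keygen -q -t "$type" -f "$path" -N ""
    done
}
```

Because only absent files are generated, re-running it on every service start is idempotent; a host key that changes unexpectedly is still a signal worth alerting on, since it is what clients' known_hosts warnings key off.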