[Bug 876910] Re: When starting open ssh server without host keys in /etc/ssh/, the keys are not automatically generated.
Clint Byrum
clint at fewbar.com
Tue Oct 18 05:36:34 UTC 2011
Excerpts from Jon's message of Mon Oct 17 23:27:30 UTC 2011:
> Hello Clint,
>
> >> sshd is no longer started and/or stopped with /etc/init.d/ssh unless you are running inside a chroot.
> I'm new to upstart, so forgive my ignorance, but I thought upstart still used the init scripts to start and/or stop the jobs.
>
No, upstart jobs are designed to be short and pointed ways to define how
a daemon starts and stops. /etc/init.d is only for backward compatibility
in an upstart system. The ssh init.d script was left the way it is because
of chroot jails for sshd, but it is not necessary for normal operation.
> >> The host keys are typically generated in the postinstall script of openssh-server.
> I think this may be the issue.
>
> >> So if you don't have keys, its likely that something went wrong during that process.
> Well, I suppose this is true, but in this particular case, I intentionally remove them as a final step to prepare a base image for use with QEMU-KVM. It is a security concern to have multiple guest VMs all running with the same SSH key.
>
> >> Try this to remedy the situation.
> >> sudo apt-get install openssh-server --reinstall
> Two things,
>
> 1) Why not:
> dpkg-reconfigure openssh-server
> As this seems to be a more direct route? Again, maybe I'm not seeing all of the pieces.
Yeah, that's probably better. What was I thinking? ;)
>
> 2) In the Development environment both of these solutions will work,
> however, this is not scalable and is not a viable solution in a
> production environment.
>
Not sure why this isn't scalable... it's not that heavy of a command and
it should be idempotent.
> Thanks for your quick response. As is my experience with other non-
> upstart distros, SSH automatically creates these host keys if they don't
> exist, it is my strong personal belief that Ubuntu should not deviate
> from the norm for two reasons, first to remain consistent with 'Linux'
> (other distros), and second so I can present a viable solution to my
> management using an Ubuntu platform. Please let me know if you think I'm
> way off here, I really do appreciate the assistance.
>
I do think it's a bit odd that they are generated at install time rather
than whenever they are missing, but either way, it's a well-defined
behavior and so can be worked with fairly easily by removing and
regenerating the keys at first boot. An upstart job like this
would probably work:
start on starting ssh
task
# DSA host keys must be exactly 1024 bits (ssh-keygen rejects -b 4096 for -t dsa),
# and -N '' is needed because there is no tty to prompt for a passphrase at boot
exec [ -f /etc/ssh/ssh_host_dsa_key ] || ssh-keygen -t dsa -b 1024 -N '' -f /etc/ssh/ssh_host_dsa_key -q
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to openssh in Ubuntu.
https://bugs.launchpad.net/bugs/876910
Title:
When starting open ssh server without host keys in /etc/ssh/, the keys
are not automatically generated.
Status in “openssh” package in Ubuntu:
Incomplete
Bug description:
System Information
1) lsb_release -rd
Description: Ubuntu 11.10
Release: 11.10
SSH Version
2) apt-cache policy openssh-server
openssh-server:
Installed: 1:5.8p1-7ubuntu1
Candidate: 1:5.8p1-7ubuntu1
Version table:
*** 1:5.8p1-7ubuntu1 0
500 http://us.archive.ubuntu.com/ubuntu/ oneiric/main amd64 Packages
100 /var/lib/dpkg/status
Expected Behavior:
3) SSH should automatically create host keys when it detects the host keys are not present in /etc/ssh
Observed Behavior:
4) SSH did not generate host keys
Solution:
5) Created the attached patch to resolve the issue locally. Presented as a solution to the problem.
-- Check for existence of /etc/ssh/*_host_*
-- create host keys unless exists
ProblemType: Bug
DistroRelease: Ubuntu 11.10
Package: openssh-server 1:5.8p1-7ubuntu1
ProcVersionSignature: Ubuntu 3.0.0-12.20-server 3.0.4
Uname: Linux 3.0.0-12-server x86_64
ApportVersion: 1.23-0ubuntu3
Architecture: amd64
Date: Mon Oct 17 16:12:28 2011
InstallationMedia: Ubuntu-Server 11.10 "Oneiric Ocelot" - Release amd64 (20111011)
ProcEnviron:
LANG=en_US.UTF-8
SHELL=/bin/bash
SourcePackage: openssh
UpgradeStatus: No upgrade log present (probably fresh install)
mtime.conffile..etc.init.d.ssh: 2011-10-17T15:57:55.578332
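The first-boot regeneration that Clint's upstart job sketches, and the "create host keys unless exists" check in the reporter's description, cover only one key type each. Below is an added example (not code from the thread or from the openssh package) that does the same idempotently for every host key type an OpenSSH 5.8-era sshd loads; the key directory is a parameter (assumed, so it can be exercised on a scratch directory) rather than hard-coded /etc/ssh.

```shell
#!/bin/sh
# Added example: idempotent host-key regeneration for a first-boot task.
# Assumptions: OpenSSH 5.8-era key types (rsa, dsa, ecdsa); the key
# directory is passed as $1 instead of being fixed to /etc/ssh.

# Key sizes: DSA must be exactly 1024 bits (ssh-keygen refuses anything
# else), RSA 2048 is a sane default, ECDSA 256 is the default curve.
key_bits() {
    case "$1" in
        rsa)   echo 2048 ;;
        dsa)   echo 1024 ;;
        ecdsa) echo 256 ;;
        *)     return 1 ;;
    esac
}

# Print, one per line, the key types whose private key file is missing
# from directory $1. Pure file checks, so it is safe to run anywhere.
missing_host_keys() {
    dir=$1
    for type in rsa dsa ecdsa; do
        [ -f "$dir/ssh_host_${type}_key" ] || echo "$type"
    done
}

# Generate every missing host key in $1. Existing keys are never touched,
# so running this on every boot is harmless; -N '' gives the empty
# passphrase a host key needs and avoids a prompt when no tty exists.
generate_missing_host_keys() {
    dir=$1
    for type in $(missing_host_keys "$dir"); do
        ssh-keygen -q -t "$type" -b "$(key_bits "$type")" -N '' \
            -f "$dir/ssh_host_${type}_key" || return 1
    done
}

# Typical use from a boot-time task: generate_missing_host_keys /etc/ssh
```

Deleting /etc/ssh/ssh_host_* in the image and running this at first boot gives each cloned guest its own host keys, which is the concern Jon raised about cloned VMs sharing one key.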