According to the OpenSSH mailing list page, this is the spot to report/discuss bugs, and I have a potential one. On the other hand, it is probably something I am not doing correctly.

The system is Red Hat Linux 6.2 (yuk) running the OpenSSH RPM I grabbed off of the portable OpenSSH site listing, with sshd version OpenSSH_2.9p2. I have it installed via RPM, and when I go to launch sshd it gives me this error:

Could not load host key: /etc/ssh/ssh_host_key
Could not load host key: /etc/ssh/ssh_host_rsa_key
Could not load host key: /etc/ssh/ssh_host_dsa_key
Disabling protocol version 1. Could not load host key
Disabling protocol version 2. Could not load host key
sshd: no hostkeys available -- exiting.

The "issue" is that those files are there. Peep the listing:

[root@nbws1 ssh]# pwd
/etc/ssh
[root@nbws1 ssh]# ls -al
total 68
drwxr-xr-x    2 root     root         4096 Sep 25 16:33 .
drwxr-xr-x   30 root     root         4096 Sep 25 15:52 ..
-rw-r--r--    1 root     root        26287 Jun 16 21:51 primes
-rw-r--r--    1 root     root         1050 Jun 16 21:51 ssh_config
-rw-------    1 root     root          736 Sep 25 16:08 ssh_host_dsa_key
-rw-r--r--    1 root     root          600 Sep 25 16:08 ssh_host_dsa_key.pub
-rw-------    1 root     root          525 Sep 25 16:06 ssh_host_key
-rw-r--r--    1 root     root          329 Sep 25 16:06 ssh_host_key.pub
-rw-------    1 root     root          951 Sep 25 16:07 ssh_host_rsa_key
-rw-r--r--    1 root     root          220 Sep 25 16:07 ssh_host_rsa_key.pub
-rw-r--r--    1 root     root         1780 Sep 25 16:50 sshd_config
[root@nbws1 ssh]#

All of the host key files were generated as recommended on the OpenSSH portable "how to install" web page, which shows this:

ssh-keygen -t rsa1 -f /etc/ssh/ssh_host_key -N ""
ssh-keygen -t rsa -f /etc/ssh/ssh_host_rsa_key -N ""
ssh-keygen -t dsa -f /etc/ssh/ssh_host_dsa_key -N ""

The only things I did differently are that I inserted passphrases in the above ssh-keygen command lines (between the quotes) and that I edited the sshd_config file to change PermitRootLogin to no.

The ssh client is fine. sshd finds the keys if I set them world readable but (as it should) declines to use them. So the files are definitely there.

What is wrong with my setup? Why won't sshd find those keys?

The only thing I can think of is that sshd doesn't want to run as root (I am launching it from the CLI as root) and then it can't read those files. In this case, what is the user that sshd tries to launch as? I cannot find the user name in any documentation.
On Tue, Sep 25, 2001 at 04:55:36PM -0700, voltaic wrote:

> According to the OpenSSH mailing list page, this is the spot to
> report/discuss bugs, and I have a potential one. On the other hand, it is
> probably something I am not doing correctly.

> The system is Red Hat Linux 6.2 (yuk) running the OpenSSH RPM I grabbed off
> of the portable OpenSSH site listing, with sshd version OpenSSH_2.9p2.

> I have it installed via RPM, and when I go to launch sshd it gives me this
> error:

> Could not load host key: /etc/ssh/ssh_host_key
> Could not load host key: /etc/ssh/ssh_host_rsa_key
> Could not load host key: /etc/ssh/ssh_host_dsa_key
> Disabling protocol version 1. Could not load host key
> Disabling protocol version 2. Could not load host key
> sshd: no hostkeys available -- exiting.

> The "issue" is that those files are there. Peep the listing:

> [root@nbws1 ssh]# pwd
> /etc/ssh
> [root@nbws1 ssh]# ls -al
> total 68
> drwxr-xr-x    2 root     root         4096 Sep 25 16:33 .
> drwxr-xr-x   30 root     root         4096 Sep 25 15:52 ..
> -rw-r--r--    1 root     root        26287 Jun 16 21:51 primes
> -rw-r--r--    1 root     root         1050 Jun 16 21:51 ssh_config
> -rw-------    1 root     root          736 Sep 25 16:08 ssh_host_dsa_key
> -rw-r--r--    1 root     root          600 Sep 25 16:08 ssh_host_dsa_key.pub
> -rw-------    1 root     root          525 Sep 25 16:06 ssh_host_key
> -rw-r--r--    1 root     root          329 Sep 25 16:06 ssh_host_key.pub
> -rw-------    1 root     root          951 Sep 25 16:07 ssh_host_rsa_key
> -rw-r--r--    1 root     root          220 Sep 25 16:07 ssh_host_rsa_key.pub
> -rw-r--r--    1 root     root         1780 Sep 25 16:50 sshd_config
> [root@nbws1 ssh]#

> All of the host key files were generated as recommended on the OpenSSH
> portable "how to install" web page, which shows this:

> ssh-keygen -t rsa1 -f /etc/ssh/ssh_host_key -N ""
> ssh-keygen -t rsa -f /etc/ssh/ssh_host_rsa_key -N ""
> ssh-keygen -t dsa -f /etc/ssh/ssh_host_dsa_key -N ""

> The only things I did differently are that I inserted passphrases in the
> above ssh-keygen command lines (between the quotes) and that I edited the
> sshd_config file to change PermitRootLogin to no.

??? I don't think setting passphrases on the host keys is going to work. Try it without. I'll bet that's it.

> The ssh client is fine. sshd finds the keys if I set them world readable but
> (as it should) declines to use them. So the files are definitely there.

> What is wrong with my setup? Why won't sshd find those keys?

> The only thing I can think of is that sshd doesn't want to run as root (I am
> launching it from the CLI as root) and then it can't read those files. In
> this case, what is the user that sshd tries to launch as? I cannot find the
> user name in any documentation.

I'll bet it's the passphrases. I don't know anyone who has tried host keys with passphrases, and I don't know anything you might gain, even if you were always going to start sshd manually and enter all three passphrases at startup.

Anyone who could read the key files would have broken root on your system and can access kernel memory and/or trojan the binary and later steal the unencrypted key and/or passphrase. Even then, it would only be good for spoofing your system for a MITM attack, which would STILL require effort to play games with a box he had already busted and rooted to the core. Not worth the effort for the value that key has.

Mike

-- 
Michael H. Warfield    |  (770) 985-6132   |  mhw@WittsEnd.com
  (The Mad Wizard)     |  (678) 463-0932   |  http://www.wittsend.com/mhw/
  NIC whois:  MHW9     |  An optimist believes we live in the best of all
  PGP Key: 0xDF1DD471  |  possible worlds.  A pessimist is sure of it!
Circa 2001-Sep-25 16:55:36 -0700 dixit voltaic:

: According to the OpenSSH mailing list page, this is the spot to
: report/discuss bugs, and I have a potential one. On the other hand,
: it is probably something I am not doing correctly.

Correct. See below.

: The system is Red Hat Linux 6.2 (yuk) running the OpenSSH RPM I
: grabbed off of the portable OpenSSH site listing, with sshd version
: OpenSSH_2.9p2.
:
: I have it installed via RPM, and when I go to launch sshd it gives me
: this error:
:
: Could not load host key: /etc/ssh/ssh_host_key
: Could not load host key: /etc/ssh/ssh_host_rsa_key
: Could not load host key: /etc/ssh/ssh_host_dsa_key
: Disabling protocol version 1. Could not load host key
: Disabling protocol version 2. Could not load host key
: sshd: no hostkeys available -- exiting.
:
: The "issue" is that those files are there. Peep the listing:

[...]

: All of the host key files were generated as recommended on the OpenSSH
: portable "how to install" web page, which shows this:
:
: ssh-keygen -t rsa1 -f /etc/ssh/ssh_host_key -N ""
: ssh-keygen -t rsa -f /etc/ssh/ssh_host_rsa_key -N ""
: ssh-keygen -t dsa -f /etc/ssh/ssh_host_dsa_key -N ""
:
: The only things I did differently are that I inserted passphrases in the
: above ssh-keygen command lines (between the quotes)

Don't do that. Host keys may not have passphrases. Sshd can't load them if they do (as you've found). You should use passphrases with your per-user keys, but not with host keys.

Note that /etc/rc.d/init.d/sshd generates the host keypairs automagically when sshd first starts, if the keys don't exist. You can simply remove the passphrased host keys, then start sshd:

  su
  rm /etc/ssh/ssh*_key*
  /etc/rc.d/init.d/sshd start

The initscript generates new host keypairs, then starts sshd.

: and that I edited the sshd_config file to change PermitRootLogin to
: no.
:
: The ssh client is fine. sshd finds the keys if I set them world
: readable but (as it should) declines to use them. So the files are
: definitely there.
:
: What is wrong with my setup? Why won't sshd find those keys?

[Answer above.]

: The only thing I can think of is that sshd doesn't want to run as root
: (I am launching it from the CLI as root) and then it can't read
: those files. In this case, what is the user that sshd tries to
: launch as? I cannot find the user name in any documentation.

Sshd must start as root, for two main reasons:

(1) By default, it listens on a privileged port (port number 22). (While you can tell sshd to listen on a non-privileged port, it still must run as root for reason [2] below.)

(2) In order to run as the user who logs in (or runs a command) via ssh, sshd uses seteuid(), setuid(), and other system calls which require privilege.

-- 
jim knoble | jmknoble@pobox.com | http://www.pobox.com/~jmknoble/
(GnuPG fingerprint: 31C4:8AAC:F24E:A70C:4000::BBF4:289F:EAA8:1381:1491)
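A pre-flight check for the failure mode discussed in this thread (a host key that sshd reports as "Could not load host key" because it is passphrase-protected, wrongly owned, or readable by others). This is an added example, not code from the thread or from OpenSSH. It inspects the key files directly instead of calling ssh-keygen, so it runs on any box with Python. Assumptions: the default key paths in DEFAULT_HOST_KEYS, the sample key contents (constructed placeholders, not real key material), and the legacy SSH1 on-disk layout, which follows OpenSSH's authfile.c as I recall it (id string, one cipher-type byte, four reserved bytes); the openssh-key-v1 format postdates 2.9p2 but is what current ssh-keygen writes, so the check covers both.

```python
import base64
import os
import stat
import struct
import sys

OPENSSH_MAGIC = b"openssh-key-v1\x00"
SSH1_ID = b"SSH PRIVATE KEY FILE FORMAT 1.1\n\x00"   # legacy rsa1 key id string
DEFAULT_HOST_KEYS = ("/etc/ssh/ssh_host_key",        # assumed default locations
                     "/etc/ssh/ssh_host_rsa_key",
                     "/etc/ssh/ssh_host_dsa_key")


def _ssh_string(buf, off):
    """Read one SSH wire string (uint32 big-endian length + bytes) at off."""
    (n,) = struct.unpack(">I", buf[off:off + 4])
    return buf[off + 4:off + 4 + n], off + 4 + n


def key_cipher(data):
    """Return (file_format, cipher) for the raw bytes of a private key file.
    cipher is None when the key is stored in the clear, which is what sshd
    needs for a host key; anything else means a passphrase was set."""
    if data.startswith(SSH1_ID):
        # SSH1 layout (assumed from authfile.c): id string, 1-byte cipher type
        # (0 = none, 3 = 3DES), 4 reserved bytes, then the key material.
        cipher_type = data[len(SSH1_ID)]
        return "ssh1", None if cipher_type == 0 else "ssh1-cipher-%d" % cipher_type
    text = data.decode("ascii", "replace")
    if "-----BEGIN OPENSSH PRIVATE KEY-----" in text:
        b64 = "".join(l for l in text.splitlines() if not l.startswith("-----"))
        blob = base64.b64decode(b64)
        if not blob.startswith(OPENSSH_MAGIC):
            raise ValueError("bad openssh-key-v1 magic")
        cipher, off = _ssh_string(blob, len(OPENSSH_MAGIC))   # ciphername
        kdf, _ = _ssh_string(blob, off)                        # kdfname
        name = cipher.decode("ascii")
        return "openssh-key-v1", None if name == "none" else "%s/%s" % (name, kdf.decode("ascii"))
    if "PRIVATE KEY-----" in text:
        # Traditional PEM as 2.9p2-era ssh-keygen wrote rsa/dsa keys: an encrypted
        # key carries a "Proc-Type: 4,ENCRYPTED" header and a DEK-Info line.
        if "Proc-Type: 4,ENCRYPTED" not in text:
            return "pem", None
        for line in text.splitlines():
            if line.startswith("DEK-Info:"):
                return "pem", line.split(":", 1)[1].strip().split(",")[0]
        return "pem", "unknown"
    raise ValueError("unrecognised private key format")


def permission_problems(mode, uid):
    """Ownership/mode problems sshd objects to for a private host key."""
    problems = []
    if uid != 0:
        problems.append("not owned by root (uid %d)" % uid)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append("group/other access bits set (mode %04o)" % (mode & 0o7777))
    return problems


def check_host_key(path):
    """Return a list of human-readable problems for one host key file."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return ["missing"]
    problems = permission_problems(stat.S_IMODE(st.st_mode), st.st_uid)
    with open(path, "rb") as f:
        data = f.read()
    try:
        fmt, cipher = key_cipher(data)
    except ValueError as e:
        return problems + [str(e)]
    if cipher is not None:
        problems.append("passphrase-protected (%s, %s): sshd cannot load it" % (fmt, cipher))
    return problems


def constructed_openssh_key(cipher="none", kdf="none"):
    """Constructed test input: only the openssh-key-v1 header (magic, ciphername,
    kdfname, empty kdfoptions, nkeys=0), PEM-armoured. No real key material."""
    def s(b):
        return struct.pack(">I", len(b)) + b
    blob = OPENSSH_MAGIC + s(cipher.encode()) + s(kdf.encode()) + s(b"") + struct.pack(">I", 0)
    body = base64.b64encode(blob).decode("ascii")
    return ("-----BEGIN OPENSSH PRIVATE KEY-----\n%s\n-----END OPENSSH PRIVATE KEY-----\n" % body).encode()


# Constructed samples (placeholder bodies; the check never decodes them).
SAMPLE_PEM_PLAIN = (b"-----BEGIN RSA PRIVATE KEY-----\n"
                    b"constructedplaceholderbody\n-----END RSA PRIVATE KEY-----\n")
SAMPLE_PEM_ENCRYPTED = (b"-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                        b"DEK-Info: DES-EDE3-CBC,0123456789ABCDEF\n\n"
                        b"constructedplaceholderbody\n-----END RSA PRIVATE KEY-----\n")
SAMPLE_SSH1_PLAIN = SSH1_ID + b"\x00" + b"\x00\x00\x00\x00"
SAMPLE_SSH1_3DES = SSH1_ID + b"\x03" + b"\x00\x00\x00\x00"

if __name__ == "__main__":
    bad = 0
    for p in (sys.argv[1:] or DEFAULT_HOST_KEYS):
        probs = check_host_key(p)
        print("%s: %s" % (p, "; ".join(probs) if probs else "ok"))
        bad += bool(probs)
    sys.exit(1 if bad else 0)
```

Run it as root before starting sshd; a non-zero exit means at least one key would fail to load, and the message says whether the cause is the passphrase, the mode, or the owner. On a box with ssh-keygen, `ssh-keygen -y -P "" -f /etc/ssh/ssh_host_rsa_key` is the independent confirmation: it prints the public key for a clear host key and fails for a passphrase-protected one.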