- Package: openssh-server
- Source: openssh
- Description: secure shell (SSH) server, for secure access from remote machines
- Submitter: Michael Prokop
- Date: 2021-10-05 10:57:17 UTC
- Severity: wishlist
I mentioned this issue in my talk "State of Debian (based) Linux live systems in 2010" at Debconf10. Colin suggested talking about it later on, so I'm reporting this as a wishlist item. It would be nice if the sshd init script would support generation of ssh host keys - iff there aren't any keys present yet. The (main) use case for this feature is live systems where you usually don't want to ship pre-generated keys on one hand, on the other hand not everyone wants to generate the host keys automatically on each boot (consuming time and resources). Taking care of key generation as someone invokes '/etc/init.d/ssh start' works fine for the Grml live systems and its users. What we're doing is something as simple as:

,---- [ relevant snippet of Grml's ssh initscript ]
| RSA1_KEY=/etc/ssh/ssh_host_key
| RSA_KEY=/etc/ssh/ssh_host_rsa_key
| DSA_KEY=/etc/ssh/ssh_host_dsa_key
|
| case "$1" in
| start)
|   [...]
|   if ! test -f $RSA1_KEY ; then
|     log_action_msg "Generating SSH1 RSA host key..."
|     $KEYGEN -t rsa1 -f $RSA1_KEY -C '' -N '' || exit 1
|   fi
|
|   if ! test -f $RSA_KEY ; then
|     log_action_msg "Generating SSH RSA host key..."
|     $KEYGEN -t rsa -f $RSA_KEY -C '' -N '' || exit 1
|   fi
|
|   if ! test -f $DSA_KEY ; then
|     log_action_msg "Generating SSH2 DSA host key..."
|     $KEYGEN -t dsa -f $DSA_KEY -C '' -N '' || exit 1
|   fi
|   [...]
`----

Would be great if that feature would be available in Debian/Ubuntu based (live) systems as well. :)

regards,
-mika-
I wonder if we should just create an openssh-host-keys package that ships a systemd unit/init script to create the keys (as (I think it was Christian) suggested at debconf. This just came up here as well: https://www.redhat.com/archives/libguestfs/2016-July/msg00090.html

Cheers,
-- Guido
Hi,

Michael, is grml working around this somehow? If so can you attach a link?

Cheers,
-- Guido
Hi,

I have moved things into a Debian package now: https://source.puri.sm/Librem5/gen-sshd-host-keys

I'm wondering if we should upload this to Debian as a separate package given it only contains one script, but since this is such a common thing it would be good if we'd have easy support.

Cheers,
-- Guido
Have you tried "ssh-keygen -A"? I believe it would be the simplest way to generate the missing host keys.

Regards,
Simon
Hi,

I want to only generate the ones enabled in sshd_config (similar to what sshd's postinst does).

Cheers,
-- Guido
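The behaviour Guido describes above (generate only the host keys that sshd_config enables, and only those that are absent), sketched as an added POSIX sh example that is not part of the bug report or of the gen-sshd-host-keys package. It assumes the key type can be inferred from the file name ssh_host_<type>_key, and lets KEYGEN and SSHDIR be overridden for testing:

```shell
#!/bin/sh
# Added example, not the gen-sshd-host-keys package's own script.
# Assumptions: a key's type is encoded in its file name (ssh_host_<type>_key),
# KEYGEN names the ssh-keygen binary, SSHDIR is where default keys live.
set -u

# Print the HostKey paths sshd will load: explicit "HostKey" directives if
# any, otherwise the compiled-in defaults (rsa, ecdsa, ed25519) under SSHDIR.
enabled_host_keys() {
    config=$1
    keys=$(sed -n 's/^[[:space:]]*HostKey[[:space:]]\{1,\}//p' "$config")
    if [ -z "$keys" ]; then
        for t in rsa ecdsa ed25519; do
            echo "${SSHDIR:-/etc/ssh}/ssh_host_${t}_key"
        done
    else
        printf '%s\n' "$keys"
    fi
}

# Print only the enabled key paths whose private key file does not exist yet.
missing_host_keys() {
    enabled_host_keys "$1" | while read -r key; do
        [ -f "$key" ] || echo "$key"
    done
}

# Generate each missing key with an empty passphrase. Existing keys are never
# touched, so running this on every boot (or as ExecStartPre) is idempotent.
generate_missing_host_keys() {
    missing_host_keys "$1" | while read -r key; do
        type=$(basename "$key" | sed -n 's/^ssh_host_\(.*\)_key$/\1/p')
        if [ -z "$type" ]; then
            echo "skipping $key: cannot infer key type from name" >&2
            continue
        fi
        echo "Generating SSH $type host key $key"
        "${KEYGEN:-ssh-keygen}" -q -t "$type" -f "$key" -C '' -N '' || return 1
    done
}
```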
Hi!

Guido, sorry for not coming back to you earlier :(

* Guido Günther [Wed Sep 19, 2018 at 11:18:37AM +0200]:

Nowadays™ with systemd we use our own ssh.service, which looks like this: https://github.com/grml/grml-live/blob/8078724d5fa78f0b8fe0471b94368c58f204ee11/etc/grml/fai/config/files/etc/systemd/system/ssh.service/GRMLBASE

Your gen-sshd-host-keys package LGTM and sounds like a good thing to have in Debian, especially for all the derivatives.

regards,
-mika-
Michael Prokop wrote:
Can we (Debian, not GRML) please just add
ExecStartPre=ssh-keygen -A
to Debian's default ssh.service?
Is there any DOWNSIDE to doing that?
It appears to be fully idempotent.
This doesn't work because it runs after sshd -t (which fails if keys don't exist):
$ systemctl edit ssh
[Service]
ExecStartPre=ssh-keygen -A
Instead you have to do this, which is a bit yukky:
$ systemctl edit ssh
[Service]
# Remove upstream's "sshd -t"
ExecStartPre=
ExecStartPre=ssh-keygen -A
# Re-add "sshd -t" AFTER ssh-keygen.
ExecStartPre=sshd -t
Or if you are scared the "sshd -t" copy-paste might get out of sync, you have to do a whole separate unit:
$ systemctl edit ssh-keygen --force --full
[Service]
Type=oneshot
ExecStart=ssh-keygen -A
[Install]
RequiredBy=ssh.service
[Unit]
Before=ssh.service
$ systemctl enable ssh-keygen
Note that Debian Live images still have to remove the keys generated
at image build time, i.e. something like this:
mmdebstrap --include=ssh '--customize-hook=rm -fv $1/etc/ssh/ssh_host_*_key*'
Is it worth supporting opt-out of install-time host key generation
(i.e. a new preseed option, checked by openssh-server.postinst)?
What I would IDEALLY like is the same behaviour as tinysshd and dropbear,
which is to defer host key generation until an actual SSH connection needs it.
For Debian Live images, this not only simplifies setup,
it also means there's more likely to be a good source of entropy.
(I guess that's really a separate ticket to file upstream, though.)
I have always been extremely reluctant to do this because of the possible downsides explained in https://factorable.net/weakkeys12.extended.pdf. At the very least it requires lots of care to ensure that sufficient entropy is available; this can't be brushed off as something that we might be able to take care of later.