Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Dropbear does not work on fresh installation #83

Open
Id2ndR opened this issue Feb 11, 2021 · 2 comments
Open

Dropbear does not work on fresh installation #83

Id2ndR opened this issue Feb 11, 2021 · 2 comments
Labels
bug

Comments

@Id2ndR
Copy link

Id2ndR commented Feb 11, 2021
edited
Loading

Version used: mkinitcpio-systemd-tool 36-1.

This issue is related to #17 and https://bugs.archlinux.org/task/60523: on fresh install, ssh host_keys are generated before installing dropbear, do mkinitcpio show errors like this:

    convert openssh to dropbear host key: /etc/dropbear/dropbear_ecdsa_host_key
==> ERROR: command failure (1): dropbearconvert openssh dropbear /etc/ssh/ssh_host_ecdsa_key /etc/dropbear/dropbear_ecdsa_host_key 
Error: Unsupported OpenSSH key type
Error reading key from '/etc/ssh/ssh_host_ecdsa_key'

Then, the initrd-dropbear unit seems to start on reboot, but the ssh port (22) is not binded. In fact, starting dropbear with -E option allows to see that it exit immediatly with return code 1:

[20033] Feb 11 22:12:21 Failed loading /etc/dropbear/dropbear_rsa_host_key
[20033] Feb 11 22:12:21 Failed loading /etc/dropbear/dropbear_ecdsa_host_key
[20033] Feb 11 22:12:21 Failed loading /etc/dropbear/dropbear_ed25519_host_key
[20033] Feb 11 22:12:21 Early exit: No hostkeys available. 'dropbear -R' may be useful or run dropbearkey.

The problem is that using ssh-keygen -A -m PEM command, like explained in the unit, does not help because it does not replace existing keys.

Solutions:

  • a workaround is to remove the existing keys /etc/ssh/ssh_host_*key* before using the command ssh-keygen -A -m PEM.
  • a better solution is to convert the existing keys with these commands, providing an empty password when promped: 
    for format in dsa ecdsa ed25519 rsa; do
  ssh-keygen -A -p -m PEM -f /etc/ssh/ssh_host_${format}_key
done

Then mkinitcpio shoud be run again.
pierrou-andreas added a commit to pierrou-andreas/mkinitcpio-systemd-tool that referenced this issue Aug 28, 2021
@pierrou-andreas
"ssh-keygen -A -m PEM" does not work.
1d04d79 
random-archer#83

The manpage of ssh-keygen describes option "-A" as
"For each of the key types (rsa, dsa, ecdsa and ed25519) for which host keys do not exist, generate the host keys [...]."

But since the host keys in /etc/ssh/ already exists (because they are generated on the first invocation of sshd), nothing will be generated/regenerated/converted. Id2ndR suggested the for-loop method instead.
@pierrou-andreas
Copy link

The problem is that using ssh-keygen -A -m PEM command, like explained in the unit, does not help because it does not replace existing keys.

* a better solution is to convert the existing keys with these commands, providing an empty password when promped:
  ```
  for format in dsa ecdsa ed25519 rsa; do
    ssh-keygen -A -p -m PEM -f /etc/ssh/ssh_host_${format}_key
  done
  ```

Then mkinitcpio shoud be run again.

Hi! I just want to confirm that the problem of running ssh-keygen -A -m PEM still persists on OpenSSH 8.7p1-1. Isn't the use of option -A in order to convert to PEM-format inherently incorrect as it only creates files that don't already exist?

The manpage of ssh-keygen describes option -A as

For each of the key types (rsa, dsa, ecdsa and ed25519) for which host keys do not exist, generate the host keys [...].

But since the host keys in /etc/ssh/ already exists (because they are generated on the first invocation of sshd), nothing will be generated/regenerated/converted. Is it OK to change the comment in the initrd-dropbear.service so that new users won't be confused? I made a pull request with the above-suggested for-loop instead of ssh-keygen -A -m PEM since I don't have write access to the project.

ghthor added a commit to ghthor/mkinitcpio-dropbear that referenced this issue Sep 26, 2021
@ghthor
Add a suggestion to convert keyfiles to PEM format
35be01b 
This is a fairly silent error that occurs because the output
of the dropbearconvert wasn't checked and the return_code was
still being set to zero even if dropbearconvert failed. I found
the suggestion to convert the existing keys to PEM format in an
issue[1] for systemd-tool and I've converted the suggestion to an
echo statement during a failure to convert the keys when running
mkinitcpio when dropbear hook is enabled.

[1] random-archer/mkinitcpio-systemd-tool#83
ghthor added a commit to ghthor/mkinitcpio-dropbear that referenced this issue Sep 26, 2021
@ghthor
Add a suggestion to convert keyfiles to PEM format
786bedb 
This commit adds additional output to the following Error
message informing the user they need to convert their existing
ssh_host key files to PEM format.

```
Error: Unsupported OpenSSH key type
Error reading key from '/etc/ssh/ssh_host_rsa_key'
Error: Unsupported OpenSSH key type
Error reading key from '/etc/ssh/ssh_host_ecdsa_key'
```

I found the suggestion to convert the existing keys to PEM format in
an issue[1] for systemd-tool and I've converted the suggestion to an
echo statement during a failure to convert the keys when running
mkinitcpio when dropbear hook is enabled.

Also this change stops swallowing this error. The new behavior is,
if dropbear convert was unable to convert any existing `ssh_host`
key files then `generate_keys` will be run. This prevents an initramfs
being generated without any host keyfiles. This is the same behavior
that occurs when NO existing `ssh_host` keyfiles exist.

[1] random-archer/mkinitcpio-systemd-tool#83
@ghthor ghthor mentioned this issue Sep 26, 2021
Open
@ghthor
Copy link

ghthor commented Sep 26, 2021

I believe the for loop version of this fix does not need the -A flag.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@ghthor @Id2ndR @Andrei-Pozolotin @pierrou-andreas