[Bug 281228] New: /etc/init.d/sshd has hardcoded ssh_host_keys
https://bugzilla.novell.com/show_bug.cgi?id=281228

           Summary: /etc/init.d/sshd has hardcoded ssh_host_keys
           Product: openSUSE 10.2
           Version: Final
          Platform: All
        OS/Version: openSUSE 10.2
            Status: NEW
          Severity: Normal
          Priority: P5 - None
         Component: Network
        AssignedTo: anicka@novell.com
        ReportedBy: lrupp@novell.com
         QAContact: qa@suse.de

/etc/init.d/sshd contains:

case "$1" in
    start)
        if ! test -f /etc/ssh/ssh_host_key ; then
            echo Generating /etc/ssh/ssh_host_key.
            ssh-keygen -t rsa1 -b 1024 -f /etc/ssh/ssh_host_key -N ''
        fi
[...]

But as described in /etc/ssh/sshd_config :

HostKey /etc/ssh/ssh_host_key

The hostkey is a config option and can be changed by the user.

So the init script should first check the config file and afterwards create and/or use the correct hostkey as described in the config and no hardcoded keyfile.

Using a fallback is no problem here, but generating the files even if the user has decided to use other names for them is irritating.

--
Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.
anicka@novell.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |nadvornik@novell.com
           Severity|Normal                      |Enhancement
             Status|NEW                         |NEEDINFO
      Info Provider|                            |lrupp@novell.com

------- Comment #1 from anicka@novell.com 2007-06-06 06:04 MST -------
Actually I do not understand why we should support a non-standard location for a hostkey. I just do not think it is a good idea to add extra complexity to the init script when no one will need it anyway (and if anyone really has to change a location of a hostkey, although I cannot imagine why, he can easily fix the script on his own).

BTW, as far as I know, no distribution does something like that, so it really does not look like a desired option.

Why do you think functionality like this is necessary, why would anyone change the location of a hostkey (without changing location of other config files because then we cannot help him anyway)?
lrupp@novell.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEEDINFO                    |NEW
      Info Provider|lrupp@novell.com            |

------- Comment #2 from lrupp@novell.com 2007-06-06 09:35 MST -------
> Why do you think functionality like this is necessary, why would anyone change the location of a hostkey (without changing location of other config files because then we cannot help him anyway)?
Because changing the location of a hostkey is _explicitly_ allowed - otherwise we don't need these variables in the config file at all, do we?

I just don't see a problem confusing a customer with creating keys he didn't want to use.

Creating the keys "automatically" _is_ extra complexity in the init script. So if you want to avoid complexity, just remove this part. Otherwise just a simple if statement can do the "magic" to fix this:

-----------------------------------------------
--- sshd.org 2007-06-06 17:19:21.000000000 +0200 +++ sshd 2007-06-06 17:30:58.000000000 +0200 @@ -43,6 +43,7 @@ case "$1" in start) + if ! grep -v \# /etc/ssh/sshd_config | grep -q HostKey; then if ! test -f /etc/ssh/ssh_host_key ; then echo Generating /etc/ssh/ssh_host_key. ssh-keygen -t rsa1 -b 1024 -f /etc/ssh/ssh_host_key -N '' @@ -57,6 +58,7 @@ ssh-keygen -t rsa -b 1024 -f /etc/ssh/ssh_host_rsa_key -N '' fi + fi echo -n "Starting SSH daemon" ## Start daemon with startproc(8). If this fails ## the echo return value is set appropriate.
-----------------------------------------------

So I don't see a big problem here. ;-)
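Review bot: the guard added in the first hunk, `grep -v \# /etc/ssh/sshd_config | grep -q HostKey`, is too loose a test for "the user configured a host key". `grep -v \#` drops every line that contains a `#` anywhere rather than only comment lines, and `grep -q HostKey` matches that string anywhere on a line and in one spelling only, although sshd_config keywords are case-insensitive. Anchor the match to the keyword at the start of the line, for example `grep -Eiq '^[[:space:]]*HostKey[[:space:]]'`. Note also that when the guard matches, both generation blocks are skipped entirely, so a configured key file that does not exist is never created; checking (and, if wanted, generating) the configured paths would keep the fallback the report asks for.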
anicka@novell.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |NEEDINFO
      Info Provider|                            |lrupp@novell.com

------- Comment #3 from anicka@novell.com 2007-06-06 14:25 MST -------
> Creating the keys "automatically" _is_ extra complexity in the init script. So if you want to avoid complexity, just remove this part.
This is actually a good point. There is no good reason to generate the key in init script, I think it should be done in %post instead - first, we should not expect that /etc is writable when init script is executed, second, sshd could run without running init script out of the box just after installing the package.

Would you be content with that solution? I know it is easy to implement your patch, I just do not think it is a good approach.
bugzilla_opensuse@ojkastl.de changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |bugzilla_opensuse@ojkastl.de

------- Comment #4 from bugzilla_opensuse@ojkastl.de 2007-06-07 03:10 MST -------
I came across this bug and this behaviour some days ago. I thought about it, and wondered: Why do we need to create the keys at all? What would the sshd say if there were no keys available? I haven't tried yet, but am going to do so later.

I would have expected to have the key-creation feature in sshd, not in an init-script. Or at least, to check if there should be a different name for the keys.

Additionally, if I disable SSHv1 in sshd_config (via "Protocol 2"), why should a Key for version 1 be created?
------- Comment #5 from bugzilla_opensuse@ojkastl.de 2007-06-07 03:19 MST -------
I answer myself:

I created /etc/ssh/sshd_config-TEST, and changed the entries:

# HostKey for protocol version 1
HostKey /etc/ssh/ssh_host_key--TEST
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key--TEST
HostKey /etc/ssh/ssh_host_dsa_key--TEST

Then I started sshd without creating the keys:

=====================================================
#/usr/sbin/sshd -f /etc/ssh/sshd_config-TEST
Could not load host key: /etc/ssh/ssh_host_key--TEST
Could not load host key: /etc/ssh/ssh_host_rsa_key--TEST
Could not load host key: /etc/ssh/ssh_host_dsa_key--TEST
Disabling protocol version 1. Could not load host key
Disabling protocol version 2. Could not load host key
sshd: no hostkeys available -- exiting.
=====================================================

So, the keys must be present. I would like to see an automatic check in /etc/init.d/sshd, to see whether other names for the keys should be used. Of course one could change /etc/init.d/sshd to match the keynames, but what would happen if there is an update for that script? And, as Lars said, other keynames are explicitly allowed, so this should be possible.
------- Comment #6 from nadvornik@novell.com 2007-06-07 03:27 MST -------
We want to minimize the chance that sshd won't start after reboot. From this point of view checking and generating keys in init script is IMHO the most safe variant.

I think the init script can be fixed according to the initial comment, "parsing" the config file with grep does not seem to be much overhead.
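The config-aware check discussed in comments #5 and #6, as an added example: it is not the fix submitted for this bug and not code from any participant. The function names are hypothetical and the sample config is constructed; it reads the `HostKey` entries, falls back to the default paths from the init script when none are set, and reports which key files are absent.

```sh
#!/bin/sh
# Added example; function names are hypothetical, not from the SUSE init script.
# Default paths are the ones the init script quoted in this thread uses.
DEFAULT_KEYS="/etc/ssh/ssh_host_key /etc/ssh/ssh_host_rsa_key /etc/ssh/ssh_host_dsa_key"

# Print each configured HostKey path, one per line.
# Keywords in sshd_config are case-insensitive, and only the exact keyword
# counts, so a name that merely starts with "HostKey" must not match.
configured_hostkeys() {
    awk '
        /^[ \t]*#/ { next }                      # comment line
        tolower($1) == "hostkey" && NF >= 2 {
            sub(/^[ \t]*[^ \t]+[ \t]+/, "")      # drop the keyword
            sub(/[ \t]+$/, "")                   # drop trailing blanks
            gsub(/^"|"$/, "")                    # drop surrounding quotes
            print
        }
    ' "$1"
}

# Paths to verify: the configured ones, or the defaults as a fallback.
hostkeys_to_check() {
    keys=$(configured_hostkeys "$1")
    if [ -n "$keys" ]; then
        printf '%s\n' "$keys"
    else
        printf '%s\n' $DEFAULT_KEYS
    fi
}

# Print every expected key file that does not exist.
missing_hostkeys() {
    hostkeys_to_check "$1" | while IFS= read -r key; do
        [ -f "$key" ] || printf '%s\n' "$key"
    done
}

# Constructed sample config, for illustration only.
sample=$(mktemp)
cat > "$sample" <<'EOF'
#HostKey /etc/ssh/ssh_host_key
hostkey /etc/ssh/custom_rsa_key
HostKeyAgent /run/agent.sock
EOF
missing_hostkeys "$sample"
rm -f "$sample"
```

An init script could loop over the output of `missing_hostkeys` and decide per path whether to generate a key or only warn, since a custom file name does not say which key type it should hold.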
------- Comment #7 from martin@oneiros.de 2007-06-07 07:31 MST -------
I see no real reason to add extra code for "fixing" this: The worst that can happen is that keys are generated at the default locations and not used by sshd.

Remember: If it ain't broken, don't fix it.
wolfgang@erlenkoetter.net changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |wolfgang@erlenkoetter.net

------- Comment #8 from wolfgang@erlenkoetter.net 2007-06-07 07:52 MST -------
Maybe the simplest solution would be to have a switch at /etc/sysconfig/ssh whether to create the keys or not. Wouldn't this be a feature enhancement?
------- Comment #9 from anicka@novell.com 2007-06-08 02:13 MST -------
I just still do not understand why generating in the init script is more secure than generating in the %post (I think it is not up to us to take care that user did not delete the keys after they were generated and I cannot see other advantage.) - Vladimir?
------- Comment #10 from nadvornik@novell.com 2007-06-08 04:04 MST -------
I think that in this specific case we can try to detect if the configuration was broken by the user and try to fix it, if the effort is not too big. The best place to do this is in the init script, just before sshd is started.

This is not a general rule, but sshd is specific, because it is the only way to access the machine remotely.
lrupp@novell.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEEDINFO                    |NEW
      Info Provider|lrupp@novell.com            |

------- Comment #11 from lrupp@novell.com 2007-06-12 05:03 MST -------
I follow the arguments in comment #10 and welcome the "extra check" in the init script very much (/me thinks about unreachable servers after a reboot...).

If other distributions don't pay attention for a non starting ssh-server - I have no problem with this ;-)

I just want to avoid confused customers who look at the boot messages and see "new" keys generated even if they have adapted the config file.

And yes: my patch is just a "proof of concept" - and shouldn't be the final one. But I would prefer to have it in the init script and not in %post.
anicka@novell.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |ASSIGNED

------- Comment #12 from anicka@novell.com 2007-06-12 07:29 MST -------
OK, so be it. I just hope that syntax of the config file will not change in the future (but I do not think so) as it could lead to really nasty problems ;-)
Anna Bernathova <anicka@novell.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|ASSIGNED                    |RESOLVED
         Resolution|                            |FIXED

--- Comment #13 from Anna Bernathova <anicka@novell.com> 2007-08-21 04:04:23 MST ---
Fix submitted.