Re: Warning: old key(s) found and disabled.

Mon, 25 Nov 2019 01:58:13 -0800 


On 2019/11/25 02:19, Guus Sliepen wrote:

On Sun, Nov 24, 2019 at 04:52:41PM -0500, Frank Myhr wrote:


Well, I goofed and entered the wrong network name while trying to
set up keys for a new network:
# tincd -n existing_net -K Generating 2048 bits keys: ............................................+++++ p ..................................................................+++++ q Done. Please enter a file to save private RSA key to [/etc/tinc/existing_net/rsa_key.priv]: Warning: old key(s) found and disabled. Please enter a file to save public RSA key to [/etc/tinc/existing_net/hosts/host_on_existing_net]: ^C 

I realized my error when tinc warned me, thus the ^C. Now
/etc/tinc/existing_net/rsa_key.priv has been replaced, while /etc/tinc/existing_net/hosts/host_on_existing_net still contains 
the old public key.

When tinc says it "disabled" the old key, did it it in fact
*delete* it?


No, it did not. The old key is still in rsa_key.priv, between
markers that say "BEGIN OLD" and "END OLD". To recover the old key,
remove the new key (which has been placed after the old one), and
change the words "OLD" to "RSA".


I assume it will lose access when tinc is restarted unless I fix
the config.


Correct. I hope this helps!
Yes! Thank you very much, that helps a lot! tinc's behavior now makes good sense. I should have taken a closer look at the old key file, I just saw that its modification date and signature had changed, didn't think to actually look inside...!
Still, I'd prefer tincd to issue a warning and prompt for confirmation *before* it proceeds to overwrite an existing key.
It doesn't ever overwrite old keys. And it does print out a warning when it disables an old key. But I can indeed add a prompt in this case that asks whether to update the key files or not.
It's great that tinc doesn't overwrite old keys, thank you very much for explaining that. That said, having that prompt would have saved me some (more) gray hairs yesterday.
As it was, I finally remembered that the filesystem in question was on ZFS. So recovering the old key file was as easy as copying it back from a recent snapshot.
Of course if I manage to do this again (!) I'll simply edit the key file as you point out. 

Thanks!
Frank
_______________________________________________
tinc mailing list
tinc@tinc-vpn.org
https://www.tinc-vpn.org/cgi-bin/mailman/listinfo/tinc

Reply via email to