On Fri, Apr 03, 2015 at 12:34:38AM -0500, Scott Collier wrote: > I was testing cockpit on the F22 Atomic image and ran into this issue. > Cockpit would start, but I could not connect to it because SSH was having a > problem. The error cockpit gave after trying to login to the web interface > was: > > "Couldn't connect or authenticate: no-host" > > This may have been brought up before, I didn't dig into existing issues. > > The problem was permissions on these two files: > > /etc/ssh/ssh_host_ecdsa_key > /etc/ssh/ssh_host_rsa_key > > The message from "systemctl status sshd" was: > > # systemctl status sshd > ??? sshd.service - OpenSSH server daemon > Loaded: loaded (/usr/lib/systemd/system/sshd.service; enabled; vendor > preset: enabled) > Active: active (running) since Fri 2015-04-03 05:27:21 UTC; 7s ago > Docs: man:sshd(8) > man:sshd_config(5) > Main PID: 5183 (sshd) > Memory: 844.0K > CGroup: /system.slice/sshd.service > ??????5183 /usr/sbin/sshd -D > > Apr 03 05:27:21 atomic-00.localdomain sshd[5183]: > @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ > Apr 03 05:27:21 atomic-00.localdomain sshd[5183]: @ WARNING: > UNPROTECTED PRIVATE KEY FILE! @ > Apr 03 05:27:21 atomic-00.localdomain sshd[5183]: > @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ > Apr 03 05:27:21 atomic-00.localdomain sshd[5183]: Permissions 0640 for > '/etc/ssh/ssh_host_rsa_key' are too open. > Apr 03 05:27:21 atomic-00.localdomain sshd[5183]: It is required that your > private key files are NOT accessible by others. > Apr 03 05:27:21 atomic-00.localdomain sshd[5183]: This private key will be > ignored. > Apr 03 05:27:21 atomic-00.localdomain sshd[5183]: key_load_private: bad > permissions > Apr 03 05:27:21 atomic-00.localdomain sshd[5183]: Could not load host key: > /etc/ssh/ssh_host_rsa_key > Apr 03 05:27:21 atomic-00.localdomain sshd[5183]: Server listening on > 0.0.0.0 port 22. > Apr 03 05:27:21 atomic-00.localdomain sshd[5183]: Server listening on :: > port 22. > > So, I changes the permissions on both files to 600 and restarted sshd, then > cockpit was able to connect.
So what I get by default if I start ssh and those files don't exist is: -bash-4.3# ls -l ssh_host_rsa_key -rw-r-----. 1 root ssh_keys 1679 Apr 8 15:26 ssh_host_rsa_key So the perms can be 640 as long as the group is 'ssh_keys'. If I change the group to 'root' then I get the warning when starting sshd. When I start up an instance on openstack I get the permissions/ownership as shown above which means I don't get any errors. What environment are you using? Does it inject the keys into the image? Dusty
