Bug#594175: openssh-server: support generation of ssh host keys in init script
On Tue, Oct 05, 2021 at 09:21:33PM +1100, Trent W. Buck wrote:
> Michael Prokop wrote:
> > Nowadays™ with systemd we use our own ssh.service, which looks like that:
> >
> >
> > https://github.com/grml/grml-live/blob/8078724d5fa78f0b8fe0471b94368c58f204ee11/etc/grml/fai/config/files/etc/systemd/system/ssh.service/GRMLBASE
>
> Can we (Debian, not GRML) please just add
>     ExecStartPre=ssh-keygen -A
> to Debian's default ssh.service?
> Is there any DOWNSIDE to doing that?
> It appears to be fully idempotent.

I have always been extremely reluctant to do this because of the possible downsides explained in https://factorable.net/weakkeys12.extended.pdf. At the very least it requires lots of care to ensure that sufficient entropy is available; this can't be brushed off as something that we might be able to take care of later.

-- 
Colin Watson (he/him)                              [cjwat...@debian.org]
Bug#594175: openssh-server: support generation of ssh host keys in init script
Hi!

Guido, sorry for not coming back to you earlier :(

* Guido Günther [Wed Sep 19, 2018 at 11:18:37AM +0200]:
> On Wed, Jan 10, 2018 at 10:36:51AM +0100, Guido Günther wrote:

> > Michael is grml working around this somehow? If so can you attach a
> > link?

Nowadays™ with systemd we use our own ssh.service, which looks like that:

https://github.com/grml/grml-live/blob/8078724d5fa78f0b8fe0471b94368c58f204ee11/etc/grml/fai/config/files/etc/systemd/system/ssh.service/GRMLBASE

> I have moved things into a Debian package now:
> https://source.puri.sm/Librem5/gen-sshd-host-keys
> I wonder if we should upload this to Debian as a separate package
> given it only contains one script but since this is such a common thing
> it would be good if we'd have easy support.

Your gen-sshd-host-keys package LGTM and sounds like a good thing to have in Debian, especially for all the derivatives.

regards,
-mika-
Bug#594175: Bug#712859: Bug#594175: openssh-server: support generation of ssh host keys in init script
Hi,
On Wed, Sep 19, 2018 at 11:38:59AM -0400, Simon Deziel wrote:
> On 2018-09-19 05:18 AM, Guido Günther wrote:
> > Hi,
> > On Wed, Jan 10, 2018 at 10:36:51AM +0100, Guido Günther wrote:
> >> Hi,
> >> On Wed, Jul 13, 2016 at 10:27:11AM +0200, Guido Günther wrote:
> >>> On Tue, Aug 24, 2010 at 12:23:52PM +0200, Michael Prokop wrote:
> >>>> Package: openssh-server
> >>>> Version: 1:5.5p1-4
> >>>> Severity: wishlist
> >>>>
> >>>>
> >>>> I mentioned this issue in my talk "State of Debian (based) Linux
> >>>> live systems in 2010" at Debconf10. Colin suggested to talk about
> >>>> it later on, so I'm reporting this as a wishlist item.
> >>>>
> >>>> It would be nice if the sshd init script would support generation of
> >>>> ssh host keys - iff there aren't any keys present yet.
> >>>>
> >>>> The (main) use case for this feature is live systems where you
> >>>> usually don't want to ship pre-generated keys on one hand, on the
> >>>> other hand not everyone wants to generate the host keys
> >>>> automatically on each boot (consuming time and resources).
> >>>>
> >>>> Taking care of key generation as someone invokes '/etc/init.d/ssh
> >>>> start' works fine for the Grml live systems and its users. What
> >>>> we're doing is something as simple as:
> >>>>
> >>>> , [ relevant snippet of Grml's ssh initscript ]
> >>>> | RSA1_KEY=/etc/ssh/ssh_host_key
> >>>> | RSA_KEY=/etc/ssh/ssh_host_rsa_key
> >>>> | DSA_KEY=/etc/ssh/ssh_host_dsa_key
> >>>> |
> >>>> | case "$1" in
> >>>> |   start)
> >>>> |     [...]
> >>>> |     if ! test -f $RSA1_KEY ; then
> >>>> |       log_action_msg "Generating SSH1 RSA host key..."
> >>>> |       $KEYGEN -t rsa1 -f $RSA1_KEY -C '' -N '' || exit 1
> >>>> |     fi
> >>>> |
> >>>> |     if ! test -f $RSA_KEY ; then
> >>>> |       log_action_msg "Generating SSH RSA host key..."
> >>>> |       $KEYGEN -t rsa -f $RSA_KEY -C '' -N '' || exit 1
> >>>> |     fi
> >>>> |
> >>>> |     if ! test -f $DSA_KEY ; then
> >>>> |       log_action_msg "Generating SSH2 DSA host key..."
> >>>> |       $KEYGEN -t dsa -f $DSA_KEY -C '' -N '' || exit 1
> >>>> |     fi
> >>>> |     [...]
> >>>> `
> >>>>
> >>>> Would be great if that feature would be available in Debian/Ubuntu
> >>>> based (live) systems as well. :)
> >>>
> >>> I wonder if we should just create an openssh-host-keys package that ships
> >>> a systemd unit/init script to create the keys (as (I think it was
> >>> Christian) suggested at debconf).
> >>>
> >>> This just came up here as well
> >>>
> >>> https://www.redhat.com/archives/libguestfs/2016-July/msg00090.html
> >>>
> >>
> >> Michael is grml working around this somehow? If so can you attach a
> >> link?
> >
> > I have moved things into a Debian package now:
> >
> > https://source.puri.sm/Librem5/gen-sshd-host-keys
>
> Have you tried "ssh-keygen -A" ? I believe it would be the simplest way
> to generate the missing host keys.

I want to only generate the ones enabled in sshd_config (similar to what sshd's postinst does).

Cheers,
 -- Guido
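Guido's point above (generate only the HostKey files that sshd_config actually names, rather than everything `ssh-keygen -A` would create) and Colin's entropy caveat in the 2021 reply at the top of this thread are the two things a boot-time generator has to get right. The script below is an added example, not Debian's ssh.service, Grml's unit or the gen-sshd-host-keys package. The sshd_config parsing rules, the fallback default key list, the entropy threshold and the file-name to key-type mapping are my assumptions and are marked as such in the comments.

```shell
#!/bin/sh
# Added example (not Debian's, Grml's or gen-sshd-host-keys' code): generate
# only the host keys that sshd_config references, only when they are missing,
# and refuse to run while the kernel reports too little entropy.
set -eu

SSHD_CONFIG=${SSHD_CONFIG:-/etc/ssh/sshd_config}
KEYGEN=${KEYGEN:-ssh-keygen}
# Assumption: 256 bits reported by the kernel means "seeded enough".  On
# Linux >= 5.18 the pool size is 256, so this equals "CRNG initialised".
MIN_ENTROPY=${MIN_ENTROPY:-256}

# Print the HostKey paths of a config, one per line.  Accepts "HostKey /p",
# "HostKey=/p" and "HostKey = /p"; commented lines fall out because their
# first word is never "hostkey".  Include directives and quoted paths are
# not followed (assumption: plain absolute paths, as in Debian's default).
# With no HostKey line at all, fall back to the three defaults sshd uses.
host_key_paths() {
    conf=$1
    found=$(awk '{ sub(/^[ \t]+/, ""); n = split($0, f, /[ \t=]+/)
                   if (n >= 2 && tolower(f[1]) == "hostkey") print f[2] }' "$conf")
    if [ -n "$found" ]; then
        printf '%s\n' "$found"
    else
        printf '%s\n' /etc/ssh/ssh_host_rsa_key /etc/ssh/ssh_host_ecdsa_key \
                      /etc/ssh/ssh_host_ed25519_key
    fi
}

# Of those paths, print the ones whose private key file does not exist yet.
missing_host_keys() {
    host_key_paths "$1" | while IFS= read -r path; do
        [ -f "$path" ] || printf '%s\n' "$path"
    done
}

# Derive the ssh-keygen -t argument from the conventional file name
# (dsa is kept for old configs; recent OpenSSH builds refuse to generate it).
key_type_from_path() {
    case ${1##*/} in
        ssh_host_rsa_key)     echo rsa ;;
        ssh_host_ecdsa_key)   echo ecdsa ;;
        ssh_host_ed25519_key) echo ed25519 ;;
        ssh_host_dsa_key)     echo dsa ;;
        *)                    return 1 ;;
    esac
}

# Belt-and-braces entropy check.  On a current glibc/OpenSSL build ssh-keygen's
# RNG ends up in getrandom(2), which already blocks until the CRNG is
# initialised, so on a modern kernel the first-boot failure mode is a stall,
# not a weak key; this check turns that stall into a visible unit failure.
# Where the sysctl does not exist (non-Linux) we trust the platform RNG
# (assumption).
entropy_ready() {
    f=/proc/sys/kernel/random/entropy_avail
    [ -r "$f" ] || return 0
    [ "$(cat "$f")" -ge "$MIN_ENTROPY" ]
}

# Generate every missing configured key.  Returns 0 when all configured keys
# exist afterwards, 1 if some generation failed, 2 if entropy was refused.
generate_missing_host_keys() {
    missing=$(missing_host_keys "$1")
    [ -n "$missing" ] || return 0
    entropy_ready || { echo "refusing to generate host keys: low entropy" >&2; return 2; }
    rc=0
    old_ifs=$IFS; IFS='
'
    set -f
    for path in $missing; do
        if ! ktype=$(key_type_from_path "$path"); then
            echo "skipping $path: cannot infer key type from name" >&2; rc=1; continue
        fi
        echo "Generating $ktype host key $path" >&2
        "$KEYGEN" -q -t "$ktype" -f "$path" -N '' -C '' || rc=1
    done
    set +f
    IFS=$old_ifs
    return $rc
}

# Usage: SSHD_CONFIG=/etc/ssh/sshd_config sh gen-host-keys.sh --generate
case ${1:-} in
    --generate) generate_missing_host_keys "$SSHD_CONFIG" ;;
esac
```

Hooked in as `ExecStartPre=/usr/local/sbin/gen-host-keys.sh --generate` through a drop-in for ssh.service (path assumed), this does what Trent asked for while honouring the configured HostKey set; `ssh-keygen -A` by contrast ignores HostKey directives and always creates the rsa, ecdsa and ed25519 defaults. The entropy check is a hard failure rather than a wait on purpose: on the first boot of a VM without a virtio-rng device the right outcome is a unit failure the admin can see, not a silent hang inside ssh.service.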
Bug#594175: Bug#712859: Bug#594175: openssh-server: support generation of ssh host keys in init script
On 2018-09-19 05:18 AM, Guido Günther wrote:
> Hi,
> On Wed, Jan 10, 2018 at 10:36:51AM +0100, Guido Günther wrote:
>> Hi,
>> On Wed, Jul 13, 2016 at 10:27:11AM +0200, Guido Günther wrote:
>>> On Tue, Aug 24, 2010 at 12:23:52PM +0200, Michael Prokop wrote:
>>>> Package: openssh-server
>>>> Version: 1:5.5p1-4
>>>> Severity: wishlist
>>>>
>>>>
>>>> I mentioned this issue in my talk "State of Debian (based) Linux
>>>> live systems in 2010" at Debconf10. Colin suggested to talk about
>>>> it later on, so I'm reporting this as a wishlist item.
>>>>
>>>> It would be nice if the sshd init script would support generation of
>>>> ssh host keys - iff there aren't any keys present yet.
>>>>
>>>> The (main) use case for this feature is live systems where you
>>>> usually don't want to ship pre-generated keys on one hand, on the
>>>> other hand not everyone wants to generate the host keys
>>>> automatically on each boot (consuming time and resources).
>>>>
>>>> Taking care of key generation as someone invokes '/etc/init.d/ssh
>>>> start' works fine for the Grml live systems and its users. What
>>>> we're doing is something as simple as:
>>>>
>>>> , [ relevant snippet of Grml's ssh initscript ]
>>>> | RSA1_KEY=/etc/ssh/ssh_host_key
>>>> | RSA_KEY=/etc/ssh/ssh_host_rsa_key
>>>> | DSA_KEY=/etc/ssh/ssh_host_dsa_key
>>>> |
>>>> | case "$1" in
>>>> |   start)
>>>> |     [...]
>>>> |     if ! test -f $RSA1_KEY ; then
>>>> |       log_action_msg "Generating SSH1 RSA host key..."
>>>> |       $KEYGEN -t rsa1 -f $RSA1_KEY -C '' -N '' || exit 1
>>>> |     fi
>>>> |
>>>> |     if ! test -f $RSA_KEY ; then
>>>> |       log_action_msg "Generating SSH RSA host key..."
>>>> |       $KEYGEN -t rsa -f $RSA_KEY -C '' -N '' || exit 1
>>>> |     fi
>>>> |
>>>> |     if ! test -f $DSA_KEY ; then
>>>> |       log_action_msg "Generating SSH2 DSA host key..."
>>>> |       $KEYGEN -t dsa -f $DSA_KEY -C '' -N '' || exit 1
>>>> |     fi
>>>> |     [...]
>>>> `
>>>>
>>>> Would be great if that feature would be available in Debian/Ubuntu
>>>> based (live) systems as well. :)
>>>
>>> I wonder if we should just create an openssh-host-keys package that ships
>>> a systemd unit/init script to create the keys (as (I think it was
>>> Christian) suggested at debconf).
>>>
>>> This just came up here as well
>>>
>>> https://www.redhat.com/archives/libguestfs/2016-July/msg00090.html
>>>
>>
>> Michael is grml working around this somehow? If so can you attach a
>> link?
>
> I have moved things into a Debian package now:
>
> https://source.puri.sm/Librem5/gen-sshd-host-keys

Have you tried "ssh-keygen -A" ? I believe it would be the simplest way to generate the missing host keys.

Regards,
Simon
Bug#594175: openssh-server: support generation of ssh host keys in init script
On Tue, Aug 24, 2010 at 12:23:52PM +0200, Michael Prokop wrote:
> Package: openssh-server
> Version: 1:5.5p1-4
> Severity: wishlist
>
>
> I mentioned this issue in my talk "State of Debian (based) Linux
> live systems in 2010" at Debconf10. Colin suggested to talk about
> it later on, so I'm reporting this as a wishlist item.
>
> It would be nice if the sshd init script would support generation of
> ssh host keys - iff there aren't any keys present yet.
>
> The (main) use case for this feature is live systems where you
> usually don't want to ship pre-generated keys on one hand, on the
> other hand not everyone wants to generate the host keys
> automatically on each boot (consuming time and resources).
>
> Taking care of key generation as someone invokes '/etc/init.d/ssh
> start' works fine for the Grml live systems and its users. What
> we're doing is something as simple as:
>
> , [ relevant snippet of Grml's ssh initscript ]
> | RSA1_KEY=/etc/ssh/ssh_host_key
> | RSA_KEY=/etc/ssh/ssh_host_rsa_key
> | DSA_KEY=/etc/ssh/ssh_host_dsa_key
> |
> | case "$1" in
> |   start)
> |     [...]
> |     if ! test -f $RSA1_KEY ; then
> |       log_action_msg "Generating SSH1 RSA host key..."
> |       $KEYGEN -t rsa1 -f $RSA1_KEY -C '' -N '' || exit 1
> |     fi
> |
> |     if ! test -f $RSA_KEY ; then
> |       log_action_msg "Generating SSH RSA host key..."
> |       $KEYGEN -t rsa -f $RSA_KEY -C '' -N '' || exit 1
> |     fi
> |
> |     if ! test -f $DSA_KEY ; then
> |       log_action_msg "Generating SSH2 DSA host key..."
> |       $KEYGEN -t dsa -f $DSA_KEY -C '' -N '' || exit 1
> |     fi
> |     [...]
> `
>
> Would be great if that feature would be available in Debian/Ubuntu
> based (live) systems as well. :)

I wonder if we should just create an openssh-host-keys package that ships a systemd unit/init script to create the keys (as (I think it was Christian) suggested at debconf).

This just came up here as well

https://www.redhat.com/archives/libguestfs/2016-July/msg00090.html

Cheers,
 -- Guido
Bug#594175: openssh-server: support generation of ssh host keys in init script
Package: openssh-server
Version: 1:5.5p1-4
Severity: wishlist


I mentioned this issue in my talk "State of Debian (based) Linux
live systems in 2010" at Debconf10. Colin suggested to talk about
it later on, so I'm reporting this as a wishlist item.

It would be nice if the sshd init script would support generation of
ssh host keys - iff there aren't any keys present yet.

The (main) use case for this feature is live systems where you
usually don't want to ship pre-generated keys on one hand, on the
other hand not everyone wants to generate the host keys
automatically on each boot (consuming time and resources).

Taking care of key generation as someone invokes '/etc/init.d/ssh
start' works fine for the Grml live systems and its users. What
we're doing is something as simple as:

, [ relevant snippet of Grml's ssh initscript ]
| RSA1_KEY=/etc/ssh/ssh_host_key
| RSA_KEY=/etc/ssh/ssh_host_rsa_key
| DSA_KEY=/etc/ssh/ssh_host_dsa_key
|
| case "$1" in
|   start)
|     [...]
|     if ! test -f $RSA1_KEY ; then
|       log_action_msg "Generating SSH1 RSA host key..."
|       $KEYGEN -t rsa1 -f $RSA1_KEY -C '' -N '' || exit 1
|     fi
|
|     if ! test -f $RSA_KEY ; then
|       log_action_msg "Generating SSH RSA host key..."
|       $KEYGEN -t rsa -f $RSA_KEY -C '' -N '' || exit 1
|     fi
|
|     if ! test -f $DSA_KEY ; then
|       log_action_msg "Generating SSH2 DSA host key..."
|       $KEYGEN -t dsa -f $DSA_KEY -C '' -N '' || exit 1
|     fi
|     [...]
`

Would be great if that feature would be available in Debian/Ubuntu
based (live) systems as well. :)

regards,
-mika-

Archive: http://lists.debian.org/2010-08-24t12-13...@devnull.michael-prokop.at