Empty (zero byte) SSH host keys

Benjamin Drung benjamin.drung at profitbricks.com
Fri Jan 8 05:00:53 AEDT 2016


On Thursday, 07.01.2016, 10:09 +1100, Damien Miller wrote:
> On Wed, 6 Jan 2016, Benjamin Drung wrote:
> 
> > Hi,
> > 
> > We create virtual machine image templates by doing automated minimal
> > installations of different Linux distributions (via
> > preseed/kickstarter/autoyast). At the end of the installation, we
> > remove the SSH host keys (rm -f /etc/ssh/ssh*_key*). Fresh SSH host
> > keys will be generated on the first boot of the image instances. This
> > is done by adding a "dpkg-reconfigure openssh-server" call in
> > /etc/rc.local (which calls ssh-keygen) on Debian/Ubuntu and by the init
> > script of sshd on the other distributions.
> > 
> > This leads to a working SSH server running on the virtual machines most
> > of the time, but sometimes the SSH connection fails with "connection
> > reset by peer". The investigation of Debian 7 "wheezy" images showed
> > that these faulty machines have empty (zero byte) SSH host key files.
> > These files do not exist before the machines are started, but they do
> > exist before "dpkg-reconfigure openssh-server" is called.
> > 
> > So it seems that some process creates these empty SSH host key files.
> > Can you help with further debugging this strange behavior? Does sshd
> > create SSH host keys?
> 
> No, sshd only reads and never writes host keys.

Thanks for confirming it.

> It's possible that
> either ssh-keygen is failing during writing the keys out or there
> is some bug in the init script that is calling it.

The strange thing is that the empty files appear before ssh-keygen is
called (via our "dpkg-reconfigure openssh-server" call in
/etc/rc.local). I am not aware of any other ssh-keygen calls besides
our one. Who creates these empty SSH host key files?

I also checked the sysvinit script of ssh on Debian 7 "wheezy". It only
checks/creates /var/run/sshd before calling sshd. There is no host key
handling in the init script of ssh.

-- 
Benjamin Drung
System Developer
Debian & Ubuntu Developer

ProfitBricks GmbH
Greifswalder Str. 207
D - 10405 Berlin

Email: benjamin.drung at profitbricks.com
URL:  http://www.profitbricks.com

Registered office: Berlin.
Commercial register: Amtsgericht Charlottenburg, HRB 125506B.
Managing directors: Andreas Gauger, Achim Weiss.
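A first-boot guard for the failure mode discussed in this thread, added here as an example and not code from the thread or from OpenSSH: it reports zero-byte SSH host key files in a directory (the path defaults to the /etc/ssh used above) and can remove and regenerate them before the distribution's key generation runs, so an empty file is never left to be treated as an existing key. The key types derived from the file names and the use of ssh-keygen's -q/-N/-t/-f and -l options are the only assumptions.

```shell
#!/bin/sh
# Added example: detect and repair zero-byte SSH host key files before
# sshd or "dpkg-reconfigure openssh-server" runs on first boot.

# Print the path of every zero-byte host key file (private or .pub) in $1.
# Returns 0 if at least one empty file was found, 1 otherwise.
find_empty_host_keys() {
    dir=${1:-/etc/ssh}
    found=1
    for f in "$dir"/ssh_host_*_key "$dir"/ssh_host_*_key.pub; do
        # Skip the literal glob pattern when nothing matches.
        [ -e "$f" ] || continue
        # -s is true only for files with a size greater than zero.
        if [ ! -s "$f" ]; then
            printf '%s\n' "$f"
            found=0
        fi
    done
    return $found
}

# Number of zero-byte host key files in $1 (handy for monitoring checks).
count_empty_host_keys() {
    find_empty_host_keys "$1" | wc -l | tr -d ' '
}

# Remove each empty key pair and regenerate it with ssh-keygen. Both halves
# of a pair are removed so a stale .pub never outlives its private key.
# Requires ssh-keygen in PATH; the key type is taken from the file name
# (ssh_host_<type>_key), an assumption about the naming convention.
regenerate_empty_host_keys() {
    dir=${1:-/etc/ssh}
    find_empty_host_keys "$dir" | sed 's/\.pub$//' | sort -u |
    while IFS= read -r base; do
        rm -f "$base" "$base.pub"
        type=${base##*/ssh_host_}
        type=${type%_key}
        ssh-keygen -q -N '' -t "$type" -f "$base"
        # A readable fingerprint proves the new key was fully written.
        ssh-keygen -l -f "$base" >/dev/null
    done
}
```

Running the detection from /etc/rc.local (or a systemd unit) ahead of the regeneration call, and logging its output, also records which files were empty and when, which is the evidence needed to find the process that creates them.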