question

Michael H. Warfield mhw at wittsend.com
Wed Sep 26 10:20:53 EST 2001


On Tue, Sep 25, 2001 at 04:55:36PM -0700, voltaic wrote:

> According to the OpenSSH mailing list page, this is the spot to
> report/discuss bugs and I have a potential one.  On the other hand, it is
> probably something I am not doing correctly.

> The system is Red Hat Linux 6.2 (yuk) running the OpenSSH RPM I grabbed off
> of the portable OpenSSH site listing, with sshd version OpenSSH_2.9p2.

> I have it installed via RPM and when I go to launch sshd it gives me this
> error:

> Could not load host key: /etc/ssh/ssh_host_key
> Could not load host key: /etc/ssh/ssh_host_rsa_key
> Could not load host key: /etc/ssh/ssh_host_dsa_key
> Disabling protocol version 1. Could not load host key
> Disabling protocol version 2. Could not load host key
> sshd: no hostkeys available -- exiting.

> The "issue" is that those files are there.  Peep the listing:

> [root at nbws1 ssh]# pwd
> /etc/ssh
> [root at nbws1 ssh]# ls -al
> total 68
> drwxr-xr-x    2 root     root         4096 Sep 25 16:33 .
> drwxr-xr-x   30 root     root         4096 Sep 25 15:52 ..
> -rw-r--r--    1 root     root        26287 Jun 16 21:51 primes
> -rw-r--r--    1 root     root         1050 Jun 16 21:51 ssh_config
> -rw-------    1 root     root          736 Sep 25 16:08 ssh_host_dsa_key
> -rw-r--r--    1 root     root          600 Sep 25 16:08 ssh_host_dsa_key.pub
> -rw-------    1 root     root          525 Sep 25 16:06 ssh_host_key
> -rw-r--r--    1 root     root          329 Sep 25 16:06 ssh_host_key.pub
> -rw-------    1 root     root          951 Sep 25 16:07 ssh_host_rsa_key
> -rw-r--r--    1 root     root          220 Sep 25 16:07 ssh_host_rsa_key.pub
> -rw-r--r--    1 root     root         1780 Sep 25 16:50 sshd_config
> [root at nbws1 ssh]# 

> All of the host key files were generated as recommended on the OpenSSH
> portable "how to install" web page, which shows this:

> ssh-keygen -t rsa1 -f /etc/ssh/ssh_host_key -N ""
> ssh-keygen -t rsa -f /etc/ssh/ssh_host_rsa_key -N ""
> ssh-keygen -t dsa -f /etc/ssh/ssh_host_dsa_key -N ""

> The only things I did differently are that I inserted passphrases in the
> above ssh-keygen command lines (between the quotes) and that I edited the
> sshd_config file to change PermitRootLogin to no.

	???  I don't think setting passphrases on the host keys is going
to work.  Try it without.  I'll bet that's it.

> The ssh client is fine.  sshd finds the keys if I set them world readable but
> (as it should) declines to use them.  So the files are definitely there.

> What is wrong with my setup?  Why won't sshd find those keys?

> The only thing I can think is that sshd doesn't want to run as root (I am
> launching it from the CLI as root) and then it can't read those files.  In
> this case, what is the user that sshd tries to launch as?  I cannot find the
> user name in any documentation.

	I'll bet it's the passphrases.  I don't know anyone who has
tried host keys with passphrases and I don't know anything you might
gain, even if you were always going to start sshd manually and enter
all three passphrases at startup.  Anyone who could read the key files
would have broken root on your system and can access kernel memory and/or
trojan the binary and later steal the unencrypted key and/or passphrase.
Even then, it would only be good for spoofing your system for a MITM
attack which would STILL require effort to play games with a box
he had already busted and rooted to the core.  Not worth the effort
for the value that key has.

	Mike
-- 
 Michael H. Warfield    |  (770) 985-6132   |  mhw at WittsEnd.com
  (The Mad Wizard)      |  (678) 463-0932   |  http://www.wittsend.com/mhw/
  NIC whois:  MHW9      |  An optimist believes we live in the best of all
 PGP Key: 0xDF1DD471    |  possible worlds.  A pessimist is sure of it!
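The failure mode in this thread (sshd refusing passphrase-protected host keys with "Could not load host key") can be checked on disk without running ssh-keygen. The following is an added example, not code from the post or from OpenSSH: it inspects the cipher field of the three private-key file formats OpenSSH has used (the SSH1 RSA1 format, legacy PEM, and the newer openssh-key-v1 container) and replays sshd's host-key loop over a constructed /etc/ssh layout. All sample keys below are constructed headers only, with placeholder bodies, not real key material; the SSH1 cipher-type byte (0 = none, 3 = 3DES) and PEM `Proc-Type: 4,ENCRYPTED` header are the markers the formats actually use.

```python
"""Check whether OpenSSH private host keys are passphrase-protected.

sshd loads host keys without prompting for a passphrase, so an encrypted host
key is reported as "Could not load host key".  This inspects the on-disk
formats directly rather than calling ssh-keygen.
"""
import base64
import struct

SSH1_ID = b"SSH PRIVATE KEY FILE FORMAT 1.1\n\x00"   # RSA1 keys: ID string, then a cipher-type byte
SSH1_CIPHER_NONE = 0                                 # SSH_CIPHER_NONE: key stored in the clear
OPENSSH_MAGIC = b"openssh-key-v1\x00"
OPENSSH_BEGIN = "-----BEGIN OPENSSH PRIVATE KEY-----"
PEM_ENCRYPTED_HEADER = "Proc-Type: 4,ENCRYPTED"      # RFC 1421 header present on encrypted PEM


def _read_string(buf, offset):
    """Read one SSH wire-format string (uint32 big-endian length + bytes)."""
    (n,) = struct.unpack(">I", buf[offset:offset + 4])
    start = offset + 4
    return buf[start:start + n], start + n


def key_is_encrypted(data: bytes) -> bool:
    """Return True if this private key needs a passphrase before sshd could use it."""
    if data.startswith(SSH1_ID):
        # RSA1 format: the byte right after the ID string names the cipher (0 = none)
        return data[len(SSH1_ID)] != SSH1_CIPHER_NONE
    text = data.decode("ascii", errors="replace")
    if text.startswith(OPENSSH_BEGIN):
        b64 = "".join(line for line in text.splitlines() if not line.startswith("-----"))
        blob = base64.b64decode(b64)
        if not blob.startswith(OPENSSH_MAGIC):
            raise ValueError("bad openssh-key-v1 magic")
        ciphername, _ = _read_string(blob, len(OPENSSH_MAGIC))   # first field after the magic
        return ciphername != b"none"
    if text.startswith("-----BEGIN "):
        # Legacy PEM (RSA/DSA): encrypted keys carry Proc-Type/DEK-Info headers before the body
        return PEM_ENCRYPTED_HEADER in text
    raise ValueError("unrecognised private key format")


def usable_host_keys(keys):
    """Mimic sshd's startup loop: return the paths it could load (the unencrypted keys).
    `keys` maps path -> file contents."""
    usable = []
    for path, data in keys.items():
        if key_is_encrypted(data):
            print(f"Could not load host key: {path}  (passphrase-protected)")
        else:
            usable.append(path)
    return usable


# ---- constructed samples: headers only, placeholder bodies, not real keys ----

def make_openssh_header(ciphername: bytes, kdfname: bytes) -> bytes:
    """Build just the header of an openssh-key-v1 file (constructed, no key material)."""
    blob = OPENSSH_MAGIC
    for s in (ciphername, kdfname, b""):          # ciphername, kdfname, kdfoptions
        blob += struct.pack(">I", len(s)) + s
    blob += struct.pack(">I", 1)                  # number of keys
    body = base64.b64encode(blob).decode()
    return f"{OPENSSH_BEGIN}\n{body}\n-----END OPENSSH PRIVATE KEY-----\n".encode()


FAKE_PEM_BODY = "MIIBOgIBAAJBAKfakebodyfakebodyfakebodyfakebody=\n"   # placeholder, not a key
PEM_PLAIN = ("-----BEGIN RSA PRIVATE KEY-----\n" + FAKE_PEM_BODY +
             "-----END RSA PRIVATE KEY-----\n").encode()
PEM_ENCRYPTED = ("-----BEGIN RSA PRIVATE KEY-----\n"
                 "Proc-Type: 4,ENCRYPTED\n"
                 "DEK-Info: DES-EDE3-CBC,0123456789ABCDEF\n\n" + FAKE_PEM_BODY +
                 "-----END RSA PRIVATE KEY-----\n").encode()
SSH1_PLAIN = SSH1_ID + bytes([SSH1_CIPHER_NONE]) + b"\x00" * 4   # cipher none, reserved u32
SSH1_ENCRYPTED = SSH1_ID + bytes([3]) + b"\x00" * 4               # 3 = SSH_CIPHER_3DES

# The layout from the post: all three keys generated with a passphrase,
# versus the same files regenerated with -N "".
BROKEN_ETC_SSH = {
    "/etc/ssh/ssh_host_key": SSH1_ENCRYPTED,
    "/etc/ssh/ssh_host_rsa_key": PEM_ENCRYPTED,
    "/etc/ssh/ssh_host_dsa_key": PEM_ENCRYPTED,
}
FIXED_ETC_SSH = {
    "/etc/ssh/ssh_host_key": SSH1_PLAIN,
    "/etc/ssh/ssh_host_rsa_key": PEM_PLAIN,
    "/etc/ssh/ssh_host_dsa_key": make_openssh_header(b"none", b"none"),
}

if __name__ == "__main__":
    print("broken:", usable_host_keys(BROKEN_ETC_SSH))   # nothing loadable, sshd would exit
    print("fixed: ", usable_host_keys(FIXED_ETC_SSH))
```

On a real host, read each file under /etc/ssh with `open(path, "rb")` and pass the bytes to `key_is_encrypted`; a key that comes back True was made with a non-empty `-N` and has to be regenerated with `-N ""` before sshd will start.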




More information about the openssh-unix-dev mailing list