question

Jim Knoble jmknoble at pobox.com
Wed Sep 26 10:34:59 EST 2001


Circa 2001-Sep-25 16:55:36 -0700 dixit voltaic:

: according to the openssh mailing list page, this is the spot to
: report/discuss bugs and i have a potential one.  on the other hand,
: it is probably something i am not doing correctly.

Correct.  See below.

: the system is red hat linux 6.2 (yuk) running the openssh rpm i
: grabbed off of the portable openssh site listing, with sshd version
: OpenSSH_2.9p2
: 
: i have it installed via rpm and when i go to launch sshd it gives me
: this error:
: 
: Could not load host key: /etc/ssh/ssh_host_key
: Could not load host key: /etc/ssh/ssh_host_rsa_key
: Could not load host key: /etc/ssh/ssh_host_dsa_key
: Disabling protocol version 1. Could not load host key
: Disabling protocol version 2. Could not load host key
: sshd: no hostkeys available -- exiting.
: 
: the "issue" is that those files are there.  peep the listing:

  [...]

: all of the host key files were generated as recommended on the openssh
: portable "how to install" web page, which shows this:
: 
: ssh-keygen -t rsa1 -f /etc/ssh/ssh_host_key -N ""
: ssh-keygen -t rsa -f /etc/ssh/ssh_host_rsa_key -N ""
: ssh-keygen -t dsa -f /etc/ssh/ssh_host_dsa_key -N ""
: 
: the only things i did differently are that i inserted passphrases in the
: above ssh-keygen command lines (between the quotes)

Don't do that.  Host keys may not have passphrases.  Sshd can't load
them if they do (as you've found).  You should use passphrases with
your per-user keys, but not with host keys.

Note that /etc/rc.d/init.d/sshd generates the host keypairs
automagically when sshd first starts, if the keys don't exist.  You can
simply remove the passphrased host keys, then start sshd:

  su
  rm /etc/ssh/ssh*_key*
  /etc/rc.d/init.d/sshd start

The initscript generates new host keypairs, then starts sshd.

: and that i edited the sshd_config file to change PermitRootLogin to
: no.
: 
: ssh client is fine.  sshd finds the keys if i set them world
: readable but (as it should) declines to use them.  so the files are
: definitely there.
: 
: what is wrong with my setup?  why won't sshd find those keys?

[Answer above.]

: the only thing i can think is that sshd doesn't want to run as root
: (i am launching it from the cli as root) and then it can't read
: those files.  in this case, what is the user that sshd tries to
: launch as?  i cannot find the user name in any documentation.

Sshd must start as root, for two main reasons:

  (1) By default, it listens on a privileged port (port number 22).
      (While you can tell sshd to listen on a non-privileged port, it
      still must run as root for reason [2] below).

  (2) In order to run as the user who logs in (or runs a command) via
      ssh, sshd uses seteuid(), setuid(), and other system calls which
      require privilege.

-- 
jim knoble | jmknoble at pobox.com   | http://www.pobox.com/~jmknoble/
(GnuPG fingerprint: 31C4:8AAC:F24E:A70C:4000::BBF4:289F:EAA8:1381:1491)
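As an added example, not code from the thread or from OpenSSH: a small POSIX shell audit of the host key files the post names, checking the two conditions Jim describes (a passphrase on a host key, which sshd cannot load, and a key readable by other users, which sshd refuses). It assumes GNU stat(1) and base64(1), and its demo builds constructed header-only stand-in files rather than real keys.

```shell
#!/bin/sh
# Audit sshd host keys for the two failure modes in the thread: a passphrase
# on the key (sshd cannot load it) and a key readable by other users (sshd
# refuses it). Only headers and file metadata are inspected. Assumes GNU
# stat(1) and base64(1); the default key paths are the ones from the post.

# 0 if the private key file $1 is passphrase-protected, 1 otherwise.
# Old PEM keys carry "Proc-Type: 4,ENCRYPTED" when encrypted; openssh-key-v1
# keys store a cipher name right after the 15-byte magic, "none" when
# unencrypted. Other formats (e.g. RSA1) are not flagged here.
hostkey_is_encrypted() {
    if grep -q '^Proc-Type: 4,ENCRYPTED' "$1" 2>/dev/null; then
        return 0
    elif grep -q 'BEGIN OPENSSH PRIVATE KEY' "$1" 2>/dev/null; then
        cipher=$(sed '/^-----/d' "$1" | base64 -d 2>/dev/null | tail -c +20 | head -c 4)
        [ "$cipher" != "none" ]
    else
        return 1
    fi
}

# 0 if $1 is owned by $2 (default root) and is not group/world accessible.
hostkey_perms_ok() {
    owner=$(stat -c '%U' "$1" 2>/dev/null) || return 1
    mode=$(stat -c '%a' "$1" 2>/dev/null) || return 1
    [ "$owner" = "${2:-root}" ] && [ $((0$mode & 077)) -eq 0 ]
}

# Check the three default host keys under $1; returns the number of problems.
audit_hostkeys() {
    dir="${1:-/etc/ssh}"; bad=0
    for k in "$dir/ssh_host_key" "$dir/ssh_host_rsa_key" "$dir/ssh_host_dsa_key"; do
        [ -f "$k" ] || { echo "missing: $k"; bad=$((bad + 1)); continue; }
        hostkey_is_encrypted "$k" && { echo "passphrase-protected, sshd cannot load it: $k"; bad=$((bad + 1)); }
        hostkey_perms_ok "$k" "$2" || { echo "bad owner/mode, sshd will refuse it: $k"; bad=$((bad + 1)); }
    done
    return $bad
}
# Constructed stand-in files for the demo (headers only, no key material):
# an encrypted RSA key, a world-readable DSA key, and a clean openssh-key-v1 key.
make_sample_keys() {
    mkdir -p "$1"
    printf -- '-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\nDEK-Info: DES-EDE3-CBC,00\n\nAAAA\n-----END RSA PRIVATE KEY-----\n' > "$1/ssh_host_rsa_key"
    printf -- '-----BEGIN DSA PRIVATE KEY-----\nAAAA\n-----END DSA PRIVATE KEY-----\n' > "$1/ssh_host_dsa_key"
    { echo '-----BEGIN OPENSSH PRIVATE KEY-----'; printf 'openssh-key-v1\000\000\000\000\004none' | base64
      echo '-----END OPENSSH PRIVATE KEY-----'; } > "$1/ssh_host_key"
    chmod 600 "$1/ssh_host_rsa_key" "$1/ssh_host_key"; chmod 644 "$1/ssh_host_dsa_key"
}
# Demo on the constructed files (expect 2 problems); run audit_hostkeys with no args for /etc/ssh.
tmp=$(mktemp -d) && make_sample_keys "$tmp" && audit_hostkeys "$tmp" "$(id -un)" || echo "$? problem(s) found"
```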