Score:0

sshd not providing ecdsa/ed25519 host key algos


We have set up a bastion that only responds with the ssh-rsa host key algorithm when querying:

ssh-keyscan bastion.ops.dev.xxx.com

# bastion.ops.dev.xxx.com:22 SSH-2.0-OpenSSH_7.4
# bastion.ops.dev.xxx.com:22 SSH-2.0-OpenSSH_7.4
bastion.ops.dev.xxx.com ssh-rsa AAAAB3Nza...+REOQ8RMWBWH
# bastion.ops.dev.xxx.com:22 SSH-2.0-OpenSSH_7.4
# bastion.ops.dev.xxx.com:22 SSH-2.0-OpenSSH_7.4
# bastion.ops.dev.xxx.com:22 SSH-2.0-OpenSSH_7.4

Although /etc/ssh/sshd_config looks reasonable and contains the following parameters:

HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key

The keys themselves also look reasonable and have proper permissions.

-rw-r----- 1 root ssh_keys 2602 Mar 15 08:58 ssh_host_ecdsa_key
-rw-r--r-- 1 root root      572 Mar 15 08:58 ssh_host_ecdsa_key.pub
-rw-r----- 1 root ssh_keys  411 Mar 15 08:58 ssh_host_ed25519_key
-rw-r--r-- 1 root root      100 Mar 15 08:58 ssh_host_ed25519_key.pub
-rw-r----- 1 root ssh_keys 1675 Mar 15 08:57 ssh_host_rsa_key
-rw-r--r-- 1 root root      382 Mar 15 08:57 ssh_host_rsa_key.pub

Checking the keys:

ssh-keygen -y -e -f ssh_host_ecdsa_key

Comment: "3072-bit RSA, converted by root@xxx"
AAAAB3....
---- END SSH2 PUBLIC KEY ----

(is RSA correct for an ECDSA key??)

and

ssh-keygen -y -e -f ssh_host_ed25519_key

---- BEGIN SSH2 PUBLIC KEY ----
Comment: "256-bit ED25519, converted by root@xxx"
AAAAC.../keIIubitK
---- END SSH2 PUBLIC KEY ----

I checked systemctl status sshd, which yields errors, though:

Mar 15 09:56:04 ip-xxx.eu-central-1.compute.internal systemd[1]: Stopping OpenSSH server daemon...
Mar 15 09:56:04 ip-xxx.eu-central-1.compute.internal sshd[1183]: Received signal 15; terminating.
Mar 15 09:56:04 ip-xxx.eu-central-1.compute.internal systemd[1]: Stopped OpenSSH server daemon.
Mar 15 09:56:04 ip-xxx.eu-central-1.compute.internal systemd[1]: Starting OpenSSH server daemon...
Mar 15 09:56:04 ip-xxx.eu-central-1.compute.internal sshd[5216]: Could not load host key: /etc/ssh/ssh_host_ecdsa_key
Mar 15 09:56:04 ip-xxx.eu-central-1.compute.internal sshd[5216]: Server listening on 0.0.0.0 port 22.
Mar 15 09:56:04 ip-xxx.eu-central-1.compute.internal sshd[5216]: Could not load host key: /etc/ssh/ssh_host_ed25519_key
Mar 15 09:56:04 ip-xxx.eu-central-1.compute.internal sshd[5216]: Server listening on :: port 22.
Mar 15 09:56:04 ip-xxx.eu-central-1.compute.internal systemd[1]: Started OpenSSH server daemon.
Mar 15 09:56:10 ip-xxx.eu-central-1.compute.internal sshd[5218]: error: Could not load host key: /etc/ssh/ssh_host_ecdsa_key

How can I track those down?

Score:0

It turned out our private-key files were missing proper newlines and were thus invalid. Best way to verify: ssh-keygen -y -f ssh_host_ed25519_key
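The check the answer recommends, extended into a small audit script as an added example (this is not the original poster's code and not part of OpenSSH; the function names, the script name audit-hostkeys.sh and the temporary paths are assumptions). It walks every uncommented HostKey line in sshd_config and, for each file, verifies that it is readable and not world-readable, that it ends in a newline (the defect the answer found), that ssh-keygen -y can derive a public key from it, that the key type matches what the file name promises (a wrong key behind a file name, as the "3072-bit RSA" comment printed for ssh_host_ecdsa_key above suggests), and that the .pub file beside it belongs to that private key. It uses -y on its own, as the answer does; -e, which the question combined with it, exports in RFC 4716 format whatever public key it can find, so its output does not prove that the private key itself parses.

```shell
#!/bin/sh
# audit-hostkeys.sh: check the host keys sshd is configured to load.
# Added example for this thread, not OpenSSH code. Assumed names throughout.

# check_host_key FILE
# Prints one line and returns 1 on the first problem found:
#   - missing/unreadable, or world-readable (a private host key must not be)
#   - no trailing newline: sshd then logs "Could not load host key", as in
#     the journal output above, and ssh-keygen -y refuses the file too
#   - ssh-keygen -y cannot derive a public key from it
#   - key type does not match the file name (ecdsa/ed25519/rsa)
#   - FILE.pub, if present, does not match the private key
check_host_key() {
    hk="$1"
    if [ ! -r "$hk" ]; then
        echo "FAIL $hk: missing or unreadable"; return 1
    fi
    if [ -n "$(find "$hk" -perm -004)" ]; then
        echo "FAIL $hk: private key is world-readable"; return 1
    fi
    # $(...) strips trailing newlines, so a non-empty result means the
    # last byte of the file is something other than a newline.
    if [ -n "$(tail -c 1 "$hk")" ]; then
        echo "FAIL $hk: no trailing newline (sshd will not load it)"; return 1
    fi
    # </dev/null: a passphrase-protected key fails instead of prompting.
    if ! derived=$(ssh-keygen -y -f "$hk" 2>&1 </dev/null); then
        echo "FAIL $hk: ssh-keygen cannot parse it: $derived"; return 1
    fi
    ktype=${derived%% *}
    case "$hk:$ktype" in
        *ed25519*:ssh-ed25519|*ecdsa*:ecdsa-sha2-nistp*|*rsa*:ssh-rsa) ;;
        *) echo "FAIL $hk: holds a $ktype key, not the type its name suggests"; return 1 ;;
    esac
    if [ -r "$hk.pub" ]; then
        # Compare type and base64 blob only; comments may legitimately differ.
        want=$(awk '{print $1, $2}' "$hk.pub")
        have=$(printf '%s\n' "$derived" | awk '{print $1, $2}')
        if [ "$want" != "$have" ]; then
            echo "FAIL $hk: $hk.pub does not belong to this private key"; return 1
        fi
    fi
    echo "OK   $hk: $ktype"
    return 0
}

# audit_sshd_hostkeys [SSHD_CONFIG]
# Runs check_host_key over every uncommented HostKey line (keyword match is
# case-insensitive, like sshd's own parser) and returns the number of failing
# keys. Paths containing whitespace are not supported. If the config has no
# HostKey lines at all, sshd falls back to its built-in defaults and this
# function checks nothing.
audit_sshd_hostkeys() {
    cfg="${1:-/etc/ssh/sshd_config}"
    bad=0
    for hk in $(awk 'tolower($1) == "hostkey" {print $2}' "$cfg"); do
        check_host_key "$hk" || bad=$((bad + 1))
    done
    return "$bad"
}

# Usage: sudo sh audit-hostkeys.sh [/etc/ssh/sshd_config]
# Guarded so the functions can also be sourced from another script.
case "$0" in
    *audit-hostkeys.sh) audit_sshd_hostkeys "$@" ;;
esac
```

Run it as root, since the private key files are not readable otherwise; the exit status is the number of keys sshd would not be able to use, so it doubles as a pre-restart check in a deployment pipeline. The trailing-newline test is the cheap one to run first when a key was pasted into a secret store or a config-management template, which is how keys usually lose their last byte.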
