
Dropbear does not work on fresh installation

Open Id2ndR opened this issue 4 years ago • 2 comments

Version used: mkinitcpio-systemd-tool 36-1.

This issue is related to https://github.com/random-archer/mkinitcpio-systemd-tool/issues/17 and https://bugs.archlinux.org/task/60523: on a fresh install, the ssh host keys are generated before dropbear is installed, so mkinitcpio shows errors like this:

```
    convert openssh to dropbear host key: /etc/dropbear/dropbear_ecdsa_host_key
==> ERROR: command failure (1): dropbearconvert openssh dropbear /etc/ssh/ssh_host_ecdsa_key /etc/dropbear/dropbear_ecdsa_host_key
Error: Unsupported OpenSSH key type
Error reading key from '/etc/ssh/ssh_host_ecdsa_key'
```

Then, the initrd-dropbear unit seems to start on reboot, but the ssh port (22) is not bound. In fact, starting dropbear with the `-E` option shows that it exits immediately with return code 1:

```
[20033] Feb 11 22:12:21 Failed loading /etc/dropbear/dropbear_rsa_host_key
[20033] Feb 11 22:12:21 Failed loading /etc/dropbear/dropbear_ecdsa_host_key
[20033] Feb 11 22:12:21 Failed loading /etc/dropbear/dropbear_ed25519_host_key
[20033] Feb 11 22:12:21 Early exit: No hostkeys available. 'dropbear -R' may be useful or run dropbearkey.
```

The problem is that using the `ssh-keygen -A -m PEM` command, as explained in the unit, does not help because it does not replace existing keys.

Solutions:

* a workaround is to remove the existing keys `/etc/ssh/ssh_host_*key*` before using the command `ssh-keygen -A -m PEM`.
* a better solution is to convert the existing keys with these commands, providing an empty password when prompted:
  ```sh
  # -p rewrites each existing key in place; -A is not needed here, it only creates missing keys
  for format in dsa ecdsa ed25519 rsa; do
    [ -f /etc/ssh/ssh_host_${format}_key ] || continue   # skip key types that were never generated
    ssh-keygen -p -m PEM -f /etc/ssh/ssh_host_${format}_key
  done
  ```

Then mkinitcpio should be run again.

Id2ndR avatar Feb 11 '21 21:02 Id2ndR


Hi! I just want to confirm that the problem of running `ssh-keygen -A -m PEM` still persists on OpenSSH 8.7p1-1. Isn't the use of option `-A` in order to convert to PEM format inherently incorrect, as it only creates files that don't already exist?

The manpage of ssh-keygen describes option `-A` as:

For each of the key types (rsa, dsa, ecdsa and ed25519) for which host keys do not exist, generate the host keys [...].

But since the host keys in /etc/ssh/ already exist (because they are generated on the first invocation of sshd), nothing will be generated/regenerated/converted. Is it OK to change the comment in the initrd-dropbear.service so that new users won't be confused? I made a pull request with the above-suggested for-loop instead of `ssh-keygen -A -m PEM`, since I don't have write access to the project.

pierrou-andreas avatar Aug 28 '21 12:08 pierrou-andreas
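Both the original report and the comment above hinge on the same point: `ssh-keygen -A` skips any host key file that already exists, so a key written in the newer OpenSSH container format stays that way until it is rewritten with `ssh-keygen -p -m PEM -f <key>`. The POSIX shell script below is an added example, not code from this issue or from the mkinitcpio-systemd-tool project. It reads the first line of each `ssh_host_*_key` in a directory and reports which ones are not PEM encoded, which is a quick check to run before rerunning mkinitcpio. It works on a constructed temporary directory of placeholder files standing in for `/etc/ssh` (no real key material), and the function names `key_format`, `list_keys_needing_conversion` and `count_keys_needing_conversion` are mine. One caveat it also shows: ed25519 keys have no PEM encoding (`-m PEM` is ignored for them), so they are always reported as `openssh`; whether `dropbearconvert` accepts that depends on the dropbear version installed.

```shell
#!/bin/sh
# Added example, not code from this issue or from mkinitcpio-systemd-tool.
# Reports which OpenSSH host private keys are not PEM encoded, i.e. the files
# that `ssh-keygen -A -m PEM` leaves untouched because they already exist and
# that still need `ssh-keygen -p -m PEM -f <key>` before dropbearconvert runs.
# Only the first line of each file is read; no key material is parsed.

# Print "pem", "openssh" or "unknown" for one private key file.
key_format() {
    if [ ! -r "$1" ]; then
        echo unknown
        return 0
    fi
    IFS= read -r first_line < "$1" || true   # read fails on an empty file; treat as unknown
    case "$first_line" in
        '-----BEGIN RSA PRIVATE KEY-----' | \
        '-----BEGIN DSA PRIVATE KEY-----' | \
        '-----BEGIN EC PRIVATE KEY-----')
            echo pem ;;
        '-----BEGIN OPENSSH PRIVATE KEY-----')
            echo openssh ;;
        *)
            echo unknown ;;
    esac
}

# Print one "<path> <format>" line for every ssh_host_*_key in the given
# directory that is not PEM encoded. Always returns 0.
list_keys_needing_conversion() {
    for key in "$1"/ssh_host_*_key; do
        [ -f "$key" ] || continue            # the glob matched nothing
        fmt=$(key_format "$key")
        [ "$fmt" = pem ] || echo "$key $fmt"
    done
    return 0
}

# Print the number of non-PEM host keys in the directory (digits only).
count_keys_needing_conversion() {
    n=0
    for key in "$1"/ssh_host_*_key; do
        [ -f "$key" ] || continue
        [ "$(key_format "$key")" = pem ] || n=$((n + 1))
    done
    echo "$n"
}

# Constructed stand-in for /etc/ssh: a temporary directory removed on exit.
# Only the header lines matter to this check; the bodies are placeholders,
# not real key material.
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
write_sample() {   # write_sample <file> <header label>
    printf '%s\n' "-----BEGIN $2 PRIVATE KEY-----" PLACEHOLDER "-----END $2 PRIVATE KEY-----" > "$1"
}
write_sample "$SAMPLE_DIR/ssh_host_rsa_key"     RSA       # already PEM, nothing to do
write_sample "$SAMPLE_DIR/ssh_host_ecdsa_key"   OPENSSH   # new format, needs -p -m PEM
write_sample "$SAMPLE_DIR/ssh_host_ed25519_key" OPENSSH   # ed25519 has no PEM form

list_keys_needing_conversion "$SAMPLE_DIR"
# On a real host, point it at the live directory instead:
#   list_keys_needing_conversion /etc/ssh
```

Run against `/etc/ssh`, an empty listing means the `-p -m PEM` loop has nothing left to rewrite (apart from the ed25519 caveat above); any `openssh` line is a key that `dropbearconvert` rejected with "Unsupported OpenSSH key type" in the report.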

I believe the for loop version of this fix does not need the -A flag.

ghthor avatar Sep 26 '21 20:09 ghthor