Dropbear does not work on fresh installation #83

Open
Id2ndR opened this issue Feb 11, 2021 · 2 comments
@Id2ndR
Id2ndR commented Feb 11, 2021

Version used: mkinitcpio-systemd-tool 36-1.

This issue is related to #17 and https://bugs.archlinux.org/task/60523: on a fresh install, the ssh host keys are generated before dropbear is installed, so mkinitcpio shows errors like this:

    convert openssh to dropbear host key: /etc/dropbear/dropbear_ecdsa_host_key
    ==> ERROR: command failure (1): dropbearconvert openssh dropbear /etc/ssh/ssh_host_ecdsa_key /etc/dropbear/dropbear_ecdsa_host_key 
    Error: Unsupported OpenSSH key type
    Error reading key from '/etc/ssh/ssh_host_ecdsa_key'

Then, the initrd-dropbear unit seems to start on reboot, but the ssh port (22) is not bound. In fact, starting dropbear with the -E option shows that it exits immediately with return code 1:

    [20033] Feb 11 22:12:21 Failed loading /etc/dropbear/dropbear_rsa_host_key
    [20033] Feb 11 22:12:21 Failed loading /etc/dropbear/dropbear_ecdsa_host_key
    [20033] Feb 11 22:12:21 Failed loading /etc/dropbear/dropbear_ed25519_host_key
    [20033] Feb 11 22:12:21 Early exit: No hostkeys available. 'dropbear -R' may be useful or run dropbearkey.

The problem is that using the ssh-keygen -A -m PEM command, as explained in the unit, does not help because it does not replace existing keys.

Solutions:

  • a workaround is to remove the existing keys /etc/ssh/ssh_host_*key* before using the command ssh-keygen -A -m PEM.
  • a better solution is to convert the existing keys with these commands, providing an empty password when prompted:
    for format in dsa ecdsa ed25519 rsa; do
      ssh-keygen -A -p -m PEM -f /etc/ssh/ssh_host_${format}_key
    done
    

Then mkinitcpio should be run again.
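An added example, not from the issue or the mkinitcpio-systemd-tool project, of the conversion above done as a small script rather than a bare loop: it reads each host key's header and converts only keys stored in the newer OpenSSH container (the format dropbearconvert rejected), passes the empty passphrase explicitly with -P '' and -N '' so ssh-keygen does not prompt, leaves out -A (which only creates keys that do not exist yet, which is why the unit's command did nothing), and returns a non-zero status when a conversion fails instead of hiding it. It assumes OpenSSH's ssh-keygen is on PATH and takes the key directory as an argument; the function names key_format, needs_conversion and convert_host_keys and the --demo switch are this example's own.

```shell
#!/bin/sh
# Added example (not from the issue or the mkinitcpio-systemd-tool project):
# convert OpenSSH-format host keys to PEM only where needed, without prompting,
# and report failures instead of hiding them. Assumes OpenSSH's ssh-keygen is
# on PATH; the key directory is passed as an argument (/etc/ssh on a real host).
set -u

# key_format FILE: print "openssh", "pem" or "unknown" from the first line of
# the private key file. Missing or unreadable files count as unknown.
key_format() {
    [ -r "$1" ] || { printf 'unknown\n'; return 0; }
    case "$(head -n 1 "$1")" in
        '-----BEGIN OPENSSH PRIVATE KEY-----')
            printf 'openssh\n' ;;
        '-----BEGIN RSA PRIVATE KEY-----' | \
        '-----BEGIN DSA PRIVATE KEY-----' | \
        '-----BEGIN EC PRIVATE KEY-----')
            printf 'pem\n' ;;
        *)
            printf 'unknown\n' ;;
    esac
}

# needs_conversion FILE: succeed (exit 0) when the key is stored in the newer
# OpenSSH container, the format dropbearconvert rejected in the issue.
needs_conversion() {
    [ "$(key_format "$1")" = openssh ]
}

# convert_host_keys DIR: rewrite each ssh_host_<type>_key in DIR that is in
# OpenSSH format into PEM, in place. Old and new passphrases are given
# explicitly as empty (-P '' -N ''), so nothing prompts. -A is deliberately
# absent: it only creates keys that do not exist and never touches existing
# ones. Prints the number of converted keys; exit status 1 if any failed.
convert_host_keys() {
    _dir=$1
    _converted=0
    _failed=0
    for _type in dsa ecdsa ed25519 rsa; do
        _key="$_dir/ssh_host_${_type}_key"
        [ -f "$_key" ] || continue
        needs_conversion "$_key" || continue
        if ssh-keygen -p -m PEM -P '' -N '' -f "$_key" >/dev/null; then
            _converted=$((_converted + 1))
        else
            echo "failed to convert $_key" >&2
            _failed=1
        fi
    done
    printf '%s\n' "$_converted"
    return "$_failed"
}

# demo: exercise the format check on constructed header-only files (not real
# keys) in a temporary directory, so it runs without touching /etc/ssh.
demo() {
    _tmp=$(mktemp -d)
    printf '%s\n' '-----BEGIN OPENSSH PRIVATE KEY-----' 'constructed' \
        > "$_tmp/ssh_host_rsa_key"
    printf '%s\n' '-----BEGIN EC PRIVATE KEY-----' 'constructed' \
        > "$_tmp/ssh_host_ecdsa_key"
    for _f in "$_tmp"/ssh_host_*_key; do
        if needs_conversion "$_f"; then
            echo "$_f: $(key_format "$_f") (needs conversion)"
        else
            echo "$_f: $(key_format "$_f") (already usable)"
        fi
    done
    rm -rf "$_tmp"
}

case "${1:-}" in
    --demo) demo ;;
    '') : ;;                  # no argument: just define the functions
    *) convert_host_keys "$1" ;;
esac
```

Run it with --demo to see the header check on constructed files, or as root with /etc/ssh as the argument to convert the real host keys; mkinitcpio still has to be re-run afterwards, as the issue says. Checking the header first also means the script is safe to run repeatedly: keys already in PEM form are left untouched.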

pierrou-andreas added a commit to pierrou-andreas/mkinitcpio-systemd-tool that referenced this issue Aug 28, 2021
random-archer#83

The manpage of ssh-keygen describes option "-A" as
"For each of the key types (rsa, dsa, ecdsa and ed25519) for which host keys do not exist, generate the host keys [...]."

But since the host keys in /etc/ssh/ already exist (because they are generated on the first invocation of sshd), nothing will be generated/regenerated/converted. Id2ndR suggested the for-loop method instead.
@pierrou-andreas
> The problem is that using the ssh-keygen -A -m PEM command, as explained in the unit, does not help because it does not replace existing keys.
>
> * a better solution is to convert the existing keys with these commands, providing an empty password when prompted:
>   ```
>   for format in dsa ecdsa ed25519 rsa; do
>     ssh-keygen -A -p -m PEM -f /etc/ssh/ssh_host_${format}_key
>   done
>   ```
>
> Then mkinitcpio should be run again.

Hi! I just want to confirm that the problem of running ssh-keygen -A -m PEM still persists on OpenSSH 8.7p1-1. Isn't the use of option -A in order to convert to PEM-format inherently incorrect as it only creates files that don't already exist?

The manpage of ssh-keygen describes option -A as

For each of the key types (rsa, dsa, ecdsa and ed25519) for which host keys do not exist, generate the host keys [...].

But since the host keys in /etc/ssh/ already exist (because they are generated on the first invocation of sshd), nothing will be generated/regenerated/converted. Is it OK to change the comment in the initrd-dropbear.service so that new users won't be confused? I made a pull request with the above-suggested for-loop instead of ssh-keygen -A -m PEM since I don't have write access to the project.

ghthor added a commit to ghthor/mkinitcpio-dropbear that referenced this issue Sep 26, 2021
This is a fairly silent error that occurs because the output
of the dropbearconvert wasn't checked and the return_code was
still being set to zero even if dropbearconvert failed. I found
the suggestion to convert the existing keys to PEM format in an
issue[1] for systemd-tool and I've converted the suggestion to an
echo statement during a failure to convert the keys when running
mkinitcpio when dropbear hook is enabled.

[1] random-archer/mkinitcpio-systemd-tool#83
ghthor added a commit to ghthor/mkinitcpio-dropbear that referenced this issue Sep 26, 2021
This commit adds additional output to the following Error
message informing the user they need to convert their existing
ssh_host key files to PEM format.

```
Error: Unsupported OpenSSH key type
Error reading key from '/etc/ssh/ssh_host_rsa_key'
Error: Unsupported OpenSSH key type
Error reading key from '/etc/ssh/ssh_host_ecdsa_key'
```

I found the suggestion to convert the existing keys to PEM format in
an issue[1] for systemd-tool and I've converted the suggestion to an
echo statement during a failure to convert the keys when running
mkinitcpio when dropbear hook is enabled.

Also this change stops swallowing this error. The new behavior is,
if dropbear convert was unable to convert any existing `ssh_host`
key files then `generate_keys` will be run. This prevents an initramfs
being generated without any host keyfiles. This is the same behavior
that occurs when NO existing `ssh_host` keyfiles exist.

[1] random-archer/mkinitcpio-systemd-tool#83
@ghthor
ghthor commented Sep 26, 2021

I believe the for loop version of this fix does not need the -A flag.
