Ubuntu – Error `could not load host key` when trying to recreate SSH host keys

opensshssh

I am trying to recreate the ssh-server host keys.

I have at least two ways to do this:

With dpkg-reconfigure
```
dpkg-reconfigure openssh-server
```
This works fine, but I cannot give the key length then. I want for example 4096 for the RSA key.
Manually with ssh-keygen
```
sudo ssh-keygen -f /etc/ssh/ssh_host_rsa_key -N 'myverylongpasswordhere' -b 4096 -t rsa
```
This recreates me the keys, but after restarting the server, I receive the following error message:
```
could not load host key: /etc/ssh/ssh_host_rsa_key
```
so I checked the sshd_config file whats in there:
```
HostKey /etc/ssh/ssh_host_rsa_key
```
matches perfectly. So, I checked the owner and rights to all my keys
```
-rw------- 1 root root 3326 Mär 24 08:57 ssh_host_rsa_key
```
When I remove all keys and recreate them with dpkg-reconfigure openssh-server, the keys are smaller and having the same file-rights like above.

Question: How can I use dpkg-reconfigure with keylengh 4096 for RSA?

Best Answer

sudo ssh-keygen -f /etc/ssh/ssh_host_rsa_key -N 'myverylongpasswordhere' -b 4096 -t rsa
recreates me the keys. but, after restarting the server, i recieve
could not load host key: /etc/ssh/ssh_host_rsa_key

You create a hostkey with a password. Is there any customization to unlock that hostkey? If not, then I think that is what is to be expected: the script that manages the service starts up, tries to load the hostkey, and fails. As far as I know you shouldn't create hostkeys protected with passwords.

If you are interested in hardening your SSH server then I recommend reading https://stribika.github.io/2015/01/04/secure-secure-shell.html the command used to create the hostkey in that document is:

ssh-keygen -t rsa -b 4096 -f ssh_host_rsa_key

But you should read the entire document before making any changes.

Related Solutions

Ubuntu – Invalid SSH key error in juju when using it with MAAS

The solution I came up with is to set a password for the newly-booted nodes, and then manually insert SSH keys into each of them. To set a boot password for the ubuntu user, ensure that the following lines to /var/lib/cobbler/kickstarts/maas.preseed:

d-i    passwd/make-user boolean true
d-i    passwd/user-fullname ubuntu
d-i    passwd/username string ubuntu
d-i    passwd/user-password-crypted password <CRYPTED PASSWORD>

Once this is done, you can ssh ubuntu@ and use the password specified in the crypted password string (easiest way is to use one from an /etc/shadow file you already know) to log in. You can then insert your SSH public keys under ~ubuntu/.ssh/authorized_keys and ~root/.ssh/authorized keys.

Note that this is a workaround- once you ssh-keygen, MaaS should either be pulling the id_rsa.pub from your .ssh directory, or from the MaaS WebUI, where the user can specify a public key in his profile. No matter what I've tried, these keys aren't propagated, so I came up with the workaround.

A further cheat is to just add the .pub key to your MaaS node's .ssh/authorized_keys and then scp it to each of the nodes in the MaaS:

for i in `cobbler system list |grep -v default`; 
    do j=`cobbler system dumpvars --name "${i}" | grep hostname |grep -v duplicate |cut -f 2 -d \:`; 
    scp ~/.ssh/authorized_keys ubuntu@${j}:.ssh/authorized_keys;
done

This leaves you able to just repeatedly accept the SSH certificate errors and type the password in the crypted string to populate your entire MaaS with the SSH public key.

Ubuntu – How is a login via an ssh private/public key associated with a given user

The command:

ssh-copy-id  username@host

As documented in the link above does not work from mac. Therefore, I logged in as root and of course, that is where the key was installed.

The answer seems to be: If You log in as the user, then cat the public key to the ~/.ssh/authorized_keys file.

Best Answer

Related Solutions

Ubuntu – Invalid SSH key error in juju when using it with MAAS

Ubuntu – How is a login via an ssh private/public key associated with a given user

Related Question