Ssh – Changing the output directory when recreating SSH host keys with ssh-keygen (the -f switch doesn’t prevent ssh-keygen from writing to /etc/ssh/)

key-authenticationssh

I've been trying to start an additional sshd process on a remote machine. I've created a working directory with the new sshd config file I'd like to use.

When I try to run sshd using the config file in this directory, it complains it can't find any host keys. I've tried to create missing host keys by running ssh-keygen -A with the -f switch to specify the location of my working directory but ssh-keygen continues trying to place the keys in /etc/ssh/ instead of the directory I specified. I don't have access to /etc/ssh, so it fails.

How can I generate these keys without access to this path?

Best Answer

The -A option tells ssh-keygen to generate host keys. According to the manual page, the intended use of ssh-keygen is

Normally each user wishing to use SSH with public key authentication runs
this once to create the authentication key in ~/.ssh/identity,
~/.ssh/id_ecdsa, ~/.ssh/id_dsa or ~/.ssh/id_rsa. Additionally, the system administrator may use this to generate host keys.

The synopsis lists the -A on a line by itself, with no other options:

SYNOPSIS
     ssh-keygen [-q] [-b bits] -t type [-N new_passphrase] [-C comment]
                [-f output_keyfile]
     ssh-keygen -p [-P old_passphrase] [-N new_passphrase] [-f keyfile]
     ssh-keygen -i [-m key_format] [-f input_keyfile]
     ssh-keygen -e [-m key_format] [-f input_keyfile]
     ssh-keygen -y [-f input_keyfile]
     ssh-keygen -c [-P passphrase] [-C comment] [-f keyfile]
     ssh-keygen -l [-f input_keyfile]
     ssh-keygen -B [-f input_keyfile]
     ssh-keygen -D pkcs11
     ssh-keygen -F hostname [-f known_hosts_file] [-l]
     ssh-keygen -H [-f known_hosts_file]
     ssh-keygen -R hostname [-f known_hosts_file]
     ssh-keygen -r hostname [-f input_keyfile] [-g]
     ssh-keygen -G output_file [-v] [-b bits] [-M memory] [-S start_point]
     ssh-keygen -T output_file -f input_file [-v] [-a num_trials] [-K checkpt]
                [-W generator]
     ssh-keygen -s ca_key -I certificate_identity [-h] [-n principals]
                [-O option] [-V validity_interval] [-z serial_number] file ...
     ssh-keygen -L [-f input_keyfile]
     ssh-keygen -A

So (aside from modifying the source and compiling it yourself), what you are asking is not its intended use.

The key is not loaded

For most issues, this means that your ssh-agent doesn't have any ssh keys loaded that are accepted for your account on the target server. In this case, as noted by @Networker's answer to this question, the solution is rather simple: add the key:

ssh-add

If the key is in a non-default location, you'll need to tell that to ssh-add:

ssh-add /path/to/key

The agent cannot understand the key

This was GNOME bug 754028, resolved in Seahorse 3.29.90 (stable 3.30 released 2018-09-03, included in Ubuntu 18.10, Fedora 29, and probably Red Hat/CentOS 9). Seahorse before 3.29.90 (and therefore GNOME Keyring) could neither create nor add new key types like ed25519 and keys generated with ssh-keygen -o -a 100 (as suggested by the Secure Secure Shell tutorial).

Diagnosis of this problem:

ssh myserver fails with "ssh Agent admitted failure"
SSH_AUTH_SOCK= ssh myserver works just fine
Conclusion: gnome-keyring can't deal with complex keys

As I just found a viable workaround for this bug, and it doesn't seem to be published anywhere (except the comment I just added to an Ubuntu bug), I'll put it here.

Workaround: Launch a new ssh-agent using the same socket as the one from gnome-keyring:

ssh-agent -a $SSH_AUTH_SOCK

This launches a new instance of ssh-agent (overwriting GNOME's less capable instance), so it won't have any keys in it (despite what seahorse says, since that's tied to the old agent). You'll have to add them via ssh-add as noted in the The key is not loaded section above.

You'll have to run this every time you log in (or manually add it to your startup scripts). If you want to preserve the old socket, run mv $SSH_AUTH_SOCK $SSH_AUTH_SOCK.broken first.

Ssh – Can’t connect to another user than root through SSH

.ssh and everything under it should be owned by the user (in this case 'storm') and only the user should have permission. chown -R storm ~storm/.ssh; chmod 700 ~storm/.ssh;chmod 600 ~storm/.ssh/authorized_keys should do the trick.

If you have control over who's able to log into the console, you can get away without the Match block and the AllowUsers directive by simply disabling passwords and allowing root login only with a key:

PasswordAuthentication no
PermitRootLogin without-password

Be sure to test this while you have access to the console . . . just in case.

Best Answer

Related Solutions

SSH Login doesn’t work using a key Without Password

The key is not loaded

The agent cannot understand the key

Ssh – Can’t connect to another user than root through SSH

Related Question