The mystery of SSH host keys on fai install clients

Torsten Schlabach tschlabach at gmx.net
Thu Jun 21 17:46:52 CEST 2007


Hi list!

I think I am missing something. I am sure I do. So please enlighten me.

As explained in a previous message, sshd does not start on my install 
client; I therefore cannot login during the install process using SSH. I 
seem to be the only one who has that problem, though.

I think I found the cause. Here are the host keys in my nfsroot on the 
install server:

debian32m:/srv/fai/nfsroot/etc/ssh# ls -l
total 160
-rw-r--r-- 1 root root 132777 2007-03-05 17:38 moduli
-rw-r--r-- 1 root root   1424 2007-03-05 17:38 ssh_config
-rw-r--r-- 1 root root   1874 2007-05-11 10:16 sshd_config
-rw------- 1 root root    668 2007-05-11 10:16 ssh_host_dsa_key
-rw-r--r-- 1 root root    604 2007-05-11 10:16 ssh_host_dsa_key.pub
-rw------- 1 root root   1675 2007-05-11 10:16 ssh_host_rsa_key
-rw-r--r-- 1 root root    396 2007-05-11 10:16 ssh_host_rsa_key.pub

The only problem with that is that this directory gets mounted by the 
install client via NFS. So let's try that from an installed client:

mount myinstallserver.net:/srv/fai/nfsroot /mnt

ls -l /mnt/etc/ssh looks fine:

-rw-r--r-- 1 root root 132777 2007-03-05 17:38 moduli
-rw-r--r-- 1 root root   1424 2007-03-05 17:38 ssh_config
-rw-r--r-- 1 root root   1874 2007-05-11 10:16 sshd_config
-rw------- 1 root root    668 2007-05-11 10:16 ssh_host_dsa_key
-rw-r--r-- 1 root root    604 2007-05-11 10:16 ssh_host_dsa_key.pub
-rw------- 1 root root   1675 2007-05-11 10:16 ssh_host_rsa_key
-rw-r--r-- 1 root root    396 2007-05-11 10:16 ssh_host_rsa_key.pub

*But*:

# cat ssh_host_rsa_key
cat: ssh_host_rsa_key: Input/output error

It is basically impossible for the install client to read the host keys 
via NFS because only root may read them and NFS does some mapping 
preventing this. (I cannot properly phrase this, but the fact that you 
are root on the client does not make you root on the NFS server, AFAIK.)

I tried to chmod the host keys to make them world readable, but then 
sshd complains:

syslog.log:Jun 21 15:14:47 box-n-02 sshd[1785]: Server listening on :: port 22.
syslog.log:Jun 21 15:15:11 box-n-02 sshd[2138]: error: @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
syslog.log:Jun 21 15:15:11 box-n-02 sshd[2138]: error: @         WARNING: UNPROTECTED PRIVATE KEY FILE!          @
syslog.log:Jun 21 15:15:11 box-n-02 sshd[2138]: error: @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
syslog.log:Jun 21 15:15:11 box-n-02 sshd[2138]: error: Permissions 0644 for '/etc/ssh/ssh_host_rsa_key' are too open.
syslog.log:Jun 21 15:15:11 box-n-02 sshd[2138]: error: It is recommended that your private key files are NOT accessible by others.
syslog.log:Jun 21 15:15:11 box-n-02 sshd[2138]: error: This private key will be ignored.
syslog.log:Jun 21 15:15:11 box-n-02 sshd[2138]: error: bad permissions: ignore key: /etc/ssh/ssh_host_rsa_key
syslog.log:Jun 21 15:15:11 box-n-02 sshd[2138]: error: Could not load host key: /etc/ssh/ssh_host_rsa_key
syslog.log:Jun 21 15:15:11 box-n-02 sshd[2138]: error: @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
syslog.log:Jun 21 15:15:11 box-n-02 sshd[2138]: error: @         WARNING: UNPROTECTED PRIVATE KEY FILE!          @
syslog.log:Jun 21 15:15:11 box-n-02 sshd[2138]: error: @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
syslog.log:Jun 21 15:15:11 box-n-02 sshd[2138]: error: Permissions 0644 for '/etc/ssh/ssh_host_dsa_key' are too open.
syslog.log:Jun 21 15:15:11 box-n-02 sshd[2138]: error: It is recommended that your private key files are NOT accessible by others.
syslog.log:Jun 21 15:15:11 box-n-02 sshd[2138]: error: This private key will be ignored.
syslog.log:Jun 21 15:15:11 box-n-02 sshd[2138]: error: bad permissions: ignore key: /etc/ssh/ssh_host_dsa_key
syslog.log:Jun 21 15:15:11 box-n-02 sshd[2138]: error: Could not load host key: /etc/ssh/ssh_host_dsa_key
syslog.log:Jun 21 15:15:15 box-n-02 sshd[2166]: error: @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
syslog.log:Jun 21 15:15:16 box-n-02 sshd[2166]: error: @         WARNING: UNPROTECTED PRIVATE KEY FILE!          @
syslog.log:Jun 21 15:15:16 box-n-02 sshd[2166]: error: @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
syslog.log:Jun 21 15:15:16 box-n-02 sshd[2166]: error: Permissions 0644 for '/etc/ssh/ssh_host_rsa_key' are too open.

So what do you guys do on your systems to overcome this issue?

Regards,
Torsten
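
A small audit script, added here as an example and not part of the post or of FAI, that reproduces the check behind the log lines above: sshd refuses a private host key that is owned by the uid it runs as whenever the file mode has any group or other permission bits set (mode & 077 != 0), so a chmod to 0644 only trades the NFS read error for the "too open" rejection. The directory the script builds is constructed sample data mimicking the nfsroot listing in the post; the function names are the example's own and the script assumes GNU stat (Linux).

```shell
#!/bin/sh
# Added example, not code from the post or from FAI.
# Reproduces sshd's host-key permission check so an nfsroot can be
# audited on the install server before a client boots from it.

# hostkey_mode_ok FILE
# Returns 0 if sshd would accept the key's permissions, 1 if it would
# print the "Permissions ... are too open" banner and ignore the key,
# 2 if the file cannot be examined.
hostkey_mode_ok() {
    mode=$(stat -c '%a' "$1" 2>/dev/null) || return 2
    owner=$(stat -c '%u' "$1" 2>/dev/null) || return 2
    # sshd only enforces the mode on keys owned by the uid it runs as;
    # a key owned by somebody else is loaded without this complaint.
    [ "$owner" = "$(id -u)" ] || return 0
    # (mode & 077) == 0 is the same as the group and other digits both
    # being 0, i.e. the octal mode ending in "00" (0600, 0400, ...).
    case "$mode" in
        *00) return 0 ;;
        *)   return 1 ;;
    esac
}

# audit_hostkeys DIR
# Prints one line per private host key in DIR and returns the number of
# keys sshd would refuse (0 means every key is acceptable).
audit_hostkeys() {
    bad=0
    for key in "$1"/ssh_host_*_key; do
        [ -f "$key" ] || continue
        if hostkey_mode_ok "$key"; then
            echo "ok   $(stat -c '%a %U' "$key") $key"
        else
            echo "BAD  $(stat -c '%a %U' "$key") $key (sshd: too open, key ignored)"
            bad=$((bad + 1))
        fi
    done
    return $bad
}

# make_demo_dir
# Builds a constructed sample directory shaped like nfsroot/etc/ssh in
# the post: one key left at 0600 and one chmod'ed to 0644 as the post
# tried. Prints the directory path. Uses empty files; only the modes
# matter for this check.
make_demo_dir() {
    d=$(mktemp -d)
    for t in rsa dsa; do
        : > "$d/ssh_host_${t}_key"
        : > "$d/ssh_host_${t}_key.pub"
    done
    chmod 600 "$d/ssh_host_rsa_key"   # fine for sshd (unreadable over root_squash NFS)
    chmod 644 "$d/ssh_host_dsa_key"   # readable over NFS, but sshd ignores it
    echo "$d"
}

# Stand-alone run: audit the sample directory, then clean it up.
demo=$(make_demo_dir)
audit_hostkeys "$demo"
rm -rf "$demo"
```

On the install server, `audit_hostkeys /srv/fai/nfsroot/etc/ssh` tells you which keys sshd on the client will accept. It says nothing about whether the client can read them over NFS: with the default root_squash export option the client's uid 0 is mapped to the anonymous uid, so a root-owned 0600 file stays unreadable no matter what sshd thinks of its mode.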



More information about the linux-fai mailing list