Bug 1383641 - ed25519 and ecdsa OpenSSH keys are not pregenerated
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: lorax
Version: 25
Hardware: s390x
OS: Unspecified
Assignee: Brian Lane
QA Contact: Fedora Extras Quality Assurance
Blocks: ZedoraTracker F25s390x
Reported: 2016-10-11 10:17 UTC by Dan Horák
Modified: 2016-10-26 22:31 UTC (History)

Fixed In Version: lorax-25.17-1 lorax-25.17-1.fc25
Last Closed: 2016-10-26 22:31:08 UTC
Type: Bug

Description Dan Horák 2016-10-11 10:17:33 UTC
When booting the F-25 Beta RC images I see 2 errors regarding OpenSSH key generation


from console
...
         Starting OpenSSH ecdsa Server Key Generation...
[FAILED] Failed to start OpenSSH ed25519 Server Key Generation.
See 'systemctl status sshd-keygen' for details.
[FAILED] Failed to start OpenSSH ecdsa Server Key Generation.
See 'systemctl status sshd-keygen' for details.
[  OK  ] Reached target sshd-keygen.target.

from journalctl
...
Oct 11 09:47:48 devel3.s390.bos.redhat.com systemd[1]: Starting OpenSSH ed25519 Server Key Generation...
Oct 11 09:47:48 devel3.s390.bos.redhat.com kernel: audit: type=1130 audit(1476179268.003:96): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=systemd-up
Oct 11 09:47:48 devel3.s390.bos.redhat.com kernel: audit: type=1130 audit(1476179268.003:97): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=rngd comm=
Oct 11 09:47:48 devel3.s390.bos.redhat.com systemd[1756]: sshd-keygen: Failed at step EXEC spawning /usr/libexec/openssh/sshd-keygen: No such file or directory
Oct 11 09:47:48 devel3.s390.bos.redhat.com systemd[1]: Starting System Logging Service...
Oct 11 09:47:48 devel3.s390.bos.redhat.com systemd[1]: Starting Hold until boot process finishes up...
Oct 11 09:47:48 devel3.s390.bos.redhat.com systemd[1]: Starting Anaconda NetworkManager configuration...
Oct 11 09:47:48 devel3.s390.bos.redhat.com systemd[1]: Starting Terminate Plymouth Boot Screen...
Oct 11 09:47:48 devel3.s390.bos.redhat.com systemd[1]: Starting Service enabling compressing RAM with zRam...
Oct 11 09:47:48 devel3.s390.bos.redhat.com systemd[1]: Starting pre-anaconda logging service...
Oct 11 09:47:48 devel3.s390.bos.redhat.com systemd[1]: Starting OpenSSH ecdsa Server Key Generation...
Oct 11 09:47:48 devel3.s390.bos.redhat.com systemd[1]: sshd-keygen: Main process exited, code=exited, status=203/EXEC
Oct 11 09:47:48 devel3.s390.bos.redhat.com systemd[1]: Failed to start OpenSSH ed25519 Server Key Generation.
Oct 11 09:47:48 devel3.s390.bos.redhat.com systemd[1764]: sshd-keygen: Failed at step EXEC spawning /usr/libexec/openssh/sshd-keygen: No such file or directory
Oct 11 09:47:48 devel3.s390.bos.redhat.com systemd[1]: sshd-keygen: Unit entered failed state.
Oct 11 09:47:48 devel3.s390.bos.redhat.com audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=sshd-keygen@ed25519 comm="systemd" ex
Oct 11 09:47:48 devel3.s390.bos.redhat.com systemd[1]: sshd-keygen: Failed with result 'exit-code'.
Oct 11 09:47:48 devel3.s390.bos.redhat.com systemd[1]: sshd-keygen: Main process exited, code=exited, status=203/EXEC
Oct 11 09:47:48 devel3.s390.bos.redhat.com systemd[1]: Failed to start OpenSSH ecdsa Server Key Generation.
Oct 11 09:47:48 devel3.s390.bos.redhat.com systemd[1]: sshd-keygen: Unit entered failed state.
Oct 11 09:47:48 devel3.s390.bos.redhat.com audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=sshd-keygen@ecdsa comm="systemd" exe=
Oct 11 09:47:48 devel3.s390.bos.redhat.com systemd[1]: sshd-keygen: Failed with result 'exit-code'.
Oct 11 09:47:48 devel3.s390.bos.redhat.com systemd[1]: Reached target sshd-keygen.target.
...

The solution can be adding the key generation to the postinstall lorax template
(https://github.com/rhinstaller/lorax/blob/master/share/templates.d/99-generic/runtime-postinstall.tmpl#L91), but my question is whether the generation could be omitted from image creation and left for runtime.

Version-Release number of selected component (if applicable):
lorax-25.15-1.fc25

Comment 1 Brian Lane 2016-10-11 21:08:23 UTC
You certainly don't want to include keygen as part of the image creation process. Then everyone will get the same keys.

Make sure the iso you are using was created using lorax-25.16-1 or later.

*** This bug has been marked as a duplicate of bug 1378378 ***

Comment 2 Dan Horák 2016-10-11 21:35:00 UTC
(In reply to Brian Lane from comment #1)
> You certainly don't want to include keygen as part of the image creation
> process. Then everyone will get the same keys.

Shouldn't we then remove the whole key-creation section in runtime-postinstall.tmpl for s390(x) mentioned above?

Comment 3 Brian Lane 2016-10-11 21:55:47 UTC
(In reply to Dan Horák from comment #2)
> (In reply to Brian Lane from comment #1)
> > You certainly don't want to include keygen as part of the image creation
> > process. Then everyone will get the same keys.
> 
> Shouldn't we then remove the whole key-creation section in
> runtime-postinstall.tmpl for s390(x) mentioned above?

I would think so, but since I'm not exactly sure *why* that code is there someone with s390 access will have to give it a try to make sure it doesn't break anything.

Comment 4 Dan Horák 2016-10-12 12:18:53 UTC
Log from booting a refreshed install.img after updating post-install lorax template

...
         Starting Anaconda NetworkManager configuration...
         Starting Service enabling compressing RAM with zRam...
         Starting Terminate Plymouth Boot Screen...
         Starting pre-anaconda logging service...
         Starting OpenSSH ecdsa Server Key Generation...
[  OK  ] Started Hardware RNG Entropy Gatherer Daemon.
         Starting Hold until boot process finishes up...
         Starting OpenSSH ed25519 Server Key Generation...
         Starting OpenSSH rsa Server Key Generation...
         Starting System Logging Service...
         Starting Login Service...
[   33.533897] anaconda[1680]: Starting installer, one moment...
[   33.535137] anaconda[1680]: 12:02:42 Please ssh install@devel3 (a.b.c.d) to begin the install.

Will send a pull request ASAP.

Comment 5 Dan Horák 2016-10-12 13:58:00 UTC
See https://github.com/rhinstaller/lorax/pull/165 for the dropping of ssh keygen in the image.
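
Added example, not part of the bug report or of lorax: a shell check for the two failure modes discussed in this thread, private host keys baked into the image (every system booted from it shares them) and a missing keygen helper (the `status=203/EXEC` failure in the journal). It assumes the image root is unpacked or mounted at a directory; the function names and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# Audit an unpacked installer image root for SSH host key problems.
# Return value of audit_image_root is a bitmask:
#   0  no private host keys in the image, keygen helper present
#   1  private host keys shipped in the image
#   2  keygen helper missing or not executable
#   3  both problems
audit_image_root() {
    local root="$1"
    local rc=0
    local key
    # Helper path taken from the journal output in this report.
    local helper="usr/libexec/openssh/sshd-keygen"

    # ssh_host_*_key matches private keys only; the .pub files end in ".pub".
    for key in "$root"/etc/ssh/ssh_host_*_key; do
        [ -e "$key" ] || continue          # glob matched nothing
        echo "BAKED-IN KEY: ${key#"$root"}"
        rc=$((rc | 1))
    done

    # Keys left for runtime need the helper the sshd-keygen units exec.
    if [ ! -x "$root/$helper" ]; then
        echo "MISSING HELPER: /$helper"
        rc=$((rc | 2))
    fi
    return "$rc"
}

# Constructed sample: a fake image root with one baked-in private key,
# its public half, and no keygen helper.
make_sample_root() {
    local d
    d=$(mktemp -d)
    mkdir -p "$d/etc/ssh"
    : > "$d/etc/ssh/ssh_host_ed25519_key"
    : > "$d/etc/ssh/ssh_host_ed25519_key.pub"
    echo "$d"
}

# Demo run on the constructed sample (reports both findings).
sample=$(make_sample_root)
audit_image_root "$sample" || echo "audit exit status: $?"
rm -rf "$sample"
```

To audit a real image, call `audit_image_root /path/to/unpacked/root` and fail the build on a non-zero status.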

Comment 6 Brian Lane 2016-10-12 16:06:16 UTC
Thanks for testing that!

Comment 7 Fedora Update System 2016-10-19 08:29:26 UTC
lorax-25.17-1.fc25 has been pushed to the Fedora 25 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-0a0a45fcbe

Comment 8 Fedora Update System 2016-10-26 22:31:08 UTC
lorax-25.17-1.fc25 has been pushed to the Fedora 25 stable repository. If problems still persist, please make note of it in this bug report.

