[Pkg-privacy-maintainers] Bug#928684: Bug#928684: monkeysphere-host import-key broken due to ssh-keygen change

Andrei Morgan asm-debian at fifthhorseman.net
Fri May 10 09:23:57 BST 2019


On Fri, May 10, 2019 at 07:21:24AM +0000, Andrei Morgan wrote:
> On Wed, May 08, 2019 at 06:17:03PM -0400, Daniel Kahn Gillmor wrote:
> > As a workaround, if you don't care about the existing RSA hostkey on
> > your server, you can just re-generate it with:
> > 
> >      rm -f /etc/ssh/ssh_host_rsa_key /etc/ssh/ssh_host_rsa_key.pub
> >      ssh-keygen -t rsa -N '' -f /etc/ssh/ssh_host_rsa_key
> 
> Thanks for the advice. Unfortunately, this does not work:

After discussion with someone else, I figured out how to fix this workaround:

    ssh-keygen -t rsa -N '' -f /etc/ssh/ssh_host_rsa_key -m PEM

This provides me with:

     root@server:~# grep ^----- /etc/ssh/ssh_host_*_key
     /etc/ssh/ssh_host_ecdsa_key:-----BEGIN OPENSSH PRIVATE KEY-----
     /etc/ssh/ssh_host_ecdsa_key:-----END OPENSSH PRIVATE KEY-----
     /etc/ssh/ssh_host_ed25519_key:-----BEGIN OPENSSH PRIVATE KEY-----
     /etc/ssh/ssh_host_ed25519_key:-----END OPENSSH PRIVATE KEY-----
     /etc/ssh/ssh_host_rsa_key:-----BEGIN RSA PRIVATE KEY-----
     /etc/ssh/ssh_host_rsa_key:-----END RSA PRIVATE KEY-----
     root@server:~#

And the `monkeysphere-host import-key` command also worked.

     root@server:~# monkeysphere-host import-key /etc/ssh/ssh_host_rsa_key ssh://server.example.com
     ms: host key imported:
     pub   rsa2048 2019-05-10 [CA]
           2E66A858557528DDA4D8E1FCBB8427731FCCD81A
     uid           [ unknown] ssh://server.example.com
     OpenPGP fingerprint: 2E66A858557528DDA4D8E1FCBB8427731FCCD81A
     ssh fingerprint: 2048 SHA256:qNes+pJ9gPZ+l6OS8ZJYc9xZhRdFV/10YaAslEwkXcU . (RSA)
     root@server:~#

The only thing I don't know is whether this will have any future
implications, but I guess that as servers being upgraded from stretch to
buster will retain the old-style (i.e. PEM) format, there shouldn't be
any big problems.

Cheers,

	-- Andrei

-- 
Andrei Morgan MRCPCH, MSc, PhD (Epidemiology / Neonatology)
https://www.andreimorgan.net/info/contact
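
A pre-flight check for the situation in this thread, as an added example that is not part of the original message or of monkeysphere: it classifies host key files by the same armor line the `grep` above prints and flags an RSA host key that is not in PEM format. The function names are hypothetical, and treating only the `BEGIN RSA PRIVATE KEY` header as importable is an assumption drawn from the output shown in the message.

```shell
#!/bin/sh
# Added example. Classifies a private key file by its first (armor) line.
# key_format FILE -> prints openssh | pem-rsa | other | unreadable
key_format() {
    [ -r "$1" ] || { echo unreadable; return 0; }
    # An empty file yields no line; a last line without a newline still counts.
    IFS= read -r first < "$1" || [ -n "$first" ] || { echo other; return 0; }
    case "$first" in   # trailing * tolerates a CR from CRLF line endings
        "-----BEGIN OPENSSH PRIVATE KEY-----"*) echo openssh ;;
        "-----BEGIN RSA PRIVATE KEY-----"*)     echo pem-rsa ;;
        *)                                      echo other ;;
    esac
}

# rsa_import_ready FILE -> exit 0 only for the PEM RSA header (assumption:
# this is the format import-key accepted in the message above).
rsa_import_ready() {
    [ "$(key_format "$1")" = pem-rsa ]
}

# report_host_keys [DIR] -> lists every ssh_host_*_key with its format and
# returns 1 when DIR/ssh_host_rsa_key is missing or not PEM.
report_host_keys() {
    dir=${1:-/etc/ssh}
    for f in "$dir"/ssh_host_*_key; do
        [ -e "$f" ] || continue
        printf '%s: %s\n' "$f" "$(key_format "$f")"
    done
    if rsa_import_ready "$dir/ssh_host_rsa_key"; then
        return 0
    fi
    echo "ssh_host_rsa_key is not PEM; regenerate it with -m PEM first" >&2
    return 1
}

# Constructed sample: files holding only armor lines, no key material.
demo=$(mktemp -d)
printf '%s\n' '-----BEGIN OPENSSH PRIVATE KEY-----' \
    '-----END OPENSSH PRIVATE KEY-----' > "$demo/ssh_host_ed25519_key"
printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' \
    '-----END RSA PRIVATE KEY-----' > "$demo/ssh_host_rsa_key"
report_host_keys "$demo"
rm -rf "$demo"
```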