The Avila project

Xenial image for frieza does not have SSH configured correctly

Bug #1650677 reported by Larry Price on 2016-12-16

This bug affects 2 people

Affects		Status	Importance	Assigned to	Milestone
	Canonical System Image	New	Undecided	Alex T Newman
	The Avila project	New	Undecided	Alfonso Sanchez-Beato

Bug Description

After installing the xenial-arm64 image on frieza, it's not possible to use `phablet-shell` to connect to the device. After some digging, I found that openssh is installed on the device but there are no host certs in `/etc/ssh/`. I fixed this locally by creating a cert with `ssh-keygen -t rsa -f /etc/ssh/ssh_host_rsa_key`, but this key should probably be available out of the box.

frieza
arm64
Ubuntu 16.04 r101

Revision history for this message

Pat McGowan (pat-mcgowan) wrote on 2016-12-19:

@john got anyone to look at this?

Changed in canonical-devices-system-image:
assignee:	nobody → John McAleely (john.mcaleely)

Alex T Newman (alextnewman) on 2017-01-05

Changed in canonical-devices-system-image:
assignee:	John McAleely (john.mcaleely) → Alex T Newman (alextnewman)

Revision history for this message

Oliver Grawert (ogra) wrote on 2017-01-05:

the certs used to be created by the sysv-init/upstart script in the past on first start of sshd ... perhaps that changed with the switch to systemd so you would need a separate script

Alex T Newman (alextnewman) on 2017-01-05

Changed in avila:
assignee:	nobody → Alfonso Sanchez-Beato (alfonsosanchezbeato)

Revision history for this message

Colin Watson (cjwatson) wrote on 2017-01-05:

None of my sysv/upstart jobs ever created host keys at boot time; I have specifically nacked that multiple times because the time you exactly shouldn't generate host keys is at boot when the system is low on entropy (there is academic research about how that particular idea leads to weak keys in the wild). Anything which you observed doing that in the past was outside of the openssh package, and either without my knowledge or over my objections.

Host keys should normally be created at installation time (e.g. when the image is installed on the device, if this is an image-based upgrade) instead, or at least at some point when sufficient entropy is likely to be available.

Revision history for this message

Colin Watson (cjwatson) wrote on 2017-01-05:

https://factorable.net/weakkeys12.conference.pdf is the research I'm thinking of.

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.