SSH connection closed by <HOST> error

Bug #1825566 reported by Cubic PPA
Affects: Cubic
Status: Fix Released
Importance: Critical
Assigned to: Cubic PPA

Bug Description

When trying to ssh to a remote computer whose OS was installed using a Cubic generated ISO, the remote computer does not allow SSH connections.

The user receives the error:
    SSH connection closed by TEST error

(Where TEST is the remote computer).

Additionally, running `systemctl status sshd` on the remote computer gives the following...

$ systemctl status sshd
● ssh.service - OpenBSD Secure Shell server
   Loaded: loaded (/lib/systemd/system/ssh.service; enabled; vendor preset: enabled)
   Active: active (running) since Fri 2019-04-19 14:33:48 EDT; 13min ago
     Docs: man:sshd(8)
           man:sshd_config(5)
  Process: 840 ExecStartPre=/usr/sbin/sshd -t (code=exited, status=0/SUCCESS)
 Main PID: 857 (sshd)
    Tasks: 1 (limit: 4915)
   Memory: 4.2M
   CGroup: /system.slice/ssh.service
           └─857 /usr/sbin/sshd -D

Apr 19 14:33:48 TEST systemd[1]: Starting OpenBSD Secure Shell server...
Apr 19 14:33:48 TEST systemd[1]: Started OpenBSD Secure Shell server.
Apr 19 14:34:13 TEST sshd[2243]: error: Could not load host key: /etc/ssh/ssh_host_rsa_key
Apr 19 14:34:13 TEST sshd[2243]: error: Could not load host key: /etc/ssh/ssh_host_ecdsa_key
Apr 19 14:34:13 TEST sshd[2243]: error: Could not load host key: /etc/ssh/ssh_host_ed25519_key
Apr 19 14:34:13 TEST sshd[2243]: fatal: No supported key exchange algorithms [preauth]
Apr 19 14:38:02 TEST sshd[3939]: error: Could not load host key: /etc/ssh/ssh_host_rsa_key
Apr 19 14:38:02 TEST sshd[3939]: error: Could not load host key: /etc/ssh/ssh_host_ecdsa_key
Apr 19 14:38:02 TEST sshd[3939]: error: Could not load host key: /etc/ssh/ssh_host_ed25519_key
Apr 19 14:38:02 TEST sshd[3939]: fatal: No supported key exchange algorithms [preauth]

Cubic PPA (cubic-wizard) wrote :

The solution is to run

    $ sudo ssh-keygen -A

on the computer where the OS was installed using a Cubic generated ISO.

Cubic PPA (cubic-wizard) wrote :

Per the fix for Bug #1824715, Cubic no longer copies the ssh_host keys in /etc/ssh to the customized linux file system. These keys are needed by remote computers to make ssh connections. When openssh-server is installed (in Cubic's chroot environment) using `apt openssh-server` I think new keys are generated, and these new keys should be copied to the customized Linux file system.

Cubic PPA (cubic-wizard) wrote :

Fixed in release revision 53.
Fixed in trunk revision
Fixed by reverting the change for Bug #1824715.

When openssh-server is installed in the chroot environment, the ssh_host keys that are generated use the name of the machine Cubic is running on.

These new keys get copied to the remastered ISO. This can be a security risk, because every machine that the ISO is installed on will have the same ssh_host keys.

However, without these keys on the ISO, it is not possible to ssh into a computer running a remastered Live ISO, without first generating the ssh_host keys using `sudo ssh-keygen -A`. Also, it is not possible to ssh into a computer that had the OS installed from a remastered Live ISO, without first generating the ssh_host keys using `sudo ssh-keygen -A`.

Both of these situations can be addressed by generating the missing keys (`sudo ssh-keygen -A`). The issue arises when the Live ISO or computer with a new OS installed from a remastered Live ISO does not allow a user to log in or enter a recovery mode. In this case, the only option to fix the issue would be to ssh into the computer from a remote machine. Unfortunately, SSH will not work. As a result, the computer cannot be repaired.

In order to overcome this dilemma, Bug #1824715 has been reverted.

To address the security concern, the user should generate new ssh_host keys using `sudo ssh-keygen -A` after installing the OS from a remastered Live ISO on each new machine. If the user is not installing openssh-server, then the user should manually delete the host keys (in /etc/ssh) in Cubic's chroot environment during the customization process.

Changed in cubic:
assignee: nobody → Cubic PPA (cubic-wizard)
importance: Undecided → Critical
status: New → Fix Released