Topic: SSHD needs keygen and restart everytime after reboot

Offline tohox

  • Newbie
  • *
  • Posts: 25
SSHD needs keygen and restart everytime after reboot
« on: October 13, 2016, 10:56:11 AM »
Hi,

I'm not sure what caused this but every time I reboot PiCore 8.0 I now have to regenerate my sshd keys and restart the daemon in order to connect via SSH.

/opt/.filetool.lst contains the following:

Code:
opt
home
etc/passwd
etc/shadow
etc/group
etc/gshadow
usr/local/etc/ssh/sshd_config
usr/local/etc/ssh/ssh_host_dsa_key
usr/local/etc/ssh/ssh_host_dsa_key.pub
usr/local/etc/ssh/ssh_host_ecdsa_key
usr/local/etc/ssh/ssh_host_ecdsa_key.pub
usr/local/etc/ssh/ssh_host_ed25519_key
usr/local/etc/ssh/ssh_host_ed25519_key.pub
usr/local/etc/ssh/ssh_host_rsa_key
usr/local/etc/ssh/ssh_host_rsa_key.pub
usr/local/lib/python3.5/site-packages/

Even though I do a filetool.sh -b after generating and overwriting the keys I can't reconnect after a reboot...

Any ideas?

Thanks!

Offline polikuo

  • Hero Member
  • *****
  • Posts: 714
Re: SSHD needs keygen and restart everytime after reboot
« Reply #1 on: October 13, 2016, 09:09:27 PM »
> I now have to regenerate my sshd keys and restart the daemon in order to connect via SSH.

You said you need to restart the daemon.
Do you have this line in your /opt/bootlocal.sh?
Code:
/usr/local/etc/init.d/openssh start
Or perhaps somehow you didn't back up successfully?
Do you have to reset your password after a reboot?

Offline archieb0ld

  • Newbie
  • *
  • Posts: 20
Re: SSHD needs keygen and restart everytime after reboot
« Reply #2 on: November 03, 2016, 09:19:52 PM »
I have to admit I'm running into the same problem. During boot, right after "Executing startup scripts", the system starts generating the keys.

My setup is as follows (it worked on piCore 6):
I have the keys copied to a USB drive and I edit /opt/bootlocal.sh and create all the symlinks before starting the ssh daemon.

Now, to solve the issue, I have tried moving the symlink creation to bootsync.sh, thinking that it could help, but the keys were still being generated, regardless of the fact that the files were created before starting openssh.tcz (I removed openssh.tcz from onboot.lst to check if the keys were copied over to /usr/local/etc/ssh/, and they were).
As the last option, I used the "filetool.sh -b" option, but the restoration process takes place after the extensions are loaded, so that doesn't help much, as the boot process is seriously slowed down.

I took a quick look at tce.installed script for openssh, but couldn't find any errors.

As a side note: I didn't use the openssh.tcz that is bundled with the RPi image. I manually installed it with tce-load -wi instead. Maybe the problem is there...

Offline bmarkus

  • Administrator
  • Hero Member
  • *****
  • Posts: 7183
    • My Community Forum
Re: SSHD needs keygen and restart everytime after reboot
« Reply #3 on: November 03, 2016, 11:36:04 PM »
> My setup is as follows (it worked on piCore 6):

Try piCore-8.0. After the first run, make a backup by typing in a terminal:

Code:
filetool.sh -b

Reboot.

Béla
Ham Radio callsign: HA5DI

"Amateur Radio: The First Technology-Based Social Network."

Offline archieb0ld

  • Newbie
  • *
  • Posts: 20
Re: SSHD needs keygen and restart everytime after reboot
« Reply #4 on: November 04, 2016, 02:57:15 AM »
I was trying this on 8.0; my whole story is about 8.0 not working. In 6.0, everything worked out of the box, just by modifying bootlocal.sh.

Offline Paul_123

  • Administrator
  • Hero Member
  • *****
  • Posts: 1072
Re: SSHD needs keygen and restart everytime after reboot
« Reply #5 on: November 04, 2016, 06:21:55 AM »
Everything works out of the box. I probably have 10 Pis running piCore 8. They all back up and restore keys appropriately. Why are you trying to install keys from a USB stick? If you are trying to do things non-standard, then you need to manually do things.

You will need to install your keys in bootlocal, then load openssh.tcz with tce-load -i openssh.tcz.

Just make sure that you are installing all key types. If a key type is missing then it will be automatically generated.
« Last Edit: November 04, 2016, 06:27:51 AM by Paul_123 »

Offline archieb0ld

  • Newbie
  • *
  • Posts: 20
Re: SSHD needs keygen and restart everytime after reboot
« Reply #6 on: November 04, 2016, 10:16:52 AM »
I have tried doing things the "standard" way (backing up using filetool.sh ???), but as I mentioned, it doesn't work either.
In piCore 6 both ways worked. It seems to me that in version 6 the keys were checked during the start of the openssh daemon; however, in version 8 they are checked during openssh.tcz loading. In any case, even if backed up, openssh doesn't see the keys, because it starts before the keys are restored from backup.

Offline gavinmc42

  • Sr. Member
  • ****
  • Posts: 301
Re: SSHD needs keygen and restart everytime after reboot
« Reply #7 on: November 04, 2016, 07:15:40 PM »
Very weird.

You tried using standard piCore8 and not touching anything except filetool.sh -b?
It just works for me, using openssh every day on lots of Pis.

Why use USB key?
Did you add a wait time in cmdline.txt for the USB to come up?


Offline Paul_123

  • Administrator
  • Hero Member
  • *****
  • Posts: 1072
Re: SSHD needs keygen and restart everytime after reboot
« Reply #8 on: November 04, 2016, 08:09:21 PM »
Bela,

I did some looking into this. I'm tending to agree that keys get generated during every boot. They are just overwritten by the restore of mydata.

During boot, extensions are loaded first, and after that is complete, mydata is restored. Since /usr/local/tce.installed/openssh gets executed immediately after the extensions are mounted, it has to start generating keys before the restore of mydata occurs. mydata then gets restored, overwriting any keys that were generated.

You can for sure see this happen if you enable showapps on the command line.

Offline bmarkus

  • Administrator
  • Hero Member
  • *****
  • Posts: 7183
    • My Community Forum
Re: SSHD needs keygen and restart everytime after reboot
« Reply #9 on: November 05, 2016, 11:49:32 AM »
openssh.tcz updated, key generation moved from tce.installed to /etc/profile.d where it is executed after backup restored. Please try.
Béla
Ham Radio callsign: HA5DI

"Amateur Radio: The First Technology-Based Social Network."

Offline Paul_123

  • Administrator
  • Hero Member
  • *****
  • Posts: 1072
Re: SSHD needs keygen and restart everytime after reboot
« Reply #10 on: November 05, 2016, 01:55:13 PM »
Not that anyone would run remotely this way, but if you have the command line option "pause" set, that prevents the profile.d script from running.

Also, when you distribute the image, you do not distribute keys with the image. Keys will get generated on first boot; however, bootlocal.sh has already tried to start the openssh daemon and failed, since there were no keys present. So there will be no way to log in remotely to back up the keys and reboot.

Offline bmarkus

  • Administrator
  • Hero Member
  • *****
  • Posts: 7183
    • My Community Forum
Re: SSHD needs keygen and restart everytime after reboot
« Reply #11 on: November 05, 2016, 02:05:31 PM »
@Paul_123

You are right
Béla
Ham Radio callsign: HA5DI

"Amateur Radio: The First Technology-Based Social Network."

Offline Paul_123

  • Administrator
  • Hero Member
  • *****
  • Posts: 1072
Re: SSHD needs keygen and restart everytime after reboot
« Reply #12 on: November 07, 2016, 07:04:43 PM »
Why not just check as a part of the init.d script and generate if needed?

Offline bmarkus

  • Administrator
  • Hero Member
  • *****
  • Posts: 7183
    • My Community Forum
Re: SSHD needs keygen and restart everytime after reboot
« Reply #13 on: November 08, 2016, 04:57:10 AM »
> Why not just check as a part of the init.d script and generate if needed?

Yes, I will do that.
Béla
Ham Radio callsign: HA5DI

"Amateur Radio: The First Technology-Based Social Network."
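
Added example (not the openssh.tcz init script or any poster's code): a sketch of the "check in the init.d script and generate if needed" approach agreed above. It creates only the host keys that the restored backup did not supply, so the host's identity stays the same across reboots. The key directory comes from the thread; `ensure_host_keys`, `KEY_TYPES` and the `KEYGEN` override are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: idempotent host-key check for the start path of an init script.
# KEY_DIR follows the paths quoted in the thread. KEY_TYPES and KEYGEN are
# assumptions; DSA is omitted here, set KEY_TYPES to match your OpenSSH build.
KEY_DIR="${KEY_DIR:-/usr/local/etc/ssh}"
KEY_TYPES="${KEY_TYPES:-rsa ecdsa ed25519}"
KEYGEN="${KEYGEN:-ssh-keygen}"

# Prints one line per key type: "kept <type>" or "generated <type>".
# Returns non-zero if any missing key could not be created.
ensure_host_keys() {
    dir="${1:-$KEY_DIR}"
    rc=0
    mkdir -p "$dir" || return 1
    for t in $KEY_TYPES; do
        key="$dir/ssh_host_${t}_key"
        # A restored private key is left untouched: replacing it changes the
        # host's identity and every client then sees a host-key mismatch.
        if [ -s "$key" ]; then
            echo "kept $t"
            continue
        fi
        # Missing or zero-length: clear leftovers so the keygen never prompts
        # about overwriting, then create the key with an empty passphrase.
        rm -f "$key" "$key.pub"
        if "$KEYGEN" -q -t "$t" -N "" -f "$key" && [ -s "$key" ]; then
            echo "generated $t"
        else
            echo "failed $t" >&2
            rc=1
        fi
    done
    return $rc
}

# Intended use (assumption): call ensure_host_keys in the start) branch of the
# init script, after the backup has been restored and before sshd is launched.
```

Because the check runs when the daemon is started rather than when the extension is loaded, it sees whatever the backup restore put in place and also covers the first boot of a freshly distributed image.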

Offline archieb0ld

  • Newbie
  • *
  • Posts: 20
Re: SSHD needs keygen and restart everytime after reboot
« Reply #14 on: November 10, 2016, 03:54:51 PM »
> openssh.tcz updated, key generation moved from tce.installed to /etc/profile.d where it is executed after backup restored. Please try.

Thanks for updating openssh.tcz.
If the "pause" bootcode is used, the error message is displayed: /usr/local/etc/ssh/sshd_config: No such file or directory
Otherwise, everything works and the keys are generated just once, indeed.
« Last Edit: November 10, 2016, 03:57:27 PM by archieb0ld »