Ping a Specific Port

Question

Jaroslav Kucera

Asked: 2022-11-25 10:28:33 +0800 CST2022-11-25 10:28:33 +0800 CST 2022-11-25 10:28:33 +0800 CST

Why the RHEL8 system do not generate SSH host keys automatically when missing?

772

On the RHEL 8 and previous it is usual, that the SSH host keys in /etc/ssh are generated automatically by sshd service when missing. Usually there should be:

/etc/ssh/ssh_host_ecdsa_key
/etc/ssh/ssh_host_ecdsa_key.pub
/etc/ssh/ssh_host_ed25519_key
/etc/ssh/ssh_host_ed25519_key.pub
/etc/ssh/ssh_host_rsa_key
/etc/ssh/ssh_host_rsa_key.pub

Restart of the node or even systemctl restart sshd should be sufficient.

But as of the minor version RHEL 8.7 this may not work any more and the sshd crashes complaining about missing host keys in the journal log. Why? How can I solve this?

1 Answers

Voted

Jaroslav Kucera · Answer 1 · 2022-11-25T10:28:33+08:00

The sshd service by default calls sshd-keygen.target, which checks availability of host keys in /etc/ssh directory and generates it when missing.

However this well known functionality can be blocked by the new version of cloud-init. As of cloud-init-22.1-5.el8.noarch there is new file:

/etc/systemd/system/[email protected]/disable-sshd-keygen-if-cloud-init-active.conf

with content:

# In some cloud-init enabled images the sshd-keygen template service may race
# with cloud-init during boot causing issues with host key generation.  This
# drop-in config adds a condition to [email protected] if it exists and
# prevents the sshd-keygen units from running *if* cloud-init is going to run.
#
[Unit]
ConditionPathExists=!/run/systemd/generator.early/multi-user.target.wants/cloud-init.target

So when you use the cloud-init you have 2 options now:

Generate host keys manually with ssh-keygen -A (see How to change a SSH host key? for more details and options.
Comment the condition

Simply put the # sign before ConditionPathExists...

[Unit]
#ConditionPathExists=!/run/systemd/generator.early/multi-user.target.wants/cloud-init.target

Then reload the systemd configuration with systemctl daemon-reload. The usual behavior should be working again.

Why the RHEL8 system do not generate SSH host keys automatically when missing?

Can you pass user/pass for HTTP Basic Authentication in URL parameters?

Ping a Specific Port

Check if port is open or closed on a Linux server?

How to automate SSH login with password?

How do I tell Git for Windows where to find my private RSA key?

What's the default superuser username/password for postgres after a new install?

What port does SFTP use?

Command line to list users in a Windows Active Directory group?

What is a Pem file and how does it differ from other OpenSSL Generated Key File Formats?

How to determine if a bash variable is empty?