LXC Container Creation Failing: DSA SSH Key Generation Error

Banaszi

Oct 11, 2024
Hello Proxmox community,

I'm running Proxmox 8 on a Mini PC SOYO M2PLUS with the following specs:
- CPU: Intel Celeron N100
- RAM: 16 GB
- Storage: 512 GB

Before getting to my main issue, I should mention that I had to use the guide at https://github.com/dariox64/rtl8169---rtl8168/blob/master/README.md to get my Ethernet working properly on this hardware.

I'm encountering an issue when trying to create an LXC container for Jellyfin. The container creation process fails with the following error:
Code:
Creating SSH host key 'ssh_host_dsa_key' - this may take some time ...
unknown key type dsa
Logical volume "vm-110-disk-0" successfully removed.
TASK ERROR: unable to create CT 110 - command 'ssh-keygen -f /run/pve/.tmp2131.dsa -t dsa -N '' -E sha256 -C root@jellyfin' failed: exit code 255

It seems the container creation is failing due to an attempt to generate a DSA SSH key, which is no longer supported in newer OpenSSH versions. I've tried locating the LXC template file to modify it, but I can't find the file at the expected location (/usr/share/pve/lxc/templates/lxc-pve).

Has anyone else encountered this issue with LXC container creation on Proxmox 8, especially on newer Mini PCs? Are there any recommended solutions or workarounds to prevent the system from attempting to generate DSA keys during container creation?

Any help or guidance would be greatly appreciated. Thank you!
 
I'm getting the same error when I try to create an LXC from the Ubuntu 24.04 template or the Debian 12 template.

Creating SSH host key 'ssh_host_dsa_key' - this may take some time ...
unknown key type dsa
Logical volume "vm-115-disk-0" successfully removed.
TASK ERROR: unable to create CT 115 - command 'ssh-keygen -f /run/pve/.tmp1002089.dsa -t dsa -N '' -E sha256 -C root@immich' failed: exit code 255
 
It seems that Proxmox is trying to create the dsa key, not the template, so Proxmox will need to be updated to work with the newer version of OpenSSH. In the meantime, all we can do is use the older version of OpenSSH, but I can't work out how to downgrade from my current version which ssh -V shows to be "OpenSSH_9.9p1 Debian-1, OpenSSL 3.3.2 3 Sep 2024" to "OpenSSH_9.2p1 Debian-2+deb12u3, OpenSSL 3.0.14 4 Jun 2024".

I've uninstalled it with 'apt remove ssh' and 'apt purge ssh', and when I do 'apt install ssh' it shows

Preparing to unpack .../ssh_1%3a9.2p1-2+deb12u3_all.deb

Unpacking ssh (1:9.2p1-2+deb12u3)

Setting up ssh (1:9.2p1-2+deb12u3)

but 'ssh -V' still shows "OpenSSH_9.9p1 Debian-1, OpenSSL 3.3.2 3 Sep 2024"

'apt list -a ssh' only shows

ssh/stable,stable-security,now 1:9.2p1-2+deb12u3 all [installed]

and 'apt list -a openssl' shows:

openssl/now 3.3.2-1 amd64 [installed,local]

openssl/stable-security 3.0.14-1~deb12u2 amd64

openssl/stable 3.0.14-1~deb12u1 amd64

Even if I downgrade openssl with 'apt-get install openssl=3.0.14-1~deb12u2'

and confirm this with 'apt list -a openssl'

openssl/stable-security,now 3.0.14-1~deb12u2 amd64 [installed]

openssl/stable 3.0.14-1~deb12u1 amd64

'ssh -V' still shows "OpenSSH_9.9p1 Debian-1, OpenSSL 3.3.2 3 Sep 2024"
 
OK, I realised I should have been trying to downgrade OpenSSH-server, not ssh.

'apt install openssh-server=1:9.2p1-2+deb12u3' returns

Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
Some packages could not be installed. This may mean that you have
requested an impossible situation or if you are using the unstable
distribution that some required packages have not yet been created
or been moved out of Incoming.
The following information may help to resolve the situation:

The following packages have unmet dependencies:
openssh-server : Depends: openssh-client (= 1:9.2p1-2+deb12u3) but it is not going to be installed
Depends: openssh-sftp-server but it is not going to be installed
Recommends: default-logind or
logind or
libpam-systemd but it is not going to be installed
Recommends: xauth but it is not going to be installed
python3 : PreDepends: python3-minimal (= 3.11.2-1+b1) but it is not going to be installed
Depends: python3.11 (>= 3.11.2-1~) but it is not going to be installed
Depends: libpython3-stdlib (= 3.11.2-1+b1) but it is not going to be installed
E: Error, pkgProblemResolver::Resolve generated breaks, this may be caused by held packages.

So I tried to downgrade openssh-client with 'apt install openssh-client=1:9.2p1-2+deb12u3' but that returns

Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
Some packages could not be installed. This may mean that you have
requested an impossible situation or if you are using the unstable
distribution that some required packages have not yet been created
or been moved out of Incoming.
The following information may help to resolve the situation:

The following packages have unmet dependencies:
python3 : PreDepends: python3-minimal (= 3.11.2-1+b1) but it is not going to be installed
Depends: python3.11 (>= 3.11.2-1~) but it is not going to be installed
Depends: libpython3-stdlib (= 3.11.2-1+b1) but it is not going to be installed
E: Error, pkgProblemResolver::Resolve generated breaks, this may be caused by held packages.

So I checked the versions of those packages.

'apt list -a python3-minimal' shows
python3-minimal/stable,now 3.11.2-1+b1 amd64 [installed]

'apt list -a python3.11' shows

python3.11/stable-security,now 3.11.2-6+deb12u3 amd64 [installed]
python3.11/stable 3.11.2-6+deb12u2 amd64

and 'apt list -a libpython3-stdlib' shows

libpython3-stdlib/stable,now 3.11.2-1+b1 amd64 [installed]

So all the dependencies for openssh-client=1:9.2p1-2+deb12u3 seem to be met, and I don't know why it won't let me downgrade.
 
This suggestion by a user on Reddit fixed it for me https://www.reddit.com/r/Proxmox/comments/1g8d7kn/comment/lu8qb1s/

I did this in an LXC and added the trixie repo so that I could update OpenSSL to match the version on my host, but that may not be necessary if your host is still using the current version. After building openssh, I just copied the ssh* files from /usr/bin to a mounted folder on my host, and from there to /usr/bin/ on my host.
  1. Make sure you have build dependencies:
    apt update && apt install build-essential libssl-dev zlib1g-dev
  2. Download the portable version of OpenSSH you want to build (You can find a list of them here, or use a different version)
    wget https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-9.9p1.tar.gz
  3. Uncompress it and move into the directory
    tar -xzf openssh-9.9p1.tar.gz && cd openssh-9.9p1/
  4. Edit configuration to enable DSA key support
    ./configure --prefix=/usr --sysconfdir=/etc/ssh --with-privsep-path=/var/lib/sshd --enable-dsa-keys
  5. Build & install it (This step may take a minute or two)
    make && make install
  6. When it's all done building, try creating a DSA key again to see if it still gives the unknown key type error
    ssh-keygen -t dsa
 
The root cause is the updated openssh correctly no longer supporting DSA host keys. You can trace this back through /usr/share/perl5/PVE/LXC/Setup.pm to /usr/share/perl5/PVE/LXC/Setup/Base.pm in ssh_host_key_types_to_generate and remove the dsa => 'ssh_host_dsa_key' entry there.

Perl:
sub ssh_host_key_types_to_generate {
    my ($self) = @_;

    return {
        rsa => 'ssh_host_rsa_key',
        ecdsa => 'ssh_host_ecdsa_key',
        ed25519 => 'ssh_host_ed25519_key',
    };
}

Then restart the UI

Shell:
systemctl restart pveproxy pvedaemon
 
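A read-only check for the condition the two fixes above address, as an added example that is not from the thread or from Proxmox: it lists the key types in ssh_host_key_types_to_generate and probes whether the installed ssh-keygen accepts each one. The sample function body is constructed (its entry order is an assumption) and the helper names are made up for this example.

```shell
#!/bin/sh
# Added example, not from the thread. Pass the path to Base.pm as $1.

# Constructed sample of the unpatched function (entry order is an assumption).
sample_base_pm() {
    cat <<'EOF'
sub ssh_host_key_types_to_generate {
    my ($self) = @_;

    return {
        rsa => 'ssh_host_rsa_key',
        dsa => 'ssh_host_dsa_key',
        ecdsa => 'ssh_host_ecdsa_key',
        ed25519 => 'ssh_host_ed25519_key',
    };
}
EOF
}

# Print the key types listed in ssh_host_key_types_to_generate, one per line.
listed_key_types() {
    awk '
        /^sub ssh_host_key_types_to_generate/ { in_sub = 1; next }
        in_sub && /^[}]/ { in_sub = 0 }
        in_sub && /=>/ && $0 !~ /^[ \t]*#/ {
            sub(/^[ \t]*/, ""); sub(/[ \t]*=>.*/, ""); print
        }
    ' "$1"
}

# Return 0 if the installed ssh-keygen can create a key of type $1.
keygen_supports() {
    command -v ssh-keygen >/dev/null 2>&1 || return 2
    tmp=$(mktemp -d) || return 2
    ssh-keygen -q -t "$1" -N '' -f "$tmp/probe" >/dev/null 2>&1 && rc=0 || rc=$?
    rm -rf "$tmp"
    return "$rc"
}

# Report each listed type; return 1 if any would abort container creation.
check_host_key_types() {
    bad=0
    for t in $(listed_key_types "$1"); do
        if keygen_supports "$t"; then echo "ok     $t"
        else echo "FAILS  $t"; bad=1; fi
    done
    return "$bad"
}

if [ "$#" -gt 0 ]; then check_host_key_types "$1"; fi
```

A type reported as FAILS is one the installed ssh-keygen rejects, which is the condition behind the `unknown key type dsa` task error quoted in the thread.
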
Thanks for the alternative fix. Hopefully PVE will be updated to be compatible with the latest OpenSSH soon.
 
