ssh host keys generated during container creation are not valid (error: "could not load host key")

sunnyside

Hi everyone,

I can't get sshd working after creating an LXC container based on a CentOS 6 template on Proxmox 6.2.

The error I got in /var/log/messages of the container when I tried to ssh into it is:
sshd: error: Could not load host key: /etc/ssh/ssh_host_rsa_key
sshd: error: Could not load host key: /etc/ssh/ssh_host_dsa_key

So it seems that the ssh host keys generated during container creation are not valid.

If I use the same template on Proxmox 6.1, everything is ok (same template, same ansible playbook for creation).

Can you help?

I really need sshd working in the container after creation because I use ansible/ssh to create and configure the container.

Many thanks


my proxmox version:
- pve-manager/6.2-4/9824574a (running kernel: 5.4.34-1-pve)

my template:
- based on centos-6-default_20191016_amd64.tar.xz (latest)
- yum update
- yum install openssh-server
- host keys removed
 
Hi,

May I ask why you need to use CentOS 6?

However, you need to create a new ssh_host_rsa_key. Try this command inside the container:

Bash:
ssh-keygen -b 4096 -t rsa -f /etc/ssh/ssh_host_rsa_key

Then rebooting the system or restarting the SSH service should work.
 
Thanks for your answer.

The problem I see is that I really need to automate the container creation (in ansible/proxmoxer).
And ansible needs a working sshd to connect to the container...

Do you see a solution I could use to automate your solution? Maybe "pct exec"?

And do you think it will be patched later in Proxmox 6.2 (I have no idea of the real problem)?

Another solution could be to downgrade to pve 6.1 but I prefer not to!

And to answer your question, we need to build software on CentOS 6 and we still use it a lot on production (hundreds of ct thanks to proxmox!).

Best regards
 
Hi,

> Do you see a solution I could use to automate your solution? Maybe "pct exec"?

Yes, you can execute commands in the LXC container using pct exec. Try this command, please:

Bash:
pct exec <VMID> -- bash -c 'ssh-keygen -b 4096 -t rsa -f /etc/ssh/ssh_host_rsa_key'

> And do you think it will be patched later in Proxmox 6.2 (I have no idea of the real problem)?

First let me check if this comes from the template.

> And to answer your question, we need to build software on CentOS 6 and we still use it a lot on production (hundreds of ct thanks to proxmox!).

Thanks for the clarification. You can use CentOS 8 as well, but I don't know if this is an option for you :)
 
This is how I finally managed to work around the problem in ansible:

First, I added a test to connect to the lxc container to check if sshd was functional or not.
This is because the playbook needs to be idempotent.
If not, the ssh host keys would have been re-generated every time we would have run the playbook, which is obviously not what we want!

Then, if the test says that sshd is not functional, I regenerated the ssh host keys with this pct command (thanks!):
Code:
pct exec {{ lxc_vmid }} -- bash -c 'rm -fv /etc/ssh/ssh_host_* ; /etc/init.d/sshd restart'

The reason I didn't use ssh-keygen is because it asks for a confirmation before overwriting the existing key.
I think ansible can manage this, but I preferred to script it this way because it can generate all types of keys in one command.

Did you check if the problem was coming from the template or from somewhere else?

Best regards
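
An added example, not part of the original posts: the check-then-regenerate logic described in the post above, written as one shell script to run inside the container. It validates each key with ssh-keygen and regenerates only the unusable ones. The function names and the SSH_DIR and KEY_BITS variables are assumptions of this sketch.

```shell
#!/bin/sh
# Added example (not from the thread): idempotent host-key check and repair,
# meant to run inside the container. Function names, SSH_DIR and KEY_BITS
# are assumptions of this sketch.

# Succeeds only if the private key exists, is non-empty and can be parsed.
host_key_ok() {
    key=$1
    [ -s "$key" ] || return 1
    chmod 600 "$key" || return 1   # private host keys stay owner-only
    # -y derives the public key and fails on a truncated or corrupt file;
    # -P '' and </dev/null keep it from ever waiting on a passphrase prompt.
    ssh-keygen -y -P '' -f "$key" </dev/null >/dev/null 2>&1
}

# Regenerates one key type only when the existing key is unusable.
# Returns 0 if the key was already valid, 10 if regenerated, 1 on error.
ensure_host_key() {
    key="$1/ssh_host_${2}_key"
    if host_key_ok "$key"; then return 0; fi
    rm -f "$key" "$key.pub"
    bits=
    if [ "$2" = rsa ]; then bits="-b ${KEY_BITS:-4096}"; fi
    # -N '' sets an empty passphrase and -q silences output: nothing prompts.
    ssh-keygen -q -t "$2" $bits -N '' -f "$key" </dev/null || return 1
    chmod 600 "$key" || return 1
    chmod 644 "$key.pub" || return 1
    return 10
}

# Checks each listed key type in a directory; prints "changed" or "ok".
ensure_host_keys() {
    dir=$1; shift
    changed=0
    for t in "$@"; do
        rc=0
        ensure_host_key "$dir" "$t" || rc=$?
        case $rc in
            0)  ;;
            10) changed=1 ;;
            *)  echo "failed: $t" >&2; return 1 ;;
        esac
    done
    if [ "$changed" -eq 1 ]; then echo changed; else echo ok; fi
}

# Runs only when SSH_DIR is set; rsa and dsa are the types in the error log.
if [ -n "${SSH_DIR:-}" ]; then
    ensure_host_keys "$SSH_DIR" rsa dsa
fi
```

The printed word can feed an Ansible task's changed_when, so a second run of the playbook reports no change and leaves valid keys untouched.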
 
Hi,

Thanks for sharing your solution but you can do chmod 644 /etc/ssh/ssh_host_rsa_key then service sshd restart as well :)
 