ssh-keygen problem

Mark_79

New Member
Jul 5, 2018
Hello.

After upgrading the openssh package in Debian I got the error "TASK ERROR: command 'ssh-keygen -f /tmp/25530.ssh_host_rsa_key -t rsa -N '' -E sha256 -C root@105' failed: exit code 1" when trying to create a container.

Here is log

Code:
  Using default stripesize 64.00 KiB.
  For thin pool auto extension activation/thin_pool_autoextend_threshold should be below 100.
  Logical volume "vm-105-disk-1" created.
  WARNING: Sum of all thin volume sizes (653.00 GiB) exceeds the size of thin pool pve/data and the size of whole volume group (446.88 GiB)!
mke2fs 1.43.4 (31-Jan-2017)
Discarding device blocks:    4096/2097152               done                           
Creating filesystem with 2097152 4k blocks and 524288 inodes
Filesystem UUID: 21ed8546-53f3-40a7-abe4-d0185fea6e4a
Superblock backups stored on blocks:
    32768, 98304, 163840, 229376, 294912, 819200, 884736, 1605632

Allocating group tables:  0/64     done                           
Writing inode tables:  0/64     done                           
Creating journal (16384 blocks): done
Multiple mount protection is enabled with update interval 5 seconds.
Writing superblocks and filesystem accounting information:  0/64     done

extracting archive '/var/lib/vz/template/cache/centos-7-default_20170504_amd64_new.tar.gz'
Total bytes read: 495943680 (473MiB, 134MiB/s)
Detected container architecture: amd64
Creating SSH host key 'ssh_host_rsa_key' - this may take some time ...
unknown option -- E

usage: ssh-keygen [options]
Options:
  -A          Generate non-existent host keys for all key types.
  -a number   Number of KDF rounds for new key format or moduli primality tests.
  -B          Show bubblebabble digest of key file.
  -b bits     Number of bits in the key to create.
  -C comment  Provide new comment.
  -c          Change comment in private and public key files.
  -D pkcs11   Download public key from pkcs11 token.
  -e          Export OpenSSH to foreign format key file.
  -F hostname Find hostname in known hosts file.
  -f filename Filename of the key file.
  -G file     Generate candidates for DH-GEX moduli.
  -g          Use generic DNS resource record format.
  -H          Hash names in known_hosts file.
  -h          Generate host certificate instead of a user certificate.
  -I key_id   Key identifier to include in certificate.
  -i          Import foreign format to OpenSSH key file.
  -J number   Screen this number of moduli lines.
  -j number   Start screening moduli at specified line.
  -K checkpt  Write checkpoints to this file.
  -k          Generate a KRL file.
  -L          Print the contents of a certificate.
  -l          Show fingerprint of key file.
  -M memory   Amount of memory (MB) to use for generating DH-GEX moduli.
  -m key_fmt  Conversion format for -e/-i (PEM|PKCS8|RFC4716).
  -N phrase   Provide new passphrase.
  -n name,... User/host principal names to include in certificate
  -O option   Specify a certificate option.
  -o          Enforce new private key format.
  -P phrase   Provide old passphrase.
  -p          Change passphrase of private key file.
  -Q          Test whether key(s) are revoked in KRL.
  -q          Quiet.
  -R hostname Remove host from known_hosts file.
  -r hostname Print DNS resource record.
  -S start    Start point (hex) for generating DH-GEX moduli.
  -s ca_key   Certify keys with CA key.
  -T file     Screen candidates for DH-GEX moduli.
  -t type     Specify type of key to create.
  -u          Update KRL rather than creating a new one.
  -V from:to  Specify certificate validity interval.
  -v          Verbose.
  -W gen      Generator to use for generating DH-GEX moduli.
  -y          Read private key file and print public key.
  -Z cipher   Specify a cipher for new private key format.
  -z serial   Specify a serial number.
  Logical volume "vm-105-disk-1" successfully removed
TASK ERROR: command 'ssh-keygen -f /tmp/25530.ssh_host_rsa_key -t rsa -N '' -E sha256 -C root@105' failed: exit code 1

I tried to downgrade the ssh package, but no luck.
 
Problem solved.

You need to change the file /usr/share/perl5/PVE/LXC/Setup.pm.
On line 264 you need to delete the entry " '-E', 'sha256' "

P.S. Backup file Setup.pm before editing.
 
Which version of openssh do you have on your host? ('dpkg -l |grep openssh')
 
Hello.

Latest

Code:
ii  openssh-client                       1:7.4p1-10+deb9u3              amd64        secure shell (SSH) client, for secure access to remote machines
ii  openssh-server                       1:7.4p1-10+deb9u3              amd64        secure shell (SSH) server, for secure access from remote machines
ii  openssh-sftp-server                  1:7.4p1-10+deb9u3              amd64        secure shell (SSH) sftp server module, for SFTP access from remote machines
 
Code:
proxmox-ve: 5.2-2 (running kernel: 4.15.17-3-pve)
pve-manager: 5.2-5 (running version: 5.2-5/eb24855a)
pve-kernel-4.15: 5.2-3
pve-kernel-4.15.17-3-pve: 4.15.17-14
pve-kernel-4.15.15-1-pve: 4.15.15-6
pve-kernel-4.10.17-2-pve: 4.10.17-20
corosync: 2.4.2-pve5
criu: 2.11.1-1~bpo90
glusterfs-client: 3.8.8-1
ksm-control-daemon: 1.2-2
libjs-extjs: 6.0.1-2
libpve-access-control: 5.0-8
libpve-apiclient-perl: 2.0-5
libpve-common-perl: 5.0-35
libpve-guest-common-perl: 2.0-17
libpve-http-server-perl: 2.0-9
libpve-storage-perl: 5.0-23
libqb0: 1.0.1-1
lvm2: 2.02.168-pve6
lxc-pve: 3.0.0-3
lxcfs: 3.0.0-1
novnc-pve: 1.0.0-1
proxmox-widget-toolkit: 1.0-19
pve-cluster: 5.0-27
pve-container: 2.0-24
pve-docs: 5.2-4
pve-firewall: 3.0-12
pve-firmware: 2.0-4
pve-ha-manager: 2.0-5
pve-i18n: 1.0-6
pve-libspice-server1: 0.12.8-3
pve-qemu-kvm: 2.11.1-5
pve-xtermjs: 1.0-5
qemu-server: 5.0-29
smartmontools: 6.5+svn4324-1
spiceterm: 3.0-5
vncterm: 1.5-3
zfsutils-linux: 0.7.9-pve1~bpo9
 
hmm - cannot reproduce this, however I noticed that the current centos 7 container template has a newer timestamp (centos-7-default_20171212_amd64.tar.xz vs. centos-7-default_20170504_amd64_new.tar.gz ).

could you download the newer template and try with that?
 
Hello.
I only enable ssh by default in this template. This error was on centos and debian templates.

I downloaded the new template, same result.
Here is log:
Code:
  Using default stripesize 64.00 KiB.
  For thin pool auto extension activation/thin_pool_autoextend_threshold should be below 100.
  Logical volume "vm-105-disk-1" created.
  WARNING: Sum of all thin volume sizes (733.00 GiB) exceeds the size of thin pool pve/data and the size of whole volume group (446.88 GiB)!
mke2fs 1.43.4 (31-Jan-2017)
Discarding device blocks:    4096/2097152               done                           
Creating filesystem with 2097152 4k blocks and 524288 inodes
Filesystem UUID: 42340252-ff8c-4726-8d85-189d01dc9c53
Superblock backups stored on blocks:
    32768, 98304, 163840, 229376, 294912, 819200, 884736, 1605632

Allocating group tables:  0/64     done                           
Writing inode tables:  0/64     done                           
Creating journal (16384 blocks): done
Multiple mount protection is enabled with update interval 5 seconds.
Writing superblocks and filesystem accounting information:  0/64     done

extracting archive '/var/lib/vz/template/cache/centos-7-default_20171212_amd64.tar.xz'
Total bytes read: 402657280 (385MiB, 76MiB/s)
Detected container architecture: amd64
Creating SSH host key 'ssh_host_rsa_key' - this may take some time ...
unknown option -- E

usage: ssh-keygen [options]
Options:
  -A          Generate non-existent host keys for all key types.
  -a number   Number of KDF rounds for new key format or moduli primality tests.
  -B          Show bubblebabble digest of key file.
  -b bits     Number of bits in the key to create.
  -C comment  Provide new comment.
  -c          Change comment in private and public key files.
  -D pkcs11   Download public key from pkcs11 token.
  -e          Export OpenSSH to foreign format key file.
  -F hostname Find hostname in known hosts file.
  -f filename Filename of the key file.
  -G file     Generate candidates for DH-GEX moduli.
  -g          Use generic DNS resource record format.
  -H          Hash names in known_hosts file.
  -h          Generate host certificate instead of a user certificate.
  -I key_id   Key identifier to include in certificate.
  -i          Import foreign format to OpenSSH key file.
  -J number   Screen this number of moduli lines.
  -j number   Start screening moduli at specified line.
  -K checkpt  Write checkpoints to this file.
  -k          Generate a KRL file.
  -L          Print the contents of a certificate.
  -l          Show fingerprint of key file.
  -M memory   Amount of memory (MB) to use for generating DH-GEX moduli.
  -m key_fmt  Conversion format for -e/-i (PEM|PKCS8|RFC4716).
  -N phrase   Provide new passphrase.
  -n name,... User/host principal names to include in certificate
  -O option   Specify a certificate option.
  -o          Enforce new private key format.
  -P phrase   Provide old passphrase.
  -p          Change passphrase of private key file.
  -Q          Test whether key(s) are revoked in KRL.
  -q          Quiet.
  -R hostname Remove host from known_hosts file.
  -r hostname Print DNS resource record.
  -S start    Start point (hex) for generating DH-GEX moduli.
  -s ca_key   Certify keys with CA key.
  -T file     Screen candidates for DH-GEX moduli.
  -t type     Specify type of key to create.
  -u          Update KRL rather than creating a new one.
  -V from:to  Specify certificate validity interval.
  -v          Verbose.
  -W gen      Generator to use for generating DH-GEX moduli.
  -y          Read private key file and print public key.
  -Z cipher   Specify a cipher for new private key format.
  -z serial   Specify a serial number.
  Logical volume "vm-105-disk-1" successfully removed
TASK ERROR: command 'ssh-keygen -f /tmp/2250.ssh_host_rsa_key -t rsa -N '' -E sha256 -C root@105' failed: exit code 1


I think the problem is in the new version of the openssh package, because they deleted the -E option.
 
That's really odd, the ssh-keygen command gets called on the PVE host.
What's the output if you type in your shell:
Code:
ssh-keygen --help
type ssh-keygen
which ssh-keygen
 
Code:
root@OKUS-16:~# ssh-keygen --help
unknown option -- -
usage: ssh-keygen [options]
Options:
  -A          Generate non-existent host keys for all key types.
  -a number   Number of KDF rounds for new key format or moduli primality tests.
  -B          Show bubblebabble digest of key file.
  -b bits     Number of bits in the key to create.
  -C comment  Provide new comment.
  -c          Change comment in private and public key files.
  -D pkcs11   Download public key from pkcs11 token.
  -e          Export OpenSSH to foreign format key file.
  -F hostname Find hostname in known hosts file.
  -f filename Filename of the key file.
  -G file     Generate candidates for DH-GEX moduli.
  -g          Use generic DNS resource record format.
  -H          Hash names in known_hosts file.
  -h          Generate host certificate instead of a user certificate.
  -I key_id   Key identifier to include in certificate.
  -i          Import foreign format to OpenSSH key file.
  -J number   Screen this number of moduli lines.
  -j number   Start screening moduli at specified line.
  -K checkpt  Write checkpoints to this file.
  -k          Generate a KRL file.
  -L          Print the contents of a certificate.
  -l          Show fingerprint of key file.
  -M memory   Amount of memory (MB) to use for generating DH-GEX moduli.
  -m key_fmt  Conversion format for -e/-i (PEM|PKCS8|RFC4716).
  -N phrase   Provide new passphrase.
  -n name,... User/host principal names to include in certificate
  -O option   Specify a certificate option.
  -o          Enforce new private key format.
  -P phrase   Provide old passphrase.
  -p          Change passphrase of private key file.
  -Q          Test whether key(s) are revoked in KRL.
  -q          Quiet.
  -R hostname Remove host from known_hosts file.
  -r hostname Print DNS resource record.
  -S start    Start point (hex) for generating DH-GEX moduli.
  -s ca_key   Certify keys with CA key.
  -T file     Screen candidates for DH-GEX moduli.
  -t type     Specify type of key to create.
  -u          Update KRL rather than creating a new one.
  -V from:to  Specify certificate validity interval.
  -v          Verbose.
  -W gen      Generator to use for generating DH-GEX moduli.
  -y          Read private key file and print public key.
  -Z cipher   Specify a cipher for new private key format.
  -z serial   Specify a serial number.
root@OKUS-16:~# type ssh-keygen
ssh-keygen is hashed (/usr/bin/ssh-keygen)
root@OKUS-16:~# which ssh-keygen
/usr/bin/ssh-keygen
root@OKUS-16:~#
 
Do you run the commands on your PVE host? (I cannot reproduce the output)

What's the output of
Code:
dpkg -S /usr/bin/ssh-keygen
 
Hello.
Yes, I ran all commands on the PVE host (not a VPS).

Code:
root@OKUS-16:~# dpkg -S /usr/bin/ssh-keygen
openssh-client: /usr/bin/ssh-keygen


Upgrade your PVE host to the latest Debian packages (or any other Debian OS)
apt-get update
apt-get dist-upgrade

then run
ssh-keygen -E sha256
 
for me the -E sha256 works on all versions of ssh-keygen from jessie onwards (I created a wheezy container - and there it didn't work).

Do the checksums match?:
Code:
# dpkg -l |grep openssh-client
ii  openssh-client                       1:7.4p1-10+deb9u3                       amd64        secure shell (SSH) client, for secure access to remote machines

# debsums openssh-client |grep keygen
/usr/bin/ssh-keygen                                                           OK
/usr/share/man/man1/ssh-keygen.1.gz                                           OK

# grep ssh-keygen /var/lib/dpkg/info/openssh-client.md5sums
7a4d785c127229ebb29cb20ef9c384f1  usr/bin/ssh-keygen
08be768c93f8ab007c3f9b81291c97b3  usr/share/man/man1/ssh-keygen.1.gz

# md5sum /usr/bin/ssh-keygen
7a4d785c127229ebb29cb20ef9c384f1  /usr/bin/ssh-keygen

# sha256sum /usr/bin/ssh-keygen
056617928887222e54bf38684dd6e16c6baa4235db13bdff67bedbbe4092cc6f  /usr/bin/ssh-keygen

# ssh-keygen -E -f /tmp/testkey
Generating public/private rsa key pair.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /tmp/testkey.
Your public key has been saved in /tmp/testkey.pub.
The key fingerprint is:
SHA256:b6jUXQAXHTUhTghNmWzjZo8qkmlHqoO9aUzwte7QIXQ siv@rosa
The key's randomart image is:
+---[RSA 2048]----+
|        o=+*+o+. |
|         oOo.. . |
|  . E    o...    |
|.. ..     +.     |
| o....  So o.    |
|  oo.... +...    |
| =...=. o.+      |
|. =oB.o...       |
| .+*.o..         |
+----[SHA256]-----+
 
Hello.

I have the latest Proxmox installed; it's the Stretch version.

Code:
root@OKUS-16:~# cat /etc/debian_version
9.4


Code:
root@OKUS-16:/etc/apt# dpkg -l |grep openssh-client
ii  openssh-client                       1:7.4p1-10+deb9u3              amd64        secure shell (SSH) client, for secure access to remote machines


root@OKUS-16:/etc/apt# debsums openssh-client |grep keygen
/usr/bin/ssh-keygen                                                       FAILED
/usr/share/man/man1/ssh-keygen.1.gz                                           OK


root@OKUS-16:/etc/apt# grep ssh-keygen /var/lib/dpkg/info/openssh-client.md5sums
7a4d785c127229ebb29cb20ef9c384f1  usr/bin/ssh-keygen
08be768c93f8ab007c3f9b81291c97b3  usr/share/man/man1/ssh-keygen.1.gz


root@OKUS-16:/etc/apt# md5sum /usr/bin/ssh-keygen
08a8ed37bffb46d14f58b34c42007213  /usr/bin/ssh-keygen


root@OKUS-16:/etc/apt# sha256sum /usr/bin/ssh-keygen
3c5bfe084e359a2573a0527783566816d23fa5de746644711ab3489da0422e5c  /usr/bin/ssh-keygen


root@OKUS-16:/etc/apt# ssh-keygen -E -f /tmp/testkey
unknown option -- E
usage: ssh-keygen [options]
Options:
  -A          Generate non-existent host keys for all key types.
  -a number   Number of KDF rounds for new key format or moduli primality tests.
  -B          Show bubblebabble digest of key file.
  -b bits     Number of bits in the key to create.
  -C comment  Provide new comment.
  -c          Change comment in private and public key files.
  -D pkcs11   Download public key from pkcs11 token.
  -e          Export OpenSSH to foreign format key file.
  -F hostname Find hostname in known hosts file.
  -f filename Filename of the key file.
  -G file     Generate candidates for DH-GEX moduli.
  -g          Use generic DNS resource record format.
  -H          Hash names in known_hosts file.
  -h          Generate host certificate instead of a user certificate.
  -I key_id   Key identifier to include in certificate.
  -i          Import foreign format to OpenSSH key file.
  -J number   Screen this number of moduli lines.
  -j number   Start screening moduli at specified line.
  -K checkpt  Write checkpoints to this file.
  -k          Generate a KRL file.
  -L          Print the contents of a certificate.
  -l          Show fingerprint of key file.
  -M memory   Amount of memory (MB) to use for generating DH-GEX moduli.
  -m key_fmt  Conversion format for -e/-i (PEM|PKCS8|RFC4716).
  -N phrase   Provide new passphrase.
  -n name,... User/host principal names to include in certificate
  -O option   Specify a certificate option.
  -o          Enforce new private key format.
  -P phrase   Provide old passphrase.
  -p          Change passphrase of private key file.
  -Q          Test whether key(s) are revoked in KRL.
  -q          Quiet.
  -R hostname Remove host from known_hosts file.
  -r hostname Print DNS resource record.
  -S start    Start point (hex) for generating DH-GEX moduli.
  -s ca_key   Certify keys with CA key.
  -T file     Screen candidates for DH-GEX moduli.
  -t type     Specify type of key to create.
  -u          Update KRL rather than creating a new one.
  -V from:to  Specify certificate validity interval.
  -v          Verbose.
  -W gen      Generator to use for generating DH-GEX moduli.
  -y          Read private key file and print public key.
  -Z cipher   Specify a cipher for new private key format.
  -z serial   Specify a serial number.
root@OKUS-16:/etc/apt#
 
root@OKUS-16:/etc/apt# debsums openssh-client |grep keygen
/usr/bin/ssh-keygen                                                       FAILED

the failed line shows that the binary is not the one that's shipped with the debian-package - it's somehow made immutable (chattr/lsattr).

I would also check whether any other files on the host are affected (debsums can help here)
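
The check suggested above (comparing files with the checksums dpkg recorded, as `debsums` does, and looking at the file attributes with `lsattr`), written out as an added example that is not part of the original thread. The function names `verify_pkg_files`, `make_sample` and `demo` are hypothetical, and the sample tree is constructed so the script runs without touching the real system:

```shell
#!/bin/sh
# Added example: compare files on disk with the MD5 sums dpkg recorded at
# install time. Each line of an md5sums file is "<md5>  <path relative to />",
# as in /var/lib/dpkg/info/openssh-client.md5sums.

# verify_pkg_files <md5sums-file> [root-dir]
# Prints OK / FAILED / MISSING per file; exit status is 1 if any file differs.
verify_pkg_files() (
    sums_file=$1
    root=${2:-/}
    status=0
    while read -r expected rel; do
        [ -n "$rel" ] || continue
        path="${root%/}/$rel"
        if [ ! -f "$path" ]; then
            printf 'MISSING %s\n' "$path"
            status=1
            continue
        fi
        actual=$(md5sum < "$path" | cut -d' ' -f1)
        if [ "$actual" = "$expected" ]; then
            printf 'OK      %s\n' "$path"
        else
            # The thread points at chattr/lsattr: show the attribute flags
            # (for example 'i' = immutable) when lsattr can read them.
            attrs=$(lsattr -d "$path" 2>/dev/null | cut -d' ' -f1)
            printf 'FAILED  %s (expected %s, got %s, attrs %s)\n' \
                "$path" "$expected" "$actual" "${attrs:-n/a}"
            status=1
        fi
    done < "$sums_file"
    exit "$status"
)

# Constructed sample: a fake root with two files and their recorded sums.
make_sample() {
    mkdir -p "$1/root/usr/bin" "$1/root/usr/share/man/man1"
    printf 'original binary\n' > "$1/root/usr/bin/ssh-keygen"
    printf 'man page\n' > "$1/root/usr/share/man/man1/ssh-keygen.1.gz"
    ( cd "$1/root" &&
      md5sum usr/bin/ssh-keygen usr/share/man/man1/ssh-keygen.1.gz
    ) > "$1/pkg.md5sums"
}

# Demo on the constructed tree: replace one file, then verify.
demo() (
    tmp=$(mktemp -d) || exit 1
    make_sample "$tmp"
    printf 'replaced binary\n' > "$tmp/root/usr/bin/ssh-keygen"
    verify_pkg_files "$tmp/pkg.md5sums" "$tmp/root" ||
        echo "=> files differ from the package record"
    rm -rf "$tmp"
)

# With arguments: check a real list, e.g.
#   sh script.sh /var/lib/dpkg/info/openssh-client.md5sums /
if [ "$#" -gt 0 ]; then
    verify_pkg_files "$@"
else
    demo
fi
```

Looping this over every `*.md5sums` file in `/var/lib/dpkg/info/` covers all installed packages that ship checksums; MD5 here only detects a mismatch with dpkg's local record and is not a tamper-proof integrity guarantee.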
 
It's very strange, because I use only the official repository.

I have now reinstalled the openssh-client package and now all is good.


Code:
root@OKUS-16:/etc/apt# apt-get install --reinstall openssh-client
Reading package lists... Done
Building dependency tree
Reading state information... Done
0 upgraded, 0 newly installed, 1 reinstalled, 0 to remove and 0 not upgraded.
Need to get 0 B/779 kB of archives.
After this operation, 0 B of additional disk space will be used.
(Reading database ... 53467 files and directories currently installed.)
Preparing to unpack .../openssh-client_1%3a7.4p1-10+deb9u3_amd64.deb ...
Unpacking openssh-client (1:7.4p1-10+deb9u3) over (1:7.4p1-10+deb9u3) ...
Processing triggers for man-db (2.7.6.1-2) ...
Setting up openssh-client (1:7.4p1-10+deb9u3) ...



root@OKUS-16:/etc/apt# debsums openssh-client |grep keygen
/usr/bin/ssh-keygen                                                           OK
/usr/share/man/man1/ssh-keygen.1.gz                                           OK




root@OKUS-16:/etc/apt# ssh-keygen -E sha256  -f /tmp/testkey
Generating public/private rsa key pair.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /tmp/testkey.
Your public key has been saved in /tmp/testkey.pub.
The key fingerprint is:
SHA256:Sqm6NRlVgEqua6hgl/8X3M4qQqKB9zfAJn6lJ4QS10A root@OKUS-16
The key's randomart image is:
+---[RSA 2048]----+
| .E  ....        |
|  o .  .         |
| o +  .          |
|. + .. .         |
|.+ o. o S .      |
|+.+.**.. o .     |
|o*oBB+.   +      |
|=ooo*o+. . o     |
|+ oo =ooo..      |
+----[SHA256]-----+
root@OKUS-16:/etc/apt#


Big thanks for the help!
 
