Regenerating SSH host keys

Status
Not open for further replies.

pjc

Contributor
Joined
Aug 26, 2014
Messages
187
On installation, FreeNAS generates a set of SSH host keys. Does anyone know how to regenerate them in a way that keeps FreeNAS happy?

On a related note, does your SSH public key happen to be 1b:64:...:24:3e:ad?
 
dlavigne

Guest
Out of curiosity, why do you want to regenerate them?
 

pjc

Contributor
Joined
Aug 26, 2014
Messages
187
Out of curiosity, why do you want to regenerate them?
Because they mysteriously changed on me upon the first reboot after installation, and I want to make sure mine are locally generated and not default values.

On install:
Code:
Mar 3 23:50:14 freenas notifier: Will not 'reload' sshd because sshd_enable is NO.
Mar 3 23:50:21 freenas notifier: Generating RSA1 host key.
Mar 3 23:50:21 freenas notifier: 2048 46:38:...:4b:47 root@freenas.local (RSA1)
Mar 3 23:50:21 freenas notifier: Generating RSA host key.
Mar 3 23:50:21 freenas notifier: 2048 4a:9a:...:d0:57 root@freenas.local (RSA)
Mar 3 23:50:21 freenas notifier: Generating DSA host key.
Mar 3 23:50:21 freenas notifier: 1024 45:11:...:3e:64 root@freenas.local (DSA)
Mar 3 23:50:21 freenas notifier: Generating ECDSA host key.
Mar 3 23:50:21 freenas notifier: 256 6f:26:...:02:ee root@freenas.local (ECDSA)
Mar 3 23:50:21 freenas notifier: Generating ED25519 host key.
Mar 3 23:50:21 freenas notifier: 256 6d:b9:...:b2:40 root@freenas.local (ED25519)
Mar 3 23:50:21 freenas notifier: Performing sanity check on sshd configuration.
Mar 3 23:50:21 freenas notifier: Starting sshd.


These keys were what sshd used immediately after install.

But on reboot (and every boot thereafter):
Code:
# ssh-keygen -l -f /etc/ssh/ssh_host_rsa_key.pub
2048 1b:64:...:24:3e:ad root@freenas.local (RSA)


But there's no additional key generation shown in the logs. So where did that public key come from? (I know the file is regenerated from the database on boot, but how did those values get into the database? Are they defaults?)
 

cyberjock

Inactive Account
Joined
Mar 25, 2012
Messages
19,526
I just ran:

# ssh-keygen -l -f /etc/ssh/ssh_host_rsa_key.pub

Every one of my FreeNAS (and TrueNAS) systems gave different results (and none matched yours).

I'd say ask a dev in #freenas or put in a ticket. /shrug

Probably more polite to ask a dev in #freenas first because you don't really know if it's a bug or not and they prefer to not have a bug ticket filed unless it's actually a bug. ;)
 

pjc

Contributor
Joined
Aug 26, 2014
Messages
187
Well, I'm relieved that it didn't just end up using a common default, but I'm a bit puzzled about where these keys came from. I'll see what they say on IRC.
 

pjc

Contributor
Joined
Aug 26, 2014
Messages
187
Bug reported: https://bugs.freenas.org/issues/8773

I never managed to connect with the devs on IRC, but I did get a spare moment to reproduce the behavior in a VM. Basically it looks like enabling SSH doesn't commit the generated keys to the persistent database, but the process that regenerates missing keys on boot does.

So you get a set of host keys right after enabling SSH, but then they change when you reboot, with no mention of the regeneration in the logs. After that they stick.
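An added example, not part of the original thread and not FreeNAS code: a way to detect the host-key change described above by recording fingerprints after install and comparing them after each reboot. The MD5 colon-hex form matches the `ssh-keygen -l` output quoted in the thread; the helper names and sample keys are constructed for illustration.

```python
import base64
import hashlib

def fingerprints(pub_line):
    """Return (key_type, md5_colon_hex, sha256_fp) for one OpenSSH .pub line."""
    key_type, b64_blob = pub_line.split()[:2]
    blob = base64.b64decode(b64_blob)  # fingerprints are hashes of the raw key blob
    md5 = hashlib.md5(blob).hexdigest()
    md5_fp = ":".join(md5[i:i + 2] for i in range(0, 32, 2))
    sha = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    return key_type, md5_fp, "SHA256:" + sha

def snapshot(pub_lines):
    """Map key type -> MD5 fingerprint for a set of host public keys."""
    return {t: fp for t, fp, _ in map(fingerprints, pub_lines)}

def drift(baseline, current):
    """Return {key_type: (old_fp, new_fp)} for keys that changed, vanished or appeared."""
    return {t: (baseline.get(t), current.get(t))
            for t in sorted(set(baseline) | set(current))
            if baseline.get(t) != current.get(t)}

def fake_pub(key_type, seed):
    # Constructed sample: not a real key, only a stable blob so output is deterministic.
    blob = hashlib.sha256(seed.encode()).digest()
    return f"{key_type} {base64.b64encode(blob).decode()} root@freenas.local"

# Constructed stand-ins for the contents of /etc/ssh/ssh_host_*_key.pub at each stage.
AFTER_INSTALL = [fake_pub("ssh-rsa", "install-rsa"), fake_pub("ssh-ed25519", "install-ed")]
AFTER_REBOOT = [fake_pub("ssh-rsa", "boot-rsa"), fake_pub("ssh-ed25519", "boot-ed")]
SECOND_REBOOT = list(AFTER_REBOOT)  # the thread reports that the keys then "stick"

if __name__ == "__main__":
    previous = snapshot(AFTER_INSTALL)
    for label, keys in (("first reboot", AFTER_REBOOT), ("second reboot", SECOND_REBOOT)):
        current = snapshot(keys)
        changed = drift(previous, current)
        print(f"{label}: {len(changed)} host key(s) changed")
        for key_type, (old, new) in changed.items():
            print(f"  {key_type}: {old} -> {new}")
        previous = current
```

On a real system the input lines would come from the `.pub` files themselves, with the baseline stored somewhere other than the machine being checked.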
 