
Bug#811265: marked as done (openssh-server fails to install with 'Saving key "/etc/ssh/ssh_host_key" failed: unknown or unsupported key type' because rsa1/SSH1 have been disabled)



Your message dated Sun, 17 Jan 2016 15:59:57 +0000
with message-id <E1aKpkD-0001c8-Gs@franck.debian.org>
and subject line Bug#811265: fixed in openssh 1:7.1p2-2
has caused the Debian Bug report #811265,
regarding openssh-server fails to install with 'Saving key "/etc/ssh/ssh_host_key" failed: unknown or unsupported key type' because rsa1/SSH1 have been disabled
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
811265: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=811265
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package:       openssh-server
Version:       1:7.1p2-1
Severity:      serious
Justification: Package fails to install

Hi!

In contrast to the default version shipped in the package, my
/etc/ssh/sshd_config doesn't contain a "Protocol" line since I'm happy
with the default (which is '2' according to the man page).

However, openssh-server's postinst contains these lines:

    76  host_keys_required() {
    77          hostkeys="$(get_config_option HostKey)"
    78          if [ "$hostkeys" ]; then
    79                  echo "$hostkeys"
    80          else
    81                  # No HostKey directives at all, so the server picks some
    82                  # defaults depending on the setting of Protocol.
    83                  protocol="$(get_config_option Protocol)"
    84                  [ "$protocol" ] || protocol=1,2
    85                  if echo "$protocol" | grep 1 >/dev/null; then
    86                          echo /etc/ssh/ssh_host_key
    87                  fi
[...]
    95  }
    96  
    97  
    98  create_key() {
[...]
   105  
   106          if echo "$hostkeys" | grep -x "$file" >/dev/null && \
   107             [ ! -f "$file" ] ; then
   108                  echo -n $msg
   109                  ssh-keygen -q -f "$file" -N '' "$@"
[...]
   115          fi
   116  }

This results in this:

	root@shepard:~# apt-get -f install
	Reading package lists... Done
	Building dependency tree       
	Reading state information... Done
	0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
	1 not fully installed or removed.
	After this operation, 0 B of additional disk space will be used.
	Setting up openssh-server (1:7.1p2-1) ...
	Creating SSH1 key; this may take some time ...Saving key "/etc/ssh/ssh_host_key" failed: unknown or unsupported key type
	dpkg: error processing package openssh-server (--configure):
	 subprocess installed post-installation script returned error exit status 1
	Errors were encountered while processing:
	 openssh-server
	E: Sub-process /usr/bin/dpkg returned an error code (1)
	root@shepard:~# 

The reason is that this command fails:

	root@shepard:~# ssh-keygen -q -f /etc/ssh/ssh_host_key -N '' -t rsa1
	Saving key "/etc/ssh/ssh_host_key" failed: unknown or unsupported key type
	root@shepard:~# 

A quick search leads to this upstream bug report:

	https://bugzilla.mindrot.org/show_bug.cgi?id=2369

To sum things up: It seems that the logic in the postinst script which
is emulating the "-A" option of ssh-keygen is buggy and therefore ran
into the exact same problem as described in the bug report above. 

Please consider either defaulting to protocol 2 only in the postinst
(line 84) or (IMHO better) switch to the "-A" option of ssh-keygen.

Best regards

Alexander Kurtz



--- End Message ---
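
The default-handling problem described in the report above, as an added example that is not part of the original message or of the Debian package. It models the quoted branch of host_keys_required() with the fallback Protocol value as a parameter, so the quoted default (1,2) can be compared with the reporter's suggested default (2). get_opt is a hypothetical stand-in for get_config_option, and the sample configs are constructed.

```shell
#!/bin/sh
# Added example: simplified model of the host_keys_required() logic quoted in
# the report. get_opt is a hypothetical stand-in for get_config_option.

# Print the value of every "$2 ..." directive found in config file $1.
get_opt() {
    awk -v opt="$2" 'tolower($1) == tolower(opt) {
        $1 = ""; sub(/^[ \t]+/, ""); print }' "$1"
}

# $1 = sshd_config path, $2 = Protocol value assumed when the file sets none.
# Prints the host key paths the script would try to create. The protocol 2
# paths are elided on the page and are left out here as well.
host_keys_required() {
    hostkeys="$(get_opt "$1" HostKey)"
    if [ "$hostkeys" ]; then
        echo "$hostkeys"
    else
        protocol="$(get_opt "$1" Protocol)"
        [ "$protocol" ] || protocol="$2"
        if echo "$protocol" | grep 1 >/dev/null; then
            echo /etc/ssh/ssh_host_key
        fi
    fi
}

# Constructed sample configs: one without a Protocol line (the reporter's
# situation) and one with an explicit "Protocol 2" line.
demo_dir="$(mktemp -d)"
printf 'Port 22\nPermitRootLogin no\n' > "$demo_dir/no_protocol"
printf 'Port 22\nProtocol 2\n' > "$demo_dir/protocol_2"

for conf in no_protocol protocol_2; do
    for default in 1,2 2; do
        keys="$(host_keys_required "$demo_dir/$conf" "$default")"
        echo "$conf, default=$default: ${keys:-no protocol 1 key}"
    done
done
rm -rf "$demo_dir"
```

Only the combination of a missing Protocol line and the 1,2 fallback asks for /etc/ssh/ssh_host_key, which is the path whose generation fails in the report.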
--- Begin Message ---
Source: openssh
Source-Version: 1:7.1p2-2

We believe that the bug you reported is fixed in the latest version of
openssh, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 811265@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Colin Watson <cjwatson@debian.org> (supplier of updated openssh package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Sun, 17 Jan 2016 14:10:19 +0000
Source: openssh
Binary: openssh-client openssh-client-ssh1 openssh-server openssh-sftp-server ssh ssh-krb5 ssh-askpass-gnome openssh-client-udeb openssh-server-udeb
Architecture: source
Version: 1:7.1p2-2
Distribution: unstable
Urgency: medium
Maintainer: Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>
Changed-By: Colin Watson <cjwatson@debian.org>
Description:
 openssh-client - secure shell (SSH) client, for secure access to remote machines
 openssh-client-ssh1 - secure shell (SSH) client for legacy SSH1 protocol
 openssh-client-udeb - secure shell client for the Debian installer (udeb)
 openssh-server - secure shell (SSH) server, for secure access from remote machines
 openssh-server-udeb - secure shell server for the Debian installer (udeb)
 openssh-sftp-server - secure shell (SSH) sftp server module, for SFTP access from remot
 ssh        - secure shell client and server (metapackage)
 ssh-askpass-gnome - interactive X program to prompt users for a passphrase for ssh-ad
 ssh-krb5   - secure shell client and server (transitional package)
Closes: 811265
Changes:
 openssh (1:7.1p2-2) unstable; urgency=medium
 .
   * Remove protocol 1 host key generation from openssh-server.postinst
     (closes: #811265).

--- End Message ---
