random-archer / mkinitcpio-systemd-tool

Provisioning tool for systemd in initramfs (systemd-tool)
https://www.archlinux.org/packages/community/any/mkinitcpio-systemd-tool/

Arch Linux removed 'dss' and 'dsa' from Dropbear. Results in error generating keys. #21

Closed ShapeShifter499 closed 5 years ago

ShapeShifter499 commented 5 years ago

When setting up mkinitcpio-systemd-tool on a new Arch Linux system I get the error below when generating keys. I see an error with dropbear when mkinitcpio triggers a new key generation. It would seem that the maintainer of the Dropbear ssh package in Arch Linux has removed the option for generating 'dss' and 'dsa' keys. You can see the change for 'dss' at https://git.archlinux.org/svntogit/community.git/commit/trunk?h=packages/dropbear&id=76850552f9eea2289d2c016fe574ededfa9222bf near the bottom. I'm not 100% sure where 'dsa' got disabled and if that was an upstream change or if Arch Linux maintainers did that.

[root@archiso /]# mkinitcpio -p linux
==> Building image from preset: /etc/mkinitcpio.d/linux.preset: 'default'
  -> -k /boot/vmlinuz-linux -c /etc/mkinitcpio.conf -g /boot/initramfs-linux.img
==> Starting build: 4.18.14-arch1-1-ARCH
  -> Running build hook: [base]
  -> Running build hook: [autodetect]
  -> Running build hook: [modconf]
  -> Running build hook: [block]
  -> Running build hook: [filesystems]
  -> Running build hook: [keyboard]
  -> Running build hook: [fsck]
  -> Running build hook: [systemd]
  -> Running build hook: [systemd-tool]
    generate brand new dropbear host key: /etc/dropbear/dropbear_dss_host_key
==> ERROR: command failure (1): dropbearkey -t dss -f /etc/dropbear/dropbear_dss_host_key 
Unknown key type 'dss'
Usage: dropbearkey -t <type> -f <filename> [-s bits]
-t type Type of key to generate. One of:
        rsa
        ecdsa
-f filename    Use filename for the secret key.
               ~/.ssh/id_dropbear is recommended for client keys.
-s bits Key size in bits, should be a multiple of 8 (optional)
           ECDSA has sizes 256 384 521 
-y      Just print the publickey and fingerprint for the
        private key in <filename>.

==> Generating module dependencies
==> Creating gzip-compressed initcpio image: /boot/initramfs-linux.img
==> Image generation successful
==> Building image from preset: /etc/mkinitcpio.d/linux.preset: 'fallback'
  -> -k /boot/vmlinuz-linux -c /etc/mkinitcpio.conf -g /boot/initramfs-linux-fallback.img -S autodetect
==> Starting build: 4.18.14-arch1-1-ARCH
  -> Running build hook: [base]
  -> Running build hook: [modconf]
  -> Running build hook: [block]
==> WARNING: Possibly missing firmware for module: aic94xx
==> WARNING: Possibly missing firmware for module: wd719x
  -> Running build hook: [filesystems]
  -> Running build hook: [keyboard]
  -> Running build hook: [fsck]
  -> Running build hook: [systemd]
  -> Running build hook: [systemd-tool]
==> WARNING: Possibly missing firmware for module: softing_cs
==> WARNING: Possibly missing firmware for module: wcn36xx
==> WARNING: Possibly missing firmware for module: at76c50x_usb
==> WARNING: Possibly missing firmware for module: atmel
==> WARNING: Possibly missing firmware for module: b43
==> WARNING: Possibly missing firmware for module: b43legacy
==> WARNING: Possibly missing firmware for module: ipw2100
==> WARNING: Possibly missing firmware for module: ipw2200
==> WARNING: Possibly missing firmware for module: orinoco_usb
==> WARNING: Possibly missing firmware for module: p54pci
==> WARNING: Possibly missing firmware for module: p54spi
==> WARNING: Possibly missing firmware for module: p54usb
==> WARNING: Possibly missing firmware for module: prism54
==> WARNING: Possibly missing firmware for module: rtl8723ae
==> WARNING: Possibly missing firmware for module: rsi_sdio
==> WARNING: Possibly missing firmware for module: rsi_usb
==> WARNING: Possibly missing firmware for module: zd1201
==> WARNING: Possibly missing firmware for module: zd1211rw
    generate brand new dropbear host key: /etc/dropbear/dropbear_dss_host_key
==> ERROR: command failure (1): dropbearkey -t dss -f /etc/dropbear/dropbear_dss_host_key 
Unknown key type 'dss'
Usage: dropbearkey -t <type> -f <filename> [-s bits]
-t type Type of key to generate. One of:
        rsa
        ecdsa
-f filename    Use filename for the secret key.
               ~/.ssh/id_dropbear is recommended for client keys.
-s bits Key size in bits, should be a multiple of 8 (optional)
           ECDSA has sizes 256 384 521 
-y      Just print the publickey and fingerprint for the
        private key in <filename>.

==> Generating module dependencies
==> Creating gzip-compressed initcpio image: /boot/initramfs-linux-fallback.img
==> Image generation successful
[root@archiso /]# 

ShapeShifter499 commented 5 years ago

I'm also experiencing an issue converting any OpenSSH host keys generated with "# ssh-keygen -A" using "# dropbearconvert openssh dropbear /etc/ssh/ssh_host_rsa_key /etc/dropbear/dropbear_rsa_host_key"

I do not know if the issue I'm having with 'dropbearconvert' failing to convert any of my OpenSSH host keys is a bug with upstream or a bug caused by the changes in the Arch Linux build.

[root@archiso /]# dropbearconvert openssh dropbear /etc/ssh/ssh_host_rsa_key /etc/dropbear/dropbear_rsa_host_key
Error: Unrecognised key type
Error reading key from '/etc/ssh/ssh_host_rsa_key'

And during mkinitcpio generation

[root@archiso /]# mkinitcpio -p linux
==> Building image from preset: /etc/mkinitcpio.d/linux.preset: 'default'
  -> -k /boot/vmlinuz-linux -c /etc/mkinitcpio.conf -g /boot/initramfs-linux.img
==> Starting build: 4.18.14-arch1-1-ARCH
  -> Running build hook: [base]
  -> Running build hook: [autodetect]
  -> Running build hook: [modconf]
  -> Running build hook: [block]
  -> Running build hook: [filesystems]
  -> Running build hook: [keyboard]
  -> Running build hook: [fsck]
  -> Running build hook: [systemd]
  -> Running build hook: [systemd-tool]
    convert openssh to dropbear host key: /etc/dropbear/dropbear_rsa_host_key
==> ERROR: command failure (1): dropbearconvert openssh dropbear /etc/ssh/ssh_host_rsa_key /etc/dropbear/dropbear_rsa_host_key 
Error: Unrecognised key type
Error reading key from '/etc/ssh/ssh_host_rsa_key'

    convert openssh to dropbear host key: /etc/dropbear/dropbear_dss_host_key
==> ERROR: command failure (1): dropbearconvert openssh dropbear /etc/ssh/ssh_host_dsa_key /etc/dropbear/dropbear_dss_host_key 
Error: Unrecognised key type
Error reading key from '/etc/ssh/ssh_host_dsa_key'

    convert openssh to dropbear host key: /etc/dropbear/dropbear_ecdsa_host_key
==> ERROR: command failure (1): dropbearconvert openssh dropbear /etc/ssh/ssh_host_ecdsa_key /etc/dropbear/dropbear_ecdsa_host_key 
Error: Unrecognised key type
Error reading key from '/etc/ssh/ssh_host_ecdsa_key'

==> Generating module dependencies
==> Creating gzip-compressed initcpio image: /boot/initramfs-linux.img
==> Image generation successful
==> Building image from preset: /etc/mkinitcpio.d/linux.preset: 'fallback'
  -> -k /boot/vmlinuz-linux -c /etc/mkinitcpio.conf -g /boot/initramfs-linux-fallback.img -S autodetect
==> Starting build: 4.18.14-arch1-1-ARCH
  -> Running build hook: [base]
  -> Running build hook: [modconf]
  -> Running build hook: [block]
==> WARNING: Possibly missing firmware for module: aic94xx
==> WARNING: Possibly missing firmware for module: wd719x
  -> Running build hook: [filesystems]
  -> Running build hook: [keyboard]
  -> Running build hook: [fsck]
  -> Running build hook: [systemd]
  -> Running build hook: [systemd-tool]
==> WARNING: Possibly missing firmware for module: softing_cs
==> WARNING: Possibly missing firmware for module: wcn36xx
==> WARNING: Possibly missing firmware for module: at76c50x_usb
==> WARNING: Possibly missing firmware for module: atmel
==> WARNING: Possibly missing firmware for module: b43
==> WARNING: Possibly missing firmware for module: b43legacy
==> WARNING: Possibly missing firmware for module: ipw2100
==> WARNING: Possibly missing firmware for module: ipw2200
==> WARNING: Possibly missing firmware for module: orinoco_usb
==> WARNING: Possibly missing firmware for module: p54pci
==> WARNING: Possibly missing firmware for module: p54spi
==> WARNING: Possibly missing firmware for module: p54usb
==> WARNING: Possibly missing firmware for module: prism54
==> WARNING: Possibly missing firmware for module: rtl8723ae
==> WARNING: Possibly missing firmware for module: rsi_sdio
==> WARNING: Possibly missing firmware for module: rsi_usb
==> WARNING: Possibly missing firmware for module: zd1201
==> WARNING: Possibly missing firmware for module: zd1211rw
    convert openssh to dropbear host key: /etc/dropbear/dropbear_rsa_host_key
==> ERROR: command failure (1): dropbearconvert openssh dropbear /etc/ssh/ssh_host_rsa_key /etc/dropbear/dropbear_rsa_host_key 
Error: Unrecognised key type
Error reading key from '/etc/ssh/ssh_host_rsa_key'

    convert openssh to dropbear host key: /etc/dropbear/dropbear_dss_host_key
==> ERROR: command failure (1): dropbearconvert openssh dropbear /etc/ssh/ssh_host_dsa_key /etc/dropbear/dropbear_dss_host_key 
Error: Unrecognised key type
Error reading key from '/etc/ssh/ssh_host_dsa_key'

    convert openssh to dropbear host key: /etc/dropbear/dropbear_ecdsa_host_key
==> ERROR: command failure (1): dropbearconvert openssh dropbear /etc/ssh/ssh_host_ecdsa_key /etc/dropbear/dropbear_ecdsa_host_key 
Error: Unrecognised key type
Error reading key from '/etc/ssh/ssh_host_ecdsa_key'

==> Generating module dependencies
==> Creating gzip-compressed initcpio image: /boot/initramfs-linux-fallback.img
==> Image generation successful
[root@archiso /]#
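
The two failures in the logs above, as an added example that is not part of the thread or of mkinitcpio-systemd-tool: it reads the key types the installed dropbearkey offers from its usage text, so that `dss` is skipped rather than attempted, and checks a private key's header before the file is handed to dropbearconvert. Function names are hypothetical, and that the "Unrecognised key type" error comes from ssh-keygen writing the newer `BEGIN OPENSSH PRIVATE KEY` container is an assumption the thread does not confirm.

```shell
#!/bin/sh
# Added example, not code from mkinitcpio-systemd-tool; function names are hypothetical.

# List the key types named under "-t type" in dropbearkey usage text (stdin).
supported_key_types() {
    awk '
        /^-t[ \t]/               { in_types = 1; next }  # type list starts here
        in_types && /^-[A-Za-z]/ { exit }                # next option ends it
        in_types && NF == 1      { print $1 }
    '
}

# Classify a private key file by its first line (PEM vs. newer OpenSSH container).
key_format() {
    first=$(head -n 1 "$1" 2>/dev/null) || first=
    case $first in
        "-----BEGIN OPENSSH PRIVATE KEY-----") echo openssh ;;
        "-----BEGIN RSA PRIVATE KEY-----"|"-----BEGIN DSA PRIVATE KEY-----"|"-----BEGIN EC PRIVATE KEY-----") echo pem ;;
        *) echo unknown ;;
    esac
}

# For each wanted type print "<type> generate" or "<type> skip"; $1 is a file
# holding the usage text, the remaining arguments are the wanted types.
plan_host_keys() {
    usage_file=$1; shift
    types=$(supported_key_types < "$usage_file")
    for want in "$@"; do
        if printf '%s\n' "$types" | grep -qxF -- "$want"; then
            echo "$want generate"
        else
            echo "$want skip"
        fi
    done
}

# Constructed sample: usage text copied from the build log in this thread.
sample_usage() {
    cat <<'EOF'
Unknown key type 'dss'
Usage: dropbearkey -t <type> -f <filename> [-s bits]
-t type Type of key to generate. One of:
        rsa
        ecdsa
-f filename    Use filename for the secret key.
-s bits Key size in bits, should be a multiple of 8 (optional)
EOF
}
```

Run against the usage text in this thread, `plan_host_keys` marks `rsa` and `ecdsa` for generation and `dss` as skipped, so a build hook using it would not abort on the removed key type.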

LubosKolouch commented 5 years ago

What helped me was to remove the dsa keys and copy the ecdsa in their place. Afterwards the script went through OK.

Not sure if it solves your problem...

ShapeShifter499 commented 5 years ago

@kolcon I've decided to have separate host keys for both openssh and dropbear on my system. This also forced me to make sure openssh and dropbear were on different ports, but since I use the same auth key everything works well enough.

Andrei-Pozolotin commented 5 years ago

resolved by https://github.com/random-archer/mkinitcpio-systemd-tool/releases/tag/v17