random-archer / mkinitcpio-systemd-tool

Provisioning tool for systemd in initramfs (systemd-tool)
https://www.archlinux.org/packages/community/any/mkinitcpio-systemd-tool/

Dropbear does not work on fresh installation #83

Open Id2ndR opened 3 years ago

Id2ndR commented 3 years ago

Version used: mkinitcpio-systemd-tool 36-1.

This issue is related to https://github.com/random-archer/mkinitcpio-systemd-tool/issues/17 and https://bugs.archlinux.org/task/60523: on a fresh install, the ssh host keys are generated before dropbear is installed, so mkinitcpio shows errors like this:

```
    convert openssh to dropbear host key: /etc/dropbear/dropbear_ecdsa_host_key
==> ERROR: command failure (1): dropbearconvert openssh dropbear /etc/ssh/ssh_host_ecdsa_key /etc/dropbear/dropbear_ecdsa_host_key 
Error: Unsupported OpenSSH key type
Error reading key from '/etc/ssh/ssh_host_ecdsa_key'
```

Then, the initrd-dropbear unit seems to start on reboot, but the ssh port (22) is not bound. In fact, starting dropbear with the -E option shows that it exits immediately with return code 1:

```
[20033] Feb 11 22:12:21 Failed loading /etc/dropbear/dropbear_rsa_host_key
[20033] Feb 11 22:12:21 Failed loading /etc/dropbear/dropbear_ecdsa_host_key
[20033] Feb 11 22:12:21 Failed loading /etc/dropbear/dropbear_ed25519_host_key
[20033] Feb 11 22:12:21 Early exit: No hostkeys available. 'dropbear -R' may be useful or run dropbearkey.
```

The problem is that using ssh-keygen -A -m PEM command, like explained in the unit, does not help because it does not replace existing keys.

Solutions:

Then mkinitcpio should be run again.

pierrou-andreas commented 3 years ago

> The problem is that using ssh-keygen -A -m PEM command, like explained in the unit, does not help because it does not replace existing keys.
>
> * a better solution is to convert the existing keys with these commands, providing an empty password when prompted:
>   ```
>   for format in dsa ecdsa ed25519 rsa; do
>     ssh-keygen -A -p -m PEM -f /etc/ssh/ssh_host_${format}_key
>   done
>   ```
>
> Then mkinitcpio should be run again.

Hi! I just want to confirm that the problem of running ssh-keygen -A -m PEM still persists on OpenSSH 8.7p1-1. Isn't the use of option -A in order to convert to PEM-format inherently incorrect as it only creates files that don't already exist?

The manpage of ssh-keygen describes option -A as

> For each of the key types (rsa, dsa, ecdsa and ed25519) for which host keys do not exist, generate the host keys [...].

But since the host keys in /etc/ssh/ already exist (because they are generated on the first invocation of sshd), nothing will be generated/regenerated/converted. Is it OK to change the comment in the initrd-dropbear.service so that new users won't be confused? I made a pull request with the above-suggested for-loop instead of ssh-keygen -A -m PEM since I don't have write access to the project.
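An added example (not the project's code and not from any commenter) that makes the conversion step in the thread idempotent and non-interactive: it classifies each host key by its header line, re-encodes only keys still in the OpenSSH container, then regenerates dropbear's copies. It assumes ssh-keygen and dropbearconvert are on PATH, that it runs as root, and that ed25519 keys are passed to dropbearconvert unconverted because ssh-keygen has no PEM encoding for that type.

```sh
#!/bin/sh
# Added example, not part of mkinitcpio-systemd-tool. Assumes root, ssh-keygen
# and dropbearconvert on PATH.
set -eu

# Classify a private key file by its first line.
# Prints one of: openssh | pem | missing | unknown
key_format() {
    f="$1"
    if [ ! -f "$f" ]; then echo missing; return 0; fi
    case "$(head -n 1 "$f")" in
        "-----BEGIN OPENSSH PRIVATE KEY-----") echo openssh ;;
        "-----BEGIN "*" PRIVATE KEY-----")     echo pem ;;
        *)                                     echo unknown ;;
    esac
}

# Re-encode one OpenSSH-container key as PEM in place without a passphrase
# prompt: -P "" supplies the old (empty) passphrase, -N "" the new one.
# Only the encoding changes; key material and host fingerprint stay the same.
# Returns 0 when the file is PEM afterwards, 1 otherwise.
convert_host_key() {
    f="$1"
    case "$(key_format "$f")" in
        pem)     return 0 ;;   # already converted: safe to re-run
        openssh) ssh-keygen -p -m PEM -N "" -P "" -f "$f" >/dev/null ;;
        *)       return 1 ;;   # missing or unrecognised: refuse to touch it
    esac
    [ "$(key_format "$f")" = pem ]
}

# Convert every present host key type and rebuild dropbear's copies.
# Types without a key file (e.g. dsa on a new install) are skipped.
convert_all_host_keys() {
    for t in dsa ecdsa ed25519 rsa; do
        src="/etc/ssh/ssh_host_${t}_key"
        if [ "$(key_format "$src")" = missing ]; then continue; fi
        # ssh-keygen keeps ed25519 in the OpenSSH container regardless of -m,
        # so that type goes to dropbearconvert as-is (assumption noted above).
        if [ "$t" != ed25519 ]; then
            convert_host_key "$src" || { echo "conversion failed: $src" >&2; return 1; }
        fi
        dropbearconvert openssh dropbear "$src" "/etc/dropbear/dropbear_${t}_host_key"
    done
}

# Run with an explicit "run" argument; afterwards re-run mkinitcpio -P.
if [ "${1:-}" = run ]; then convert_all_host_keys; fi
```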

ghthor commented 2 years ago

I believe the for loop version of this fix does not need the -A flag.