serhepopovych / simple-cdd-meta

Simple-CDD preseed configuration with profiles for Debian and its derivatives
MIT License

Auto generate sshd host keys on first boot #27

Closed serhepopovych closed 3 years ago

serhepopovych commented 3 years ago

In Debian, ssh host keys are generated on package install (e.g. of openssh-server). Most of the time this has no implications, as these keys are of good quality since the system has enough entropy (e.g. during system install) and they are generated per host.

However, there are cases where having ssh host keys created at system (package) install time is not acceptable.

For example, when a btrfs snapshot of subvol=root is taken during install that will later be used as the origin for LXC containers. Simply deleting these keys from the snapshot will leave sshd inactive in the containers until new keys are generated. Unfortunately Debian lacks an option to generate them at runtime.

Indeed, a solution is already implemented in RHEL/CentOS. There is an ssh-keygen.service systemd unit that checks for ssh host key presence and generates missing ones when necessary.

We may port that one and remove the ssh host keys generated at system install time to let them be generated on first boot. In this case each LXC container will generate its own ssh host keys too.
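The first-boot check described above, written out as an added example (this is not the project's ssh-keygen.service nor Debian's or RHEL's code): a POSIX shell helper that lists the host key types whose key pair is absent and generates only those, so keys stripped from a snapshot are recreated per container while existing keys are never overwritten. The install path, the systemd unit fragment in the comment and the key type list are assumptions.

```shell
#!/bin/sh
# Added example (not the project's ssh-keygen.service): generate only the SSH
# host keys that are missing, so an LXC origin snapshot with /etc/ssh/ssh_host_*
# removed yields containers that each create their own keys on first boot.
# Meant to run from a oneshot unit ordered before sshd, e.g. (assumed):
#   [Unit]
#   Before=ssh.service
#   [Service]
#   Type=oneshot
#   ExecStart=/usr/local/sbin/ssh-hostkeys-firstboot
#   [Install]
#   WantedBy=multi-user.target
set -eu

# Key types Debian's openssh-server ships (assumption; adjust per release).
HOSTKEY_TYPES="rsa ecdsa ed25519"

# Print, one per line, the types whose private or public key file in DIR is
# missing or empty. A half-written pair (only one file) counts as missing.
missing_hostkeys() {
    dir=$1
    shift
    for type in "$@"; do
        key="$dir/ssh_host_${type}_key"
        if [ ! -s "$key" ] || [ ! -s "$key.pub" ]; then
            printf '%s\n' "$type"
        fi
    done
}

# Generate each missing pair with an empty passphrase and restrictive modes.
# Complete pairs are left untouched, so a host that already has keys is a no-op.
generate_missing_hostkeys() {
    dir=$1
    shift
    for type in $(missing_hostkeys "$dir" "$@"); do
        key="$dir/ssh_host_${type}_key"
        rm -f "$key" "$key.pub"                  # drop a partial pair first
        ssh-keygen -q -t "$type" -N '' -f "$key"
        chmod 0600 "$key"
        chmod 0644 "$key.pub"
    done
}

# When installed under the assumed name, check /etc/ssh (or the directory in $1).
if [ "${0##*/}" = "ssh-hostkeys-firstboot" ]; then
    generate_missing_hostkeys "${1:-/etc/ssh}" $HOSTKEY_TYPES
fi
```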

serhepopovych commented 3 years ago

Fixed with commit f46186d41bb9 ("simple-cdd-meta/debian: Add ssh-keygen.service to make hostkeys on firstboot") in master.