SOLVED SSH to FreeNAS. Key doesn't survive reboot

NugentS

MVP
Joined
Apr 16, 2020
Messages
2,949
Hi,
Another slightly strange occurrence.
I just upgraded to 11.3U3 as this is a non production (at the moment) NAS.

In the previous version I could ssh root@freenas and get asked for a password. This survived reboots.
Current version - if I reboot then ssh complains that the keys have changed and I have to delete the key from my known_hosts file

Can't believe that this is by design. Does tell me if the box has rebooted though...
 

Samuel Tai

Never underestimate your own stupidity
Moderator
Joined
Apr 24, 2020
Messages
5,399
It's ix_sshd_save_keys. If this file doesn't exist, create a new one, owned by root:wheel, mode 755, with contents as follows:

Code:
#!/bin/sh
#
# $FreeBSD$
#

# PROVIDE: ix_sshd_save_keys
# REQUIRE: openssh

#
# Save any generated keys by /usr/local/etc/rc.d/sshd into the config db.
#

. /etc/rc.freenas

save_keys()
{
    for i in "ssh_host_key" "ssh_host_key.pub" "ssh_host_dsa_key" "ssh_host_dsa_key.pub" "ssh_host_dsa_key-cert.pub" "ssh_host_ecdsa_key" "ssh_host_ecdsa_key.pub" "ssh_host_ecdsa_key-cert.pub" "ssh_host_rsa_key" "ssh_host_rsa_key.pub" "ssh_host_rsa_key-cert.pub" "ssh_host_ed25519_key" "ssh_host_ed25519_key.pub" "ssh_host_ed25519_key-cert.pub"
    do
        if [ -f /usr/local/etc/ssh/${i} ] ; then
            _tmp=`cat /usr/local/etc/ssh/${i} | /usr/local/bin/base64`
            column=`echo ${i} | tr ".-" "_"`
            cmd="UPDATE services_ssh SET '${column}' = '${_tmp}' WHERE id = (SELECT id FROM services_ssh ORDER BY id LIMIT 1);"
            echo ${cmd} | ${FREENAS_SQLITE_CMD} ${FREENAS_CONFIG}
        fi
    done
}

name="ix_sshd_save_keys"
start_cmd='save_keys'
stop_cmd=':'

load_rc_config $name
run_rc_command "$1"
 

NugentS

MVP
Joined
Apr 16, 2020
Messages
2,949
Nope - doesn't work. Same situation
 

NugentS

MVP
Joined
Apr 16, 2020
Messages
2,949
I may have got permissions wrong - I'll retest
 

NugentS

MVP
Joined
Apr 16, 2020
Messages
2,949
Still doesn't work. Formatting of the code below is slightly wrong due to the website

root@freenas[/etc/ix.rc.d]# ll
total 94
drwxr-xr-x   2 root  wheel  uarch 1152 May 20 20:19 ./
drwxr-xr-x  31 root  wheel  uarch 8704 May 20 20:16 ../
-rwxr-xr-x   1 root  wheel  -     1026 May 20 20:19 ix_sshd_save_keys*
-rw-r--r--   1 root  wheel  uarch  408 May 20 11:31 ix-asigra

. /etc/rc.freenas

save_keys()
{
    for i in "ssh_host_key" "ssh_host_key.pub" "ssh_host_dsa_key" "ssh_host_dsa_key.pub" "ssh_host_dsa_key-cert.pub" "ssh_host_ecdsa_key" "ssh_host_ecdsa_key.pub" "ssh_host_ecdsa_key-cert.pub" "ssh_host_rsa_key" "ssh_host_rsa_key.pub" "ssh_host_rsa_key-cert.pub" "ssh_host_ed25519_key" "ssh_host_ed25519_key.pub" "ssh_host_ed25519_key-cert.pub"
    do
        if [ -f /usr/local/etc/ssh/${i} ] ; then
            _tmp=`cat /usr/local/etc/ssh/${i} | /usr/local/bin/base64`
            column=`echo ${i} | tr ".-" "_"`
            cmd="UPDATE services_ssh SET '${column}' = '${_tmp}' WHERE id = (SELECT id FROM services_ssh ORDER BY id LIMIT 1);"
            echo ${cmd} | ${FREENAS_SQLITE_CMD} ${FREENAS_CONFIG}
        fi
    done
}

name="ix_sshd_save_keys"
start_cmd='save_keys'
stop_cmd=':'

load_rc_config $name
run_rc_command "$1"
 

NugentS

MVP
Joined
Apr 16, 2020
Messages
2,949
I used the code below - but it's not working. I got this from Git from anodos's post

Code:
#!/bin/sh
#
# $FreeBSD$
#

# PROVIDE: ix_sshd_save_keys
# REQUIRE: openssh

#
# Save any generated keys by /usr/local/etc/rc.d/sshd into the config db.
#

. /etc/rc.freenas

save_keys()
{
    for i in "ssh_host_key" "ssh_host_key.pub" "ssh_host_dsa_key" "ssh_host_dsa_key.pub" "ssh_host_dsa_key-cert.pub" "ssh_host_ecdsa_key" "ssh_host_ecdsa_key.pub" "ssh_host_ecdsa_key-cert.pub" "ssh_host_rsa_key" "ssh_host_rsa_key.pub" "ssh_host_rsa_key-cert.pub" "ssh_host_ed25519_key" "ssh_host_ed25519_key.pub" "ssh_host_ed25519_key-cert.pub"
    do
        if [ -f /usr/local/etc/ssh/${i} ] ; then
            column=`echo ${i} | tr ".-" "_"`
            key=`cat /usr/local/etc/ssh/${i} | /usr/local/bin/base64`
            if echo "$column" | egrep "key$" > /dev/null ; then
              key=`midclt call pwenc.encrypt "$key"`
            fi
            cmd="UPDATE services_ssh SET '${column}' = '${key}' WHERE id = (SELECT id FROM services_ssh ORDER BY id LIMIT 1);"
            echo ${cmd} | ${FREENAS_SQLITE_CMD} ${FREENAS_CONFIG}
        fi
    done
}

name="ix_sshd_save_keys"
start_cmd='save_keys'
stop_cmd=':'

load_rc_config $name
run_rc_command "$1"
 

Samuel Tai

Never underestimate your own stupidity
Moderator
Joined
Apr 24, 2020
Messages
5,399
Have you restarted SSH?
 

NugentS

MVP
Joined
Apr 16, 2020
Messages
2,949
Yes
 

MikeyG

Patron
Joined
Dec 8, 2017
Messages
442
Modifying that file does not appear to survive reboots.
 

Spearfoot

He of the long foot
Moderator
Joined
May 13, 2015
Messages
2,478
I noticed the same problem today. Looks like I should have waited a little longer before upgrading from 11.2U8.
 

MikeyG

Patron
Joined
Dec 8, 2017
Messages
442
Still not working for me @anodos. Changes are persistent across reboots but still prompts for new key each time I SSH in.

Changed /conf/base/etc/ix.rc.d/ix_sshd_save_keys to:

Code:
/conf/base/etc/ix.rc.d/ix_sshd_save_keys

#!/bin/sh
#
# $FreeBSD$
#

# PROVIDE: ix_sshd_save_keys
# REQUIRE: openssh

#
# Save any generated keys by /usr/local/etc/rc.d/sshd into the config db.
#

. /etc/rc.freenas

save_keys()
{
    for i in "ssh_host_key" "ssh_host_key.pub" "ssh_host_dsa_key" "ssh_host_dsa_key.pub" "ssh_host_dsa_key-cert.pub" "ssh_host_ecdsa_key" "ssh_host_ecdsa_key.pub" "ssh_host_ecdsa_key-cert.pub" "ssh_host_rsa_key" "ssh_host_rsa_key.pub" "ssh_host_rsa_key-cert.pub" "ssh_host_ed25519_key" "ssh_host_ed25519_key.pub" "ssh_host_ed25519_key-cert.pub"
    do
        if [ -f /usr/local/etc/ssh/${i} ] ; then
            column=`echo ${i} | tr ".-" "_"`
            key=`cat /usr/local/etc/ssh/${i} | /usr/local/bin/base64`
            if echo "$column" | egrep "key$" > /dev/null ; then
              key=`midclt call pwenc.encrypt "$key"`
            fi
            cmd="UPDATE services_ssh SET '${column}' = '${key}' WHERE id = (SELECT id FROM services_ssh ORDER BY id LIMIT 1);"
            echo ${cmd} | ${FREENAS_SQLITE_CMD} ${FREENAS_CONFIG}
        fi
    done
}

name="ix_sshd_save_keys"
start_cmd='save_keys'
stop_cmd=':'

load_rc_config $name
run_rc_command "$1"



Am I missing something here?

Also, is a fix for this planned for U3.1?
 

Spearfoot

He of the long foot
Moderator
Joined
May 13, 2015
Messages
2,478
I've confirmed that the code changes do not fix the problem -- I still get new host keys on every boot.
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
> I've confirmed that the code changes do not fix the problem -- I still get new host keys on every boot.
Let's try to make sure we're overwriting the file with exactly the correct one:
Back up the boot environment, then:
Code:
git clone https://github.com/freenas/freenas /tmp/freenas
cd /tmp/freenas
git checkout freenas/11.3-stable
cp src/freenas/etc/ix.rc.d/ix_sshd_save_keys /conf/base/etc/ix.rc.d/
cp src/freenas/etc/ix.rc.d/ix_sshd_save_keys /etc/ix.rc.d/
service ix_sshd_save_keys start
reboot
 

NugentS

MVP
Joined
Apr 16, 2020
Messages
2,949
That seems to work. All I was doing was editing the file - apparently that's not good enough.

:)

Thank you @anodos
 

Spearfoot

He of the long foot
Moderator
Joined
May 13, 2015
Messages
2,478
> Let's try to make sure we're overwriting the file with exactly the correct one:
> Back up the boot environment, then:
> Code:
> git clone https://github.com/freenas/freenas /tmp/freenas
> cd /tmp/freenas
> git checkout freenas/11.3-stable
> cp src/freenas/etc/ix.rc.d/ix_sshd_save_keys /conf/base/etc/ix.rc.d/
> cp src/freenas/etc/ix.rc.d/ix_sshd_save_keys /etc/ix.rc.d/
> service ix_sshd_save_keys start
> reboot
Ah ha! I was only modifying the script in /conf/base/etc/ix.rc.d/, not realizing I needed to modify the one in /etc/ix.rc.d/ too. Thanks!
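
The fix in this thread depends on the two copies of ix_sshd_save_keys being the same file and on the host keys actually surviving the reboot. The following is an added example, not code from any poster or from the FreeNAS repository, that checks both instead of finding out from a known_hosts warning; the function names and the baseline path are hypothetical.

```sh
#!/bin/sh
# Added example; function names and the baseline path are hypothetical.
# On the NAS in this thread the directories would be /conf/base/etc/ix.rc.d,
# /etc/ix.rc.d and /usr/local/etc/ssh.

# rc_copies_match BASE_DIR LIVE_DIR [NAME]
# Succeeds only if both copies of the rc script exist and are byte-identical.
rc_copies_match() {
    _n=${3:-ix_sshd_save_keys}
    [ -f "$1/$_n" ] && [ -f "$2/$_n" ] && cmp -s "$1/$_n" "$2/$_n"
}

# snapshot_host_keys SSH_DIR
# Prints "checksum size filename" for each public host key. Only *.pub files
# are read, so private key material is never touched. cksum is enough to
# notice regenerated keys; use `ssh-keygen -lf <file>` on the console for the
# fingerprint to compare with what the SSH client shows.
snapshot_host_keys() {
    for _f in "$1"/ssh_host_*key.pub; do
        [ -f "$_f" ] || continue
        printf '%s %s\n' "$(cksum < "$_f")" "$(basename "$_f")"
    done
}

# host_keys_unchanged SSH_DIR BASELINE_FILE
# 0 = keys match the baseline, 1 = keys differ, 2 = no baseline saved yet.
host_keys_unchanged() {
    [ -f "$2" ] || return 2
    [ "$(snapshot_host_keys "$1")" = "$(cat "$2")" ]
}

# Typical use (baseline path is a placeholder on persistent storage):
#   snapshot_host_keys /usr/local/etc/ssh > /path/to/hostkeys.baseline
#   reboot, then:
#   rc_copies_match /conf/base/etc/ix.rc.d /etc/ix.rc.d || echo "rc copies differ"
#   host_keys_unchanged /usr/local/etc/ssh /path/to/hostkeys.baseline \
#       || echo "host keys changed or no baseline"
```

If host_keys_unchanged reports a change, compare the new fingerprint on the NAS console with the one the client displays before removing the old known_hosts entry.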
 