Not everything I deal with does turn out to be a problem… sometimes it’s a feature: Today I came across the question, why does sshd on a SLES machine have the same host key after a reinstall – even if the installer was told to create a new (root) filesystem? I had stumbled over this once myself, but didn’t bother to check the background then. Today’s report included the information that when nulling the partition before (re-)installing, the key will change – so luckily it’s not a problem of the key generation algorithm, having insufficient entropy when re-run on the same machine.
Curiosity got the better of me today, so I started to look things up.
First hint was to be found in a file on an already installed SLES11 server (/usr/share/YaST2/modules/SystemFilesCopy.ycp):
/**
* Sets new rules which files will be copied during installation.
*
* @see FATE #305019: configure the files to copy from a previous installation
* @param list <map> of new definitions
*
* @struct
* [
* "copy_to_dir" : (string) "system_directory_to_copy_to",
* "mandatory_files" : (list <string>) [ list of mandatory files ],
* "optional_files" : (list <string>) [ list of optional files ],
* ]
*
* @example
* SetCopySystemFiles ([
* $["copy_to_dir":"/root/backup", "mandatory_files":["/etc/passwd", "/etc/shadow"]]
* $["copy_to_dir":"/root/backup", "mandatory_files":["/etc/ssh/ssh_host_dsa_key"], "optional_files":["/etc/ssh/ssh_host_rsa_key.pub"]]
* ])
*/
global void SetCopySystemFiles (list <map> new_copy_files) {
I just wouldn’t believe a developer to insert such a fitting example in the comment block, unless the code was actually implemented somewhere already. And while I couldn’t spot any invocation of “SetCopySystemFile()” anywhere on the installed system, OpenSuSE’s SVN repository provided another hit in inst_pre_install.ycp:
27 // FATE #300421: Import ssh keys from previous installations 28 FindAndCopyNewestFiles ( 29 "/", 30 // required 31 ["/etc/ssh/ssh_host_key", "/etc/ssh/ssh_host_key.pub"], 32 // optional 33 ["/etc/ssh/ssh_host_dsa_key", "/etc/ssh/ssh_host_dsa_key.pub", "/etc/ssh/ssh_host_rsa_key", "/etc/ssh/ssh_host_rsa_key.pub"] 34 );
So what’s the effect of these pieces of code? During installation, even if you decide to wipe your disk by letting the installer create new file systems on your logical volumes or disk partitions, YaST will make a copy of some of the files of the previously installed system (intermediately stored in the RAM disk of the installation system) and includes them with the fresh install.
Please note that the above code does not actually reflect the current state of implementation, but is how copying sshd host keys was originally introduced in August 2007. Todays implementation takes it’s list of files from “/control.xml” on the installation media, where you will find the “copy_to_system” node. The following sample is from the openSUSE 12.3 DVD:
<!-- FATE #305019: configure the files to copy from a previous installation --> <copy_to_system config:type="list"> <!-- FATE #300421: Import ssh keys from previous installations --> <copy_to_system_item> <copy_to_dir>/</copy_to_dir> <!-- Files that must be all present on the previous system --> <mandatory_files config:type="list"> <file_item>/etc/ssh/ssh_host_key</file_item> <file_item>/etc/ssh/ssh_host_key.pub</file_item> </mandatory_files> <!-- Files thay may be present --> <optional_files config:type="list"> <file_item>/etc/ssh/ssh_host_dsa_key</file_item> <file_item>/etc/ssh/ssh_host_dsa_key.pub</file_item> <file_item>/etc/ssh/ssh_host_rsa_key</file_item> <file_item>/etc/ssh/ssh_host_rsa_key.pub</file_item> <file_item>/etc/ssh/ssh_host_ecdsa_key</file_item> <file_item>/etc/ssh/ssh_host_ecdsa_key.pub</file_item> </optional_files> </copy_to_system_item> <!-- FATE #120103: Import Users From Existing Partition --> <copy_to_system_item> <copy_to_dir>/var/lib/YaST2/imported/userdata/</copy_to_dir> <!-- Files that must be all present on the previous system --> <mandatory_files config:type="list"> <file_item>/etc/shadow</file_item> <file_item>/etc/passwd</file_item> <file_item>/etc/login.defs</file_item> <file_item>/etc/group</file_item> </mandatory_files> </copy_to_system_item> </copy_to_system>
As you can see nicely, the files to be preserved are
- the ssh daemon host key files
- password and group files
- pwdutils’ configuration control definitions
and if you look at the SLES11 DVDs, you’ll find the same list.
So as a final conclusion, seeing no warning for changed ssh keys (even after zapping your file systems during install) is clearly no reason for worries. And if you want to make sure you get an absolutely fresh & clean install, it’s up to you to wipe the disk prior to starting the installation.