Question about saving SSH keys

When I update to the latest rolling, it asks if I want to save the SSH keys to the new install. However, when it boots to the new image, I have nothing in my .ssh directory. Therefore, I have to recreate and share the keys again every time. Is this the intended behavior? I assume not, as it asks to copy; perhaps a bug? It is kind of annoying to have to regen them every time for my config backups to work.

Thanks for any clarification and/or fix you can offer,

Keith

Please report this at https://vyos.dev

Sounds like a bug to me.

The thing is that normally just the /config is copied onto the new persistent directory and I think the /home dirs as well.

But the server part of ssh which is placed in /etc might not be copied (I think).

So when you talk about ssh keys… do you mean those found in your /home directory (to be used to verify a ssh server you choose to connect to from VyOS) or do you mean those found in /etc used to identify the VyOS box when you connect to it from a different host?

Hello @sirebral,

Despite being prompted to save SSH keys during the update process, he finds that the keys are not retained in the new installation. This inconvenience means he has to recreate and share the keys each time, impacting the functionality of his configuration backups.

This doesn’t seem to be the intended behavior and could potentially be a bug in the update process. It’s understandable why Keith finds this situation annoying, as it disrupts his workflow and adds unnecessary effort to his system maintenance tasks.

Offering clarification and a fix for this issue would likely require input from the VyOS community or support team, as they would have a better understanding of the system’s mechanics and any potential bugs or glitches. Hopefully, Keith will receive the assistance he needs to resolve this problem and streamline his update process in the future.

Best Regards,

I appreciate it, Betty. Yes, my non-root user has keys stored in the home directory .ssh to be able to back up configurations, and with the current implementation, it does not back up or restore those keys after a rolling upgrade.

Should I report this to bugs?

Thanks,

Keith

@sirebral,

I believe only the /config directory persists between upgrades.

Suggest before you upgrade that you copy the config/ssh files of your additional user(s) there, perform the upgrade and then move files back once you’ve added the user.

This should at least save you the hassle of needing to re-gen keys.

A workaround would be to place your keys in /config/backupssh or such, make sure to give proper permissions to that directory and the files.

Then in /config/scripts/vyos-postconfig-bootup.script you add commands to create a symlink from your current home directory to the physical files found in /config/backupssh.

This way next time you upgrade the keys will follow to the updated version and the vyos-postconfig-bootup.script will make sure the ssh keys will get symlinked from your home directory.

But please file this as a bug over at https://vyos.dev so a more solid solution can be made for this (I think this has been talked about previously but perhaps only on the forum).

3 Likes
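The workaround from the post above, sketched as an added example (not part of the original thread and not VyOS's own code). It assumes a hypothetical user `backupuser`, a per-user subdirectory under `/config/backupssh`, and that the post-config boot script runs as root.

```shell
#!/bin/sh
# Added example: keep a user's SSH client keys under /config so they survive
# an image upgrade. "backupuser" and the per-user subdirectory are assumptions.

# Run once before an upgrade: copy HOME_DIR/.ssh into the persistent store.
stash_ssh_dir() {   # usage: stash_ssh_dir HOME_DIR STORE_DIR
    home_dir=$1; store=$2
    # Only stash a real directory, never an existing symlink into the store.
    [ -d "$home_dir/.ssh" ] && [ ! -L "$home_dir/.ssh" ] || return 1
    mkdir -p "$store" && chmod 700 "$store" || return 1
    cp -pR "$home_dir/.ssh/." "$store/" || return 1
}

# Run at every boot: tighten permissions, then point HOME_DIR/.ssh at the store.
link_ssh_dir() {    # usage: link_ssh_dir HOME_DIR STORE_DIR OWNER
    home_dir=$1; store=$2; owner=$3
    [ -d "$store" ] && [ -d "$home_dir" ] || return 1
    chown -R "$owner" "$store" || return 1
    chmod 700 "$store" || return 1
    # The ssh client rejects private keys readable by others: 0600 for
    # everything except *.pub, which may stay world-readable.
    find "$store" -type f ! -name '*.pub' -exec chmod 600 {} + || return 1
    find "$store" -type f -name '*.pub' -exec chmod 644 {} + || return 1
    # A fresh image may already hold a real ~/.ssh; move it aside, do not delete.
    if [ -e "$home_dir/.ssh" ] && [ ! -L "$home_dir/.ssh" ]; then
        mv "$home_dir/.ssh" "$home_dir/.ssh.preupgrade" || return 1
    fi
    ln -sfn "$store" "$home_dir/.ssh" || return 1
    chown -h "$owner" "$home_dir/.ssh"
}

# Lines for /config/scripts/vyos-postconfig-bootup.script; a no-op when the
# store or the home directory does not exist yet.
if [ -d /config/backupssh/backupuser ] && [ -d /home/backupuser ]; then
    link_ssh_dir /home/backupuser /config/backupssh/backupuser backupuser
fi
```

Run `stash_ssh_dir /home/backupuser /config/backupssh/backupuser` once as root before the upgrade; the boot-time call then restores the link on every new image.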

Would someone mind submitting the bug on my behalf? I understand the temporary remediation, yet I’m unsure if I could effectively relay the bug and resolution so that it’s fully understood.

Much appreciated.

Keith

Which VyOS version did you use when you found out about this issue?

It’s been a forever problem. I’ve been running rolling releases for the past six months, and it’s always had the same behavior with regard to SSH keys when upgrading.

Task created at: T6275 SSH-keys from home-directory are not included during an update

Please feel free to add additional information to the link above.

1 Like

Are SSH keys not in the config?

Not that I know of, if there is a place for them, I could put that in, yet I haven’t seen any options for that.

See
https://docs.vyos.io/en/sagitta/configuration/system/login.html#cfgcmd-set-system-login-user-username-authentication-public-keys-identifier-key-key

Let me know if what you need is something different

1 Like

Yes, it’s not for login auth, this is for the automated backups of configs to a remote server that requires key-based authentication.

Okay,
ssh client

question is if we want to keep those keys in config or just pick them up from /config/ssh-client
known hosts probably should be stored in /config/ssh-client directory permanently

1 Like

I am not sure the best manner in which to handle it. A bug was submitted, and I’m hoping something can be worked out to keep the configuration backups working between new versions.

I would primarily prefer if they are picked up from the home-directory since that's where they end up if you from the VyOS-box choose to SSH to another box and the SSH-client (at VyOS-box) asks you if you wish to store the fingerprint or not.

The installupdate script could probably ask three questions then:

  1. Copy already existing SSH-server private and public keys (/etc/ssh/)?

  2. Copy already existing SSH-client private and public keys (/home/xxx/)?

  3. Copy known_hosts from home-directories (/home/xxx/)?

For future updates it would probably be nice to be able to define known_hosts through the VyOS-config (this way the known_hosts could be created on first boot as well and not only during updates).

2 Likes