Fix SSH host key generation warnings #1290
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
wkz
reviewed
Dec 1, 2025
Contributor
wkz
left a comment
wkz
left a comment
There was a problem hiding this comment.
Don't we want mksshkey to generate PKCS#8 framing around the key, so that we can import ECDSA and other key types as well?
I.e., if we kept mk{keys,sshkey} as they were before this change, and ran s/ RSA//g on mksshkey's header strings, would that also work?
Contributor
Author
Good point, I'll have a look! |
troglobit
force-pushed
the
hostkey-warning
branch
from
f51c7d9 to
a6a4e1e
Compare
Contributor
Author
|
Yup, that works @wkz, thanks for pointing this out! |
troglobit
force-pushed
the
hostkey-warning
branch
from
a6a4e1e to
6450d4d
Compare
mattiaswal
approved these changes
Dec 2, 2025
Validate keys in gen_hostkey() before passing empty keys to shell scripts, preventing: Nov 04 2024 10:54:25 confd[2697]: SSH key (genkey) does not exist, generating... Nov 04 2024 10:54:25 confd[2697]: writing RSA key Nov 04 2024 10:54:26 confd[2697]: do_convert_from_pkcs8: /tmp/tmp.FH1Hr1 is not a recognised public key format Also, fix base64 content formatting with proper 64-character line wrapping using printf+fold instead of echo. Use PKCS#1 RSA format for public keys as required by netopeer2-server, while keeping PKCS#8 format for private keys. Use proper ssh-keygen format flag (PKCS8) for correct conversion. Fixes #1289 Signed-off-by: Joachim Wiberg <[email protected]>
troglobit
force-pushed
the
hostkey-warning
branch
from
6450d4d to
d23f9ea
Compare
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Description
Fix several issues in SSH host key generation and import that caused warnings in system logs:
mkkeys: Switch from openssl genpkey (PKCS#8) to genrsa (PKCS#1) to match the expected format in mksshkey
mksshkey: Fix PEM file reconstruction by properly formatting base64 content with 64-character line wrapping using printf+fold. The previous approach concatenated the END marker to the last base64 line, causing "unrecognised raw private key format" errors
mksshkey: Correct ssh-keygen format flag from PKCS8 to PEM for public key conversion
confd:keystore.c: Skip gen_hostkey() when keys are empty to prevent attempting to import invalid PEM files during SR_EV_UPDATE events before keys are populated in the config tree
mksshkey: Convert from bash to POSIX sh (no bashisms were used)
This eliminates the "do_convert_from_pem: unrecognised raw private key format" error messages during system boot and SSH key configuration.
Fixes #1289
Checklist
Tick relevant boxes, this PR is-a or has-a: