Netgate Discussion Forum
    SSHD failed to start

    General pfSense Questions
    26 Posts 5 Posters 2.3k Views
    • KrypticKahos @manicmoose

      @manicmoose
      It was obvious that the cert was expired, just didn't think it would have anything to do with ssh key generation. I also incorrectly assumed it was from an old cert when I was playing with the acme plugin.

      It's still weird I was able to start ssh from command prompt, and it gave the missing key error, but either way I'm glad it's working now.

      • stephenw10 Netgate Administrator

        Mmm, that is weird. I can't really see how an expired cert would affect that. I'll see if I can replicate it.

        Steve

        • KrypticKahos @stephenw10

          @stephenw10
          One final piece of information that may help with the actual root cause of the issue. When troubleshooting I also found an old static IP entry on LAN for the device I was using as my firewall. This was an old entry from when I was using a different firewall and had this device on the network. During the time of getting the fix working I also deleted the static IP entry, but it didn't immediately resolve the issue so I didn't think it was the solution but it might have been.

          I attempted further testing by restoring to the old config that had the static IP as well as the expired self signed cert (I didn't perform a clean install this time). At reboot after restoring with both issues sshd worked correctly.

          So this may actually be related to the static IP entry but only manifests after a clean install and restore. If I get some time in the future I may attempt a clean install again but as of current this is the best info I have.

          As an extra point the firewall I'm using is a dual Ethernet port device, with non-switched ports. I'm not sure if the WAN or LAN port was assigned the static IP, but it was one of them.

          • lxndrp @stephenw10

            @stephenw10 @manicmoose

            I have the impression that we have several issues that somehow interact here.

            First, it seems that (for our systems) after an upgrade from 2.5.2 to 2.6, SSH host keys get lost. I have verified this for my installation (with a clean install) already.

            Second, a re-install from USB (with config.xml recovery from disk) has the same issue. I have verified this as well: A manual backup of the config.xml before doing the reinstall has the keys; after the reinstall, they seem to be lost.

            Third, although keys are in place (e.g. by running

            ssh-keygen -A

            from the Diagnostics/Command Prompt), sshd fails to start (logs look ok, Status/Services indicates a red X, running

            ssh admin@pfsense

            against the pfSense host times out).

            However, when running

            /usr/sbin/sshd
            

            from the Diagnostics/Command Prompt manually, it seems to start fine (no output at all), and sshing into the machine works fine.

            After rebooting a few times (usually once doesn't suffice), sshd seems to start normally.

            Let me know if I can provide you with additional information (logs etc.); I am happy to help.

            • stephenw10 Netgate Administrator

              Hmm, ssh keys certainly shouldn't be lost at upgrade.

              Storing of SSH keys in the config is new in 22.01/2.6 so if you are restoring a backup from 2.5.2 the keys would not be restored.

              You see any errors when restoring a 2.6 config into 2.6?

              Steve

              • lxndrp @stephenw10

                @stephenw10 I only tried from 22.01 to 2.6.0; there, the same issue appears.
