Sshd Can't Load Host Key



  • This log message is generated every time I connect via ssh (the connection is successful).

    error: Could not load host key: /etc/ssh/ssh_host_dsa_key

    The file is not there.


  • Rebel Alliance Developer Netgate

    Is there a /etc/ssh/ssh_host_dsa_key.pub file? If so, remove it. We don't create DSA keys any longer, so I wouldn't expect that to toss an error.

    It should only have those if they were there from 2.2.x.

    On 2.3 it should only make RSA, ECDSA, and ED25519.



  • There are no dsa files.  Only the rsa, ecdsa, and ed25519 files.  This is a fresh 2.3 install so nothing from 2.2.x.

    Every time I connect it logs the error about not being able to load the host key: ssh_host_dsa_key.  Then accepts the connection.

    
    Accepted publickey for root from 192.168.2.21 port 63937 ssh2: RSA SHA256:+iLjwFiey...
    
    

  • Rebel Alliance Developer Netgate

    Are you sure the message is coming from the server and not the client? Maybe the client is requesting the DSA key specifically?
    What client is it?



  • I'm seeing the same thing and am also on a fresh install, sort of: upgraded from RC, which was installed a couple of days back, but I've been seeing this all the time from the fresh install.


  • Rebel Alliance Developer Netgate

    So is the message displayed to the SSH client, put in the system log on the server? Somewhere else? It's not been clearly stated where the error is shown.



  • @jimp:

    So is the message displayed to the SSH client, put in the system log on the server? Somewhere else? It's not been clearly stated where the error is shown.

    It's in the systemlog of pfSense.

    
    Apr 13 07:48:14	sshd	40540	Accepted keyboard-interactive/pam for admin from 192.168.1.100 port 49169 ssh2
    Apr 13 07:48:08	sshd	40540	error: Could not load host key: /etc/ssh/ssh_host_dsa_key
    
    

  • Rebel Alliance Developer Netgate

    Ah, ok. I was thinking it was shown on the client. I do see that in the system log on at least one of mine. Seems harmless but annoying. I know we disabled generation of DSA keys, but for some reason sshd is still trying to read them.
    Probably worth opening a redmine ticket for.





  • Hello

    I have the same log:

    May 4 13:46:58 sshd 80914 Accepted password for root from 10.168.0.10 port 56527 ssh2
    May 4 13:46:57 sshd 80914 error: Could not load host key: /etc/ssh/ssh_host_dsa_key
    May 4 13:46:57 sshd 68220 Accepted password for root from 10.168.0.10 port 56526 ssh2
    May 4 13:46:50 sshd 68220 error: Could not load host key: /etc/ssh/ssh_host_dsa_key
    May 4 13:46:48 sshd 81132 Disconnected from 10.168.0.10 port 55951
    May 4 13:46:48 sshd 81132 Received disconnect from 10.168.0.10 port 55951:11: disconnected by user
    May 4 13:43:25 sshd 21426 Accepted password for root from 10.168.0.10 port 56514 ssh2
    May 4 13:43:25 sshd 21426 error: Could not load host key: /etc/ssh/ssh_host_dsa_key
    May 4 13:42:08 sshd 86408 Accepted password for root from 10.168.0.10 port 56511 ssh2
    May 4 13:42:07 sshd 86408 error: Could not load host key: /etc/ssh/ssh_host_dsa_key
    May 4 13:22:52 sshd 60475 Accepted password for root from 10.168.0.10 port 56455 ssh2
    May 4 13:22:52 sshd 60475 error: Could not load host key: /etc/ssh/ssh_host_dsa_key
    May 4 13:20:32 sshd 16348 Accepted password for root from 10.168.0.10 port 56450 ssh2
    May 4 13:20:31 sshd 16348 error: Could not load host key: /etc/ssh/ssh_host_dsa_key
    May 4 13:17:14 sshd 62619 Accepted password for root from 10.168.0.10 port 56442 ssh2
    May 4 13:17:14 sshd 62619 error: Could not load host key: /etc/ssh/ssh_host_dsa_key
    May 4 13:15:10 sshd 43987 Accepted password for root from 10.168.0.10 port 56440 ssh2
    May 4 13:15:09 sshd 43987 error: Could not load host key: /etc/ssh/ssh_host_dsa_key
    May 4 13:11:22 sshd 43956 Accepted password for root from 10.168.0.10 port 56427 ssh2
    May 4 13:11:22 sshd 43956 error: Could not load host key: /etc/ssh/ssh_host_dsa_key
    May 4 13:10:52 sshd 87366 Accepted password for root from 10.168.0.10 port 56425 ssh2
    May 4 13:10:51 sshd 87366 error: Could not load host key: /etc/ssh/ssh_host_dsa_key
    May 4 13:06:39 sshd 53397 Accepted password for root from 10.168.0.10 port 56408 ssh2
    May 4 13:06:39 sshd 53397 error: Could not load host key: /etc/ssh/ssh_host_dsa_key
    May 4 13:06:02 sshd 89698 Accepted password for root from 10.168.0.10 port 56407 ssh2
    May 4 13:06:02 sshd 89698 error: Could not load host key: /etc/ssh/ssh_host_dsa_key
    May 4 13:04:14 sshd 97231 Accepted password for root from 10.168.0.10 port 56399 ssh2
    May 4 13:04:13 sshd 97231 error: Could not load host key: /etc/ssh/ssh_host_dsa_key

    I have pfSense 2.3 (2.3_1) amd64 and it's a fresh installation.

    My ssh client is MobaXterm (based on PuTTY).

    But the ssh connections work fine for me.

    Regards.


  • LAYER 8 Global Moderator

    I am not seeing any such entries.. Just logs that it accepted my public key

    But I do have the key which would explain why no error ;)
    -rw-------  1 root  wheel    668 Dec 23  2014 ssh_host_dsa_key
    -rw-r--r--  1 root  wheel    612 Dec 23  2014 ssh_host_dsa_key.pub

    This is on an upgraded system running 2.3 that had been upgraded a few times I believe from previous 2.2.x versions.. I would assume those keys were done back before the generation of the keys was removed..




  • I believe the fix for this is in 2.3.1.  It may be in one of the git commits for 2.3 also.  Don't recall for sure, but pretty sure it's been fixed.

    Bug Report:
    https://redmine.pfsense.org/issues/6143

    Fix Commit:
    https://github.com/pfsense/pfsense/pull/2874



  • Yeah it's fixed for 2.3.1. Just log spam, not hurting anything.
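
One way to check which host key files an sshd configuration points at, and whether each private key and its `.pub` companion actually exist, as discussed in the replies above. This is an added example, not code from the thread or from pfSense; it assumes the configuration uses explicit `HostKey` lines, and the sample config and key files built in `demo_audit` are constructed.

```shell
#!/bin/sh
# audit_hostkeys CONFIG
# For every HostKey directive in an sshd_config-style file, print
# "<status> <path>" where status is one of:
#   ok          private key and .pub both present
#   missing     private key absent (sshd logs "Could not load host key")
#   orphan-pub  private key absent, but a .pub file was left behind
#   no-pub      private key present, .pub absent
audit_hostkeys() {
    conf=$1
    # The keyword is case-insensitive; "#HostKey ..." lines are comments
    # and do not match because their first field starts with '#'.
    awk 'tolower($1) == "hostkey" && $2 != "" { print $2 }' "$conf" |
    while IFS= read -r key; do
        if [ -f "$key" ]; then
            if [ -f "$key.pub" ]; then status=ok; else status=no-pub; fi
        else
            if [ -f "$key.pub" ]; then status=orphan-pub; else status=missing; fi
        fi
        printf '%s %s\n' "$status" "$key"
    done
}

# Constructed sample: a throwaway directory with a config that references
# four keys, of which only some exist. Not a real pfSense configuration.
demo_audit() {
    d=$(mktemp -d) || return 1
    : > "$d/ssh_host_rsa_key"; : > "$d/ssh_host_rsa_key.pub"
    : > "$d/ssh_host_ecdsa_key.pub"
    : > "$d/ssh_host_ed25519_key"
    cat > "$d/sshd_config" <<EOF
# constructed sample
Port 22
HostKey $d/ssh_host_rsa_key
hostkey $d/ssh_host_dsa_key
#HostKey $d/ssh_host_commented_key
HostKey $d/ssh_host_ecdsa_key
HostKey $d/ssh_host_ed25519_key
EOF
    # Strip the temp directory prefix so the output is stable.
    audit_hostkeys "$d/sshd_config" | sed "s|$d/||"
    rm -rf "$d"
}

demo_audit
```

On a live system, point `audit_hostkeys` at the sshd configuration file in use. If that file has no `HostKey` lines, sshd falls back to its built-in default list and the function prints nothing.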

