Once ArubaOS-CX warning syslogging to HPE IMC via vrf mgmt (OoBM) was activated with:
logging ip-of-imc udp severity warning vrf mgmt include-auditable-events
we started receiving the Error "error: Could not load host key: /etc/ssh/ssh_host_dsa_key" from both VSX nodes' sshd daemons.
I checked and, actually, each VSX node has:
so no DSA SSH Key at all.
The sshd_config has:
Aruba-8320-1:~$ grep -i hostkey /etc/ssh/sshd_config
# HostKey for protocol version 1
# HostKeys for protocol version 2
Aruba-8320-1:~$ /usr/sbin/sshd -T |grep hostkey
/etc/ssh/sshd_config line 111: Deprecated option UsePrivilegeSeparation
Could not load host key: /etc/ssh/ssh_host_rsa_key
Could not load host key: /etc/ssh/ssh_host_dsa_key
Could not load host key: /etc/ssh/ssh_host_ecdsa_key
Could not load host key: /etc/ssh/ssh_host_ed25519_key
sshd: no hostkeys available -- exiting.
despite the fact that three of the SSH Keys reported above are available:
Aruba-8320-1:~$ ls -lah /etc/ssh/
drwxr-xr-x 2 root root 240 Nov 6 11:58 .
drwxr-xr-x 67 root root 2.8K Nov 6 11:58 ..
-rw-r--r-- 1 root root 541K Sep 24 14:24 moduli
-rw-r--r-- 1 root root 1.8K Jan 11 15:32 ssh_config
-rw------- 1 root root 227 Nov 6 11:58 ssh_host_ecdsa_key
-rw-r--r-- 1 root root 171 Nov 6 11:58 ssh_host_ecdsa_key.pub
-rw------- 1 root root 399 Nov 6 11:58 ssh_host_ed25519_key
-rw-r--r-- 1 root root 91 Nov 6 11:58 ssh_host_ed25519_key.pub
-rw------- 1 root root 1.7K Nov 6 11:58 ssh_host_rsa_key
-rw-r--r-- 1 root root 391 Nov 6 11:58 ssh_host_rsa_key.pub
-rw-r--r-- 1 root root 3.8K Jan 11 15:32 sshd_config
-rw-r--r-- 1 root root 3.5K Oct 3 20:43 sshd_config_readonly
Any idea how to stop sshd making noise about this missing (DSA) Key?
Let's see if (via start-shell) a:
Aruba-8320-1:~$ sudo /usr/bin/ssh-keygen -A
ssh-keygen: generating new host keys: DSA
does the trick (I suspect related sshd.service needs to be restarted then).
I'm not totally sure that manually generating the missing SSH Key is the correct way to fix the Error syslog message we receive... probably - I presume - acting on the sshd_config file would be the correct way to proceed.
The generated ssh_host_dsa_key.pub file ends with root@Aruba-8320-1 (which is the actual VSX Member hostname assigned to this Aruba 8320 node): I notice that - instead - the three existing Host Keys were generated (automatically) as root@8320 (so when the Aruba 8320 was running with its default configuration). Do these three keys need to be (re)generated?
After a week I can say that, of our VSX, only the Aruba-8320-2 node still reports to IMC two errors in a row: Aruba-8320-1 became silent (no more Errors).
Why is that happening? Is manual DSA Key generation from shell correct?
Ask TAC?
Just for reference, opened Case Id 5336201687 on HPE Networking Portal.
Get a reply?
Hi Alexis, yes...Aruba ERT was able to reproduce the issue.
As a workaround they suggested that I use the method I initially described above to quiet the remaining Error logs generated by Node 1.
Alternatively, the update of ArubaOS-CX to the latest 10.02.0010 should fix this strange behaviour, because the SSH config on that build was modified.
The issue has been fixed with the VSX upgrade to ArubaOS-CX 10.02.0010.