Wired Intelligent Edge

Hello,

once ArubaOS-CX warning syslogging to HPE IMC via vrf mgmt (OoBM) was activated with:

logging ip-of-imc udp severity warning vrf mgmt include-auditable-events

we started receiving the Error "error: Could not load host key: /etc/ssh/ssh_host_dsa_key" from both VSX nodes' sshd daemons.

I checked and, actually, each VSX node has:

• ECDSA SSH host key
• ED25519 SSH host key
• RSA SSH Host key

so no DSA SSH Key at all.

The sshd_config has:

Aruba-8320-1:~$ grep -i hostkey /etc/ssh/sshd_config
# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key
#HostKey /etc/ssh/ssh_host_ed25519_key

and:

Aruba-8320-1:~$ /usr/sbin/sshd -T |grep hostkey
/etc/ssh/sshd_config line 111: Deprecated option UsePrivilegeSeparation
Could not load host key: /etc/ssh/ssh_host_rsa_key
Could not load host key: /etc/ssh/ssh_host_dsa_key
Could not load host key: /etc/ssh/ssh_host_ecdsa_key
Could not load host key: /etc/ssh/ssh_host_ed25519_key
sshd: no hostkeys available -- exiting.

despite three SSH Keys reported above are available:

Aruba-8320-1:~$ ls -lah /etc/ssh/
total 580K
drwxr-xr-x  2 root root  240 Nov  6 11:58 .
drwxr-xr-x 67 root root 2.8K Nov  6 11:58 ..
-rw-r--r--  1 root root 541K Sep 24 14:24 moduli
-rw-r--r--  1 root root 1.8K Jan 11 15:32 ssh_config
-rw-------  1 root root  227 Nov  6 11:58 ssh_host_ecdsa_key
-rw-r--r--  1 root root  171 Nov  6 11:58 ssh_host_ecdsa_key.pub
-rw-------  1 root root  399 Nov  6 11:58 ssh_host_ed25519_key
-rw-r--r--  1 root root   91 Nov  6 11:58 ssh_host_ed25519_key.pub
-rw-------  1 root root 1.7K Nov  6 11:58 ssh_host_rsa_key
-rw-r--r--  1 root root  391 Nov  6 11:58 ssh_host_rsa_key.pub
-rw-r--r--  1 root root 3.8K Jan 11 15:32 sshd_config
-rw-r--r--  1 root root 3.5K Oct  3 20:43 sshd_config_readonly

 Any idea how to stop sshd making noise about this missing (DSA) Key?

Let we see if (via start-shell) a:

Aruba-8320-1:~$ sudo /usr/bin/ssh-keygen -A
ssh-keygen: generating new host keys: DSA

does the trick (I suspect related sshd.service needs to be restarted then).

I'm not totally sure that manually generating missing SSH Key is the correct way to fix the Error syslog message we receive...probably - I presume - acting on sshd_config file would be the correct way to proceed.

The generated ssh_host_dsa_key.pub file ends with root@Aruba-8320-1 (which is the actual VSX Member hostname assigned to this Aruba 8320 node): I notice that - instead - three existing Host Keys were generated (automatically) as root@8320 (so when the Aruba 8320 was running with its default configuration). Should these three keys need to be (re)generated?

After a week I can say that, of our VSX, only the Aruba-8320-2 node still reports to IMC two errors in a row:Aruba-8320-1 became silent (no more Errors).

Why that is happening? Is manual DSA Key generation from shell correct?

Any idea?

ask TAC ?

Just for reference, opened Case Id 5336201687 on HPE Networking Portal.

get a reply ?

Hi Alexis, yes...Aruba ERT was able to reproduce the issue.

As workaround they suggested me to use the method I initially described above to quiet remaining Error logs generated by Node 1.

Alteratively the update of ArubaOS-CX to latest 10.02.0010 should fix this strange behaviour because SSH config on that built was modified.

The issue has been fixed with the VSX upgrade to ArubaOS-CX 10.02.0010.