Page MenuHomeVyOS Platform
Create Task
Maniphest T5455

SSH fingerprints aren't migrated to the new image on upgrade
Open, HighPublicBUG
Actions

Description

When upgrading a VyOS installation by using "add system image" there is a part that migrates current configuration and SSH keys like so:

Installing "1.4-rolling-202308060317" image.
Copying new release files...
Would you like to save the current configuration 
directory and config file? (Yes/No) [Yes]: 
Copying current configuration...
Would you like to save the SSH host keys from your 
current configuration? (Yes/No) [Yes]: 
Copying SSH keys...
Running post-install script...
Setting up grub configuration...
Done.

However already learned and verified fingerprints of SSH hosts are not migrated which means that after an upgrade using "add system image" and reboot you must verifiy and approve SSH fingerprints again:

The authenticity of host '<REMOVED> (<REMOVED>)' can't be established.
<REMOVED> key fingerprint is <REMOVED>.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '<REMOVED>' (<REMOVED>) to the list of known hosts.
<REMOVED>@<REMOVED>'s password:

Details

Version
VyOS 1.4-rolling-202308060317
Is it a breaking change?
Perfectly compatible
Issue type
Feature (new functionality)

Related Objects
Search...

Event Timeline

Apachez created this task.Aug 10 2023, 7:15 AM
pasik subscribed.Aug 10 2023, 8:27 AM
Viacheslav subscribed.Sep 5 2023, 2:12 PM

It only saves the SSH keys https://github.com/vyos/vyatta-cfg-system/blob/c2d9dea2524297404fb27028c1f41124dc47c24f/scripts/install/install-image-existing#L223-L231

Apachez added a comment.Sep 6 2023, 3:25 PM

So what needs to be done is to copy that block and make a separate question regarding:

Would you like to save the SSH known hosts (fingerprints)
from your current configuration? (Yes/No) [Yes]:

And if "Yes" then copy both /root/.ssh/known_hosts and /home/<username>/.ssh/known_hosts to the new persistence directory of each user.

yun subscribed.Sep 14 2023, 10:57 AM

Would also be nice to include the global known_hosts file in /etc/ssh/ssh_known_hosts.

gmurphy42 mentioned this in T5652: Config migrate to image upgrade does not properly generate home directory.Oct 12 2023, 5:56 PM
I-n-d-y subscribed.Oct 14 2023, 4:51 PM
Viacheslav triaged this task as Normal priority.Jan 20 2024, 1:01 PM
Viacheslav added a parent task: T6279: The root task for copying SSH keys and files from the home directory to use between updates.Apr 29 2024, 6:24 AM
syncer edited projects, added VyOS 1.4 Sagitta (1.4.0-GA); removed VyOS 1.4 Sagitta.May 7 2024, 8:02 AM
dmbaturin edited projects, added VyOS 1.4 Sagitta (1.4.1); removed VyOS 1.4 Sagitta (1.4.0-GA).Jul 2 2024, 7:29 PM
dmbaturin renamed this task from SSH fingerprints isnt migrated during add system image to SSH fingerprints aren't migrated to the new image on upgrade.Jul 3 2024, 1:06 PM
dmbaturin edited a custom field.
dmbaturin changed Is it a breaking change? from Unspecified (possibly destroys the router) to Perfectly compatible.
syncer raised the priority of this task from Normal to High.Oct 28 2024, 5:55 AM
syncer edited projects, added VyOS Rolling; removed VyOS 1.4 Sagitta (1.4.1).
syncer moved this task from Need Triage to Backlog - Bug on the VyOS Rolling board.Oct 30 2024, 7:29 PM
syncer added a subscriber: Global Notifications.Nov 1 2024, 9:16 PM
dmbaturin added a project: Restricted Project.Feb 6 2025, 12:18 AM
dmbaturin changed Issue type from improvement to Feature (new functionality).