Page MenuHomeVyOS Platform
Create Task
Maniphest T5455

SSH fingerprints aren't migrated to the new image on upgrade
Open, NormalPublicBUG
Actions

Description

When upgrading a VyOS installation by using "add system image" there is a part that migrates current configuration and SSH keys like so:

Installing "1.4-rolling-202308060317" image.
Copying new release files...
Would you like to save the current configuration 
directory and config file? (Yes/No) [Yes]: 
Copying current configuration...
Would you like to save the SSH host keys from your 
current configuration? (Yes/No) [Yes]: 
Copying SSH keys...
Running post-install script...
Setting up grub configuration...
Done.

However already learned and verified fingerprints of SSH hosts are not migrated which means that after an upgrade using "add system image" and reboot you must verifiy and approve SSH fingerprints again:

The authenticity of host '<REMOVED> (<REMOVED>)' can't be established.
<REMOVED> key fingerprint is <REMOVED>.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '<REMOVED>' (<REMOVED>) to the list of known hosts.
<REMOVED>@<REMOVED>'s password:

Details

Difficulty level
Unknown (require assessment)
Version
VyOS 1.4-rolling-202308060317
Why the issue appeared?
Design mistake
Is it a breaking change?
Perfectly compatible
Issue type
Improvement (missing useful functionality)

Related Objects
Search...

Event Timeline

Apachez created this task.Aug 10 2023, 7:15 AM
pasik subscribed.Aug 10 2023, 8:27 AM
Viacheslav subscribed.Sep 5 2023, 2:12 PM

It only saves the SSH keys https://github.com/vyos/vyatta-cfg-system/blob/c2d9dea2524297404fb27028c1f41124dc47c24f/scripts/install/install-image-existing#L223-L231

Apachez added a comment.Sep 6 2023, 3:25 PM

So what needs to be done is to copy that block and make a separate question regarding:

Would you like to save the SSH known hosts (fingerprints)
from your current configuration? (Yes/No) [Yes]:

And if "Yes" then copy both /root/.ssh/known_hosts and /home/<username>/.ssh/known_hosts to the new persistence directory of each user.

yun subscribed.Sep 14 2023, 10:57 AM

Would also be nice to include the global known_hosts file in /etc/ssh/ssh_known_hosts.

gmurphy42 mentioned this in T5652: Config migrate to image upgrade does not properly generate home directory.Oct 12 2023, 5:56 PM
I-n-d-y subscribed.Oct 14 2023, 4:51 PM
Viacheslav triaged this task as Normal priority.Jan 20 2024, 1:01 PM
Viacheslav added a parent task: T6279: The root task for copying SSH keys and files from the home directory to use between updates.Apr 29 2024, 6:24 AM
syncer edited projects, added VyOS 1.4 Sagitta (1.4.0-GA); removed VyOS 1.4 Sagitta.May 7 2024, 8:02 AM
dmbaturin edited projects, added VyOS 1.4 Sagitta (1.4.1); removed VyOS 1.4 Sagitta (1.4.0-GA).Jul 2 2024, 7:29 PM
dmbaturin renamed this task from SSH fingerprints isnt migrated during add system image to SSH fingerprints aren't migrated to the new image on upgrade.Jul 3 2024, 1:06 PM
dmbaturin changed Why the issue appeared? from Will be filled on close to Design mistake.
dmbaturin changed Is it a breaking change? from Unspecified (possibly destroys the router) to Perfectly compatible.