
Carry over SSH keys between images on upgrades
Open, High | Public | BUG

Description

Turns out that SSH keys (public keys from approved servers) in the home directories are not included when VyOS is updated, according to a forum post over at:

https://forum.vyos.io/t/question-about-saving-ssh-keys/14339

A workaround would be to place the keys in /config/backupssh or such, make sure to give proper permissions to that directory and the files.

Then in /config/scripts/vyos-postconfig-bootup.script add commands to create a symlink from the current home directory to the physical files found in /config/backupssh.

This way next time the system is updated the keys will follow to the updated version and the vyos-postconfig-bootup.script will make sure the SSH-keys will get symlinked from the home directory.

The user didn't report back from which to which version of VyOS this occurs, but states that:

It’s been a forever problem. I’ve been running rolling releases for the past six months, and it’s always had the same behavior with regard to SSH keys when upgrading.

Details

Version
1.5-rolling-202404250020
Is it a breaking change?
Perfectly compatible
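
The workaround from the description, sketched as an added shell example (not part of the original task and not VyOS's own code). The function name link_ssh_keys, the user name vyos and the path /home/vyos are assumptions; /config/backupssh and vyos-postconfig-bootup.script come from the description.

```shell
#!/bin/sh
# Added example: re-link per-user SSH files kept in persistent storage.
# Usage: link_ssh_keys BACKUP_DIR HOME_DIR [OWNER]   (hypothetical helper)
link_ssh_keys() {
    backup_dir=$1; home_dir=$2; owner=${3:-}
    [ -d "$backup_dir" ] || { echo "missing $backup_dir" >&2; return 1; }
    [ -d "$home_dir" ]   || { echo "missing $home_dir" >&2; return 1; }

    ssh_dir="$home_dir/.ssh"
    mkdir -p "$ssh_dir"
    # ssh rejects private keys that other users can read, so keep both
    # the backup directory and ~/.ssh private to the owner.
    chmod 700 "$backup_dir" "$ssh_dir"
    if [ -n "$owner" ]; then chown "$owner" "$backup_dir" "$ssh_dir"; fi

    for src in "$backup_dir"/*; do
        # Only plain files: skip subdirectories, an unmatched glob, and
        # symlinks inside the backup (never chmod/chown through a link).
        if [ -L "$src" ] || [ ! -f "$src" ]; then continue; fi
        name=${src##*/}
        dst="$ssh_dir/$name"
        case $name in
            *.pub) chmod 644 "$src" ;;   # public halves may be world-readable
            *)     chmod 600 "$src" ;;   # private keys, known_hosts, config
        esac
        if [ -n "$owner" ]; then chown "$owner" "$src"; fi
        # Do not replace a real file created in the new image's home dir.
        if [ -e "$dst" ] && [ ! -L "$dst" ]; then
            echo "keeping existing $dst" >&2
            continue
        fi
        ln -sfn "$src" "$dst"
        if [ -n "$owner" ]; then chown -h "$owner" "$dst"; fi
    done
    return 0
}

# Call as it would appear in /config/scripts/vyos-postconfig-bootup.script
# (user "vyos" and /home/vyos are assumptions).
if [ -d /config/backupssh ]; then
    link_ssh_keys /config/backupssh /home/vyos vyos
fi
```
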

Event Timeline

Are we talking about authorized_keys or known_hosts?

This would be the keys themselves and known_hosts, stored in the non-root user folder. The prompt during upgrade seems to indicate it'll copy them over. However, whenever I upgrade, I have to manually perform ssh-keygen and ssh-copy-id again for my backup server to allow my config backup to work.

@Viacheslav can you create a root task maybe, and we consolidate related tasks under it?

It is not a bug but a feature request.
Only keys in /etc/ssh are copied. The keys in the home user directory were never copied.

I disagree, being that there's a command and associated config entry to backup config to a remote ssh server. This config option requires key based authentication. It would seem that the backup function puts this in-scope as a bug. Everyone who uses the remote configuration backup to an external ssh box is affected.

The bug means the feature is implemented but works with issues, but this functionality has never been implemented :)
I created a root task T6279, and several similar/related subtasks.

It seems like if there's an option to use remote backup in the config, yet the keys get erased every time it's upgraded, that would be a bug. However, I am new to dev on VyOS, so classify it as makes sense for the team and I'll hope it gets implemented at some point. 👍

dmbaturin triaged this task as Normal priority. Apr 29 2024, 7:58 AM
syncer raised the priority of this task from Normal to High. Oct 28 2024, 5:55 AM
syncer edited projects, added VyOS Rolling; removed VyOS 1.5 Circinus.
dmbaturin renamed this task from "SSH-keys from home-directory are not included during an update" to "Carry over SSH keys between images on upgrades". Oct 28 2024, 9:48 AM
dmbaturin removed a project: Bugs.
dmbaturin changed Is it a breaking change? from Unspecified (possibly destroys the router) to Perfectly compatible.
dmbaturin changed Issue type from Bug (incorrect behavior) to improvement.