
I have a vanilla install of Ubuntu 22.04 with openssh-server installed. /etc/ssh/ssh_host_rsa_key is automatically created. I can "cat" the file to stdout:

b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABlwAAAAdzc2gtcn
NhAAAAAwEAAQAAAYEAsyIRkQsSQqxvrv67Xo9UdbdN+c81KfRS2WzDf8zna1AiYNP1riT+

However, it appears I cannot read this file using tools, e.g.:

# openssl rsa -in /etc/ssh/ssh_host_rsa_key -pubout
Could not read private key from /etc/ssh/ssh_host_rsa_key

Everything I read on the net indicates that it should be created without a passphrase: ssh-keygen -f /etc/ssh/ssh_host_rsa_key -N '' -t rsa -b 4096

So I don't understand why this key fails to be read, e.g. to create new public keys. Hence, if I'm creating new self-signed certificates, could I ever use this key to create a CSR? The effective result at the moment is that certificate signing requests using Ansible are failing due to "Wrong passphrase provided for private key".

- name: Create certificate signing request (CSR) for new certificate
  community.crypto.openssl_csr_pipe:
    privatekey_path: /etc/ssh/ssh_host_rsa_key
    subject_alt_name:
      - "DNS:ubuntu2204.localdomain"
  #delegate_to: ubuntu2204-vm2 -- not required, playbook handles host selection.
  run_once: true
  register: csr

rupert160
  • According to the [manual](https://man.openbsd.org/ssh-keygen): ***host keys must have an empty passphrase***, so either you or Ubuntu may have done something strange. Regardless, you don't use your default ssh (private) keys for anything other than ssh. And I would generate new private keys when you want to generate CSRs and set up certificates for other services. – Rob Apr 26 '22 at 08:08
  • What's the private key header, i.e. the output of `head -n1 /etc/ssh/ssh_host_rsa_key`? – mforsetti Apr 27 '22 at 06:58
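The failure in the question is a container-format mismatch rather than a passphrase: since OpenSSH 7.8, ssh-keygen writes private keys in its own "openssh-key-v1" format, which openssl(1) and other PEM-based loaders do not parse, and the two base64 lines pasted above decode to exactly that magic string followed by cipher "none" and KDF "none". The following Python script is an added example, not code from the post or its commenters; it answers mforsetti's header question by decoding the start of the key and reporting the format and encryption state, using the question's own two pasted lines as its built-in (truncated) sample.

```python
import base64
import struct
import sys

OPENSSH_MAGIC = b"openssh-key-v1\x00"

# Constructed input: the two base64 lines the question pasted from
# /etc/ssh/ssh_host_rsa_key (an excerpt, so the body is truncated).
SAMPLE_EXCERPT = (
    "b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABlwAAAAdzc2gtcn\n"
    "NhAAAAAwEAAQAAAYEAsyIRkQsSQqxvrv67Xo9UdbdN+c81KfRS2WzDf8zna1AiYNP1riT+\n"
)

def _read_string(buf, off):
    """Read one SSH wire-format string: big-endian uint32 length, then bytes."""
    (n,) = struct.unpack(">I", buf[off:off + 4])
    return buf[off + 4:off + 4 + n], off + 4 + n

def inspect_private_key(text):
    """Report a private key file's container format and whether it is encrypted.
    Legacy PEM containers are recognised by their BEGIN line; anything else is
    checked for the "openssh-key-v1" magic that openssl(1) does not parse."""
    lines = [l.rstrip() for l in text.strip().splitlines()]
    if lines and lines[0].startswith("-----BEGIN") and "OPENSSH" not in lines[0]:
        label = lines[0].strip("-").strip()[len("BEGIN "):]
        encrypted = "ENCRYPTED" in label or any(
            l.startswith("Proc-Type: 4,ENCRYPTED") for l in lines)
        return {"format": "pem", "label": label, "encrypted": encrypted}
    body = "".join(l for l in lines if not l.startswith("-----"))
    body += "=" * (-len(body) % 4)  # pad so a truncated excerpt still decodes
    raw = base64.b64decode(body)
    if not raw.startswith(OPENSSH_MAGIC):
        return {"format": "unknown", "encrypted": None}
    off = len(OPENSSH_MAGIC)
    cipher, off = _read_string(raw, off)       # b"none" when no passphrase
    kdf, off = _read_string(raw, off)          # b"none" or b"bcrypt"
    _kdf_options, off = _read_string(raw, off)
    (nkeys,) = struct.unpack(">I", raw[off:off + 4])
    pub_blob, _ = _read_string(raw, off + 4)   # starts with string keytype
    key_type, _ = _read_string(pub_blob, 0)
    return {"format": "openssh-v1", "cipher": cipher.decode(), "kdf": kdf.decode(),
            "keys": nkeys, "key_type": key_type.decode(),
            "encrypted": cipher != b"none"}

if __name__ == "__main__":
    # Pass a path (read host keys as root) or run without args on the excerpt.
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_EXCERPT
    print(inspect_private_key(data))
```

A key in this container can be rewritten to classic PEM in place with `ssh-keygen -p -N '' -m PEM -f <file>`, which openssl then reads; for the reasons Rob gives, do that on a freshly generated key meant for the certificate rather than on the host key.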

0 Answers