
We have set up a bastion that only responds with the ssh-rsa host key algorithm when queried:

ssh-keyscan bastion.ops.dev.xxx.com

# bastion.ops.dev.xxx.com:22 SSH-2.0-OpenSSH_7.4
# bastion.ops.dev.xxx.com:22 SSH-2.0-OpenSSH_7.4
bastion.ops.dev.xxx.com ssh-rsa AAAAB3Nza...+REOQ8RMWBWH
# bastion.ops.dev.xxx.com:22 SSH-2.0-OpenSSH_7.4
# bastion.ops.dev.xxx.com:22 SSH-2.0-OpenSSH_7.4
# bastion.ops.dev.xxx.com:22 SSH-2.0-OpenSSH_7.4

Although /etc/ssh/sshd_config looks reasonable and contains the following parameters:

HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key

The keys themselves also look reasonable and have proper permissions:

-rw-r----- 1 root ssh_keys 2602 Mar 15 08:58 ssh_host_ecdsa_key
-rw-r--r-- 1 root root      572 Mar 15 08:58 ssh_host_ecdsa_key.pub
-rw-r----- 1 root ssh_keys  411 Mar 15 08:58 ssh_host_ed25519_key
-rw-r--r-- 1 root root      100 Mar 15 08:58 ssh_host_ed25519_key.pub
-rw-r----- 1 root ssh_keys 1675 Mar 15 08:57 ssh_host_rsa_key
-rw-r--r-- 1 root root      382 Mar 15 08:57 ssh_host_rsa_key.pub

Checking the keys:

ssh-keygen -y -e -f ssh_host_ecdsa_key

Comment: "3072-bit RSA, converted by root@xxx"
AAAAB3....
---- END SSH2 PUBLIC KEY ----

(Is RSA correct for an ECDSA key??)

and

ssh-keygen -y -e -f ssh_host_ed25519_key

---- BEGIN SSH2 PUBLIC KEY ----
Comment: "256-bit ED25519, converted by root@xxx"
AAAAC.../keIIubitK
---- END SSH2 PUBLIC KEY ----

I checked systemctl status sshd, which yields errors though:

Mar 15 09:56:04 ip-xxx.eu-central-1.compute.internal systemd[1]: Stopping OpenSSH server daemon...
Mar 15 09:56:04 ip-xxx.eu-central-1.compute.internal sshd[1183]: Received signal 15; terminating.
Mar 15 09:56:04 ip-xxx.eu-central-1.compute.internal systemd[1]: Stopped OpenSSH server daemon.
Mar 15 09:56:04 ip-xxx.eu-central-1.compute.internal systemd[1]: Starting OpenSSH server daemon...
Mar 15 09:56:04 ip-xxx.eu-central-1.compute.internal sshd[5216]: Could not load host key: /etc/ssh/ssh_host_ecdsa_key
Mar 15 09:56:04 ip-xxx.eu-central-1.compute.internal sshd[5216]: Server listening on 0.0.0.0 port 22.
Mar 15 09:56:04 ip-xxx.eu-central-1.compute.internal sshd[5216]: Could not load host key: /etc/ssh/ssh_host_ed25519_key
Mar 15 09:56:04 ip-xxx.eu-central-1.compute.internal sshd[5216]: Server listening on :: port 22.
Mar 15 09:56:04 ip-xxx.eu-central-1.compute.internal systemd[1]: Started OpenSSH server daemon.
Mar 15 09:56:10 ip-xxx.eu-central-1.compute.internal sshd[5218]: error: Could not load host key: /etc/ssh/ssh_host_ecdsa_key

How can I track those down?

1 Answer


It turned out our private-key files were missing proper newlines and thus were invalid. Best way to verify: ssh-keygen -y -f ssh_host_ed25519_key
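The check the answer describes, turned into a small script that walks every HostKey line of an sshd_config and runs ssh-keygen -y on each file. This is an added example, not code from the question or the answer; it assumes ssh-keygen is on PATH and that it is run as a user who can read the private keys (root, or a member of the key files' group). The file-name-to-key-type mapping used for the MISMATCH warning is a convention of this script, not something sshd enforces.

```shell
#!/bin/sh
# Added example (not part of the original post): validate the host keys an
# sshd_config actually references by asking ssh-keygen to derive the public
# half of each private key, exactly as the answer above suggests.
# Assumes ssh-keygen is on PATH and the caller can read the private keys.

# List the HostKey paths a config uses; commented-out entries are skipped.
hostkey_paths() {
    sed -n 's/^[[:space:]]*HostKey[[:space:]]\{1,\}//p' "$1"
}

# Key type we expect from the conventional file name (hypothetical mapping
# used only for the warning below; sshd does not care what a file is called).
expected_type() {
    case "$1" in
        *ecdsa*)   echo ecdsa-sha2- ;;   # ecdsa-sha2-nistp256/384/521
        *ed25519*) echo ssh-ed25519 ;;
        *rsa*)     echo ssh-rsa ;;
        *)         echo "" ;;
    esac
}

# Exit 0 if ssh-keygen can parse the private key and print its public half,
# 1 if it cannot: missing file, unreadable file, or a malformed file such as
# one whose "-----END ... PRIVATE KEY-----" marker is not on its own line,
# which is what a key with stripped newlines looks like to OpenSSH.
check_host_key() {
    key=$1
    if pub=$(ssh-keygen -y -f "$key" 2>/dev/null); then
        ktype=${pub%% *}                  # first field of the public line
        want=$(expected_type "$key")
        case "$ktype" in
            "$want"*) printf 'OK       %s (%s)\n' "$key" "$ktype" ;;
            *)        printf 'MISMATCH %s is %s, name suggests %s\n' \
                          "$key" "$ktype" "$want" ;;
        esac
        return 0
    fi
    printf 'INVALID  %s\n' "$key"
    return 1
}

# Report on every HostKey in a config; the exit status is the number of keys
# ssh-keygen could not load, so 0 means sshd will be able to load all of them.
check_sshd_config() {
    bad=0
    for k in $(hostkey_paths "$1"); do
        check_host_key "$k" || bad=$((bad + 1))
    done
    return "$bad"
}

# Usage: sh check_host_keys.sh /etc/ssh/sshd_config
if [ $# -gt 0 ]; then
    check_sshd_config "$1"
fi
```

Run it as root on the bastion after any change to the key files; an INVALID line corresponds to the "Could not load host key" message sshd logs at start-up, and `sshd -t` (which also loads the host keys) will report the same files. A MISMATCH line means the file loads but holds a different key type than its name suggests, which is worth checking whenever ssh-keygen reports an RSA key for a file named ecdsa.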
