raspi-config SSH Error

Earlier this afternoon I was configuring a Raspberry Pi 2 using raspi-config on the most recent version of Raspbian. When I went to the Advanced Options menu and selected the option to enable or disable SSH access, I saw this error.

[Screenshot: SSH error in raspi-config]

Then when I selected “<Ok>” I saw another message.

[Screenshot: raspi-config error #2]

I did a quick search online and found quite a few posts where others have experienced this error. Sadly, the answer was buried way down in the comments if a solution was offered at all. The solutions I saw worked but didn’t fully explain what the problem was nor the root cause.

What causes the error to be displayed?

raspi-config is a shell script so I dug into the code to see what condition it is looking for. Here is the function that handles enabling and disabling of SSH.

01: do_ssh() {
02:   if [ -e /var/log/regen_ssh_keys.log ] && ! grep -q "^finished" /var/log/regen_ssh_keys.log; then
03:     whiptail --msgbox "Initial ssh key generation still running. Please wait and try again." 20 60 2
04:     return 1
05:   fi
06:   whiptail --yesno "Would you like the SSH server enabled or disabled?" 20 60 2 \
07:     --yes-button Enable --no-button Disable
08:   RET=$?
09:   if [ $RET -eq 0 ]; then
10:     update-rc.d ssh enable &&
11:     update-rc.d ssh start &&
12:     whiptail --msgbox "SSH server enabled" 20 60 1
13:   elif [ $RET -eq 1 ]; then
14:     update-rc.d ssh disable &&
15:     whiptail --msgbox "SSH server disabled" 20 60 1
16:   else
17:     return $RET
18:   fi
19: }

Line 3 displays the error message. Line 2 above it sets the condition for its use. Line 2 first checks to see if the file /var/log/regen_ssh_keys.log exists and then checks that no line in the file starts with the word “finished”. If the file exists and has no such line, the error is displayed and you are returned to the main raspi-config menu. In my case, the file existed and had a single line entry but it did not contain the word “finished”.

The quick and easy way to take care of the error message (in my case) would be to edit the file and add a single line saying “finished”. I did that and tested to make sure it worked and it did. However, that is only half of the best solution.

The regen_ssh_keys.log file is created during the first boot of a newly installed system and once new SSH keys are generated that process writes “finished” to the log file. In my case, I had interrupted the process during the first boot of the system. When I booted the system again I encountered the “still running” message when I went to enable SSH. When I did that, the system had not yet generated a new set of keys for SSH. I took a look in the /etc/ssh directory and found that the key files were dated back in May.

pi@raspberrypi /etc/ssh $ ls -l *key*
-rw------- 1 root root  668 May  6 18:29 ssh_host_dsa_key
-rw-r--r-- 1 root root  606 May  6 18:29 ssh_host_dsa_key.pub
-rw------- 1 root root  227 May  6 18:30 ssh_host_ecdsa_key
-rw-r--r-- 1 root root  178 May  6 18:30 ssh_host_ecdsa_key.pub
-rw------- 1 root root 1679 May  6 18:30 ssh_host_rsa_key
-rw-r--r-- 1 root root  398 May  6 18:30 ssh_host_rsa_key.pub
pi@raspberrypi /etc/ssh $ 

These are the keys that were generated when the final touches were placed on the 2015-05-05 release of Raspbian Wheezy. Since it is bad security practice to re-use SSH host keys across multiple systems, these keys need to be regenerated.

To recreate all three keys (RSA, DSA, ECDSA) at once, use the following command.

for i in rsa dsa ecdsa ; do sudo ssh-keygen -t ${i} -N "" -f /etc/ssh/ssh_host_${i}_key ; done

You will then need to restart your SSH service in order for the new keys to be read and used.

sudo service ssh restart
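
The log file and the keys can disagree, so it is worth checking the keys themselves. The script below is an added example, not part of raspi-config or of the original troubleshooting: it repeats the line 2 test and separately lists host keys older than an install date. The function names and the install date argument are assumptions made for this example.

```shell
#!/bin/sh
# Added example: check host key freshness independently of the log file.

# Same test as line 2 of do_ssh(): prints absent, incomplete or finished.
regen_state() {
  if [ ! -e "$1" ]; then
    echo absent
  elif grep -q '^finished' "$1"; then
    echo finished
  else
    echo incomplete
  fi
}

# Print private host keys in $1 last modified at or before time $2.
# $2 uses the touch -t format CCYYMMDDhhmm and is supplied by the operator
# (assumption: it is the date this system was first booted).
keys_older_than() {
  ref=$(mktemp) || return 2
  touch -t "$2" "$ref"
  find "$1" -type f -name 'ssh_host_*_key' ! -newer "$ref" | sort
  rm -f "$ref"
}

# Returns 1 if any host key predates the install date, 0 otherwise.
# The log state is reported but not trusted: a hand-added "finished"
# line silences raspi-config without replacing the image's keys.
audit_host_keys() {
  keydir=$1 log=$2 installed=$3
  echo "regeneration log: $(regen_state "$log")"
  stale=$(keys_older_than "$keydir" "$installed")
  if [ -n "$stale" ]; then
    echo "host keys older than install date:"
    echo "$stale"
    return 1
  fi
  echo "all host keys are newer than the install date"
}

# On a live system (paths from the post; the date is a constructed sample):
#   audit_host_keys /etc/ssh /var/log/regen_ssh_keys.log 201507010000
```

Run it before and after regenerating the keys: it should list the image's keys the first time and report nothing stale the second time.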

If this post has been helpful to you, please leave a comment below.

Keith
