can't start sshd. Error is "Generating SSH1 RSA host key [FAILED]

ryannlinux · 03-19-2009, 02:39 AM

fedora 10:

I can't start sshd, any ideas guys?

$service sshd start
Generating SSH1 RSA Host key [FAILED]

no instance of sshd is running yet. Thanks.

unSpawn · 03-19-2009, 04:13 AM

Do your system logs hold any information? If not, does checking /etc/init.d/sshd and running startup commands manually from the CLI show any info?

linuxlover.chaitanya · 03-19-2009, 05:12 AM

I guess the services are to be started as root on root as on RH. The $ says you are not.

unSpawn · 03-19-2009, 04:29 PM

Quote:

Originally Posted by linuxlover.chaitanya

The $ says you are not.

Missed that. Good one!

ryannlinux · 03-20-2009, 12:34 AM

Thanks. I tried as root but got the same result. Checking /var/log/messages showed below:

SELinux is prventing ssh-keygen (ssh_keygen_t) "read" to libgssapi_krb5.so.2

Not really sure how to control SELinux from CLI

ryannlinux · 03-20-2009, 12:42 AM

I gave this option a try and it worked

as root:
#setenforce Permissive
#/etc/init.d/sshd start
Generating SSH1 RSA host key: [OK]
Generating SSH2 RSA host key: [OK]
Generating SSH3 RSA host key: [OK]
#setenforce Enforcing -> switched SELinux back to enforcing

Pros and cons to this approach? Thanks.

linuxlover.chaitanya · 03-20-2009, 12:57 AM

SELinux is a another thing that is used to enhance the security of system. By default it will operate in enforced mode so that it is active and will not allow certain or all services.
You can either turn it off completely by editing the file /etc/selinux/config file.

jschiwal · 03-20-2009, 01:11 AM

Or you can copy the selinux audit (open up the alert on the desktop & highlight & copy the audit info at the bottom), save it to a file (e.g. cat >sshpol, then press CTRL-v to paste it & CTRL-D) and then run:

audit2allow -M sshpol
sudo semodule -i sshpol.pp

Here is a good blog about it:
http://danwalsh.livejournal.com/24750.html

Did any one else note the ironic humor in suggesting disabling selinux protection to run the secure shell server?

unSpawn · 03-20-2009, 03:15 AM

Quote:

Originally Posted by linuxlover.chaitanya

You can either turn it off completely by editing the file /etc/selinux/config file.

Not only is the sentence wonky, the advice is bad. First work on fixing things before you decide to "just drop" a layer of security. If you don't know how either read up on it (search LQ) or please refrain from telling people to "just disable" it.

linuxlover.chaitanya · 03-20-2009, 03:42 AM

No I am not telling him to do that. Just something that can be done. That does not mean that it should be done. That sentence has really got misinterpreted badly. The advice was not to disable the selinux. It was an information that it could be done if OP ever needs to do that not only for this case but in future if he need to for something else where server or the system could not be too prone to attacks due to either firewalls or for the reason that it is not connected to outer world.
Please do not misread it and if it reads like that then it does not mean what it looks like.