IBM Support

QRadar: sshd service fails with the error "Permissions 0604 for '/etc/ssh/ssh_host_xxxx_key' are too open"

Troubleshooting


Problem

The sshd service fails to start, and the following error is logged:
"Permissions 0604 for '/etc/ssh/ssh_host_xxxx_key' are too open"
This technote explains how to diagnose and resolve the sshd issue.

Cause

SSH connections to the affected host (typically the console) fail because sshd refuses to load its host private keys. The files carry mode 0604, which lets users other than the owner read them; OpenSSH requires that private key files have no group or other permission bits set and be owned by root. Because every host key is rejected, sshd has no host key to present and exits.

Diagnosing The Problem

When this error occurs, the sshd service is not in a running state: each start attempt fails, and systemd keeps scheduling a restart that fails the same way.

Verify the status of the sshd service by running the following command:

systemctl status sshd

Sample output

[root@xxxx.xxx.xxx ~]# systemctl status sshd
● sshd.service - OpenSSH server daemon
   Loaded: loaded (/usr/lib/systemd/system/sshd.service; enabled; vendor preset: enabled)
   Active: activating (auto-restart) (Result: exit-code) since Thu 2023-06-08 02:12:33 EDT; 25s ago
     Docs: man:sshd(8)
           man:sshd_config(5)
  Process: 9954 ExecStart=/usr/sbin/sshd -D $OPTIONS (code=exited, status=1/FAILURE)
 Main PID: 9954 (code=exited, status=1/FAILURE)

x.x.x sshd[9954]: @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
x.x.x sshd[9954]: Permissions 0604 for '/etc/ssh/ssh_host_ed25519_key' are too open.
x.x.x sshd[9954]: It is required that your private key files are NOT accessible by others.
x.x.x sshd[9954]: This private key will be ignored.
x.x.x sshd[9954]: key_load_private: bad permissions
x.x.x sshd[9954]: Could not load host key: /etc/ssh/ssh_host_ed25519_key
x.x.x sshd[9954]: sshd: no hostkeys available -- exiting.
x.x.x systemd[1]: Failed to start OpenSSH server daemon.
x.x.x systemd[1]: Unit sshd.service entered failed state.
x.x.x systemd[1]: sshd.service failed.

The journal shows the same error for each of the three host private keys:

  • /etc/ssh/ssh_host_rsa_key
  • /etc/ssh/ssh_host_ecdsa_key
  • /etc/ssh/ssh_host_ed25519_key

Check the journal by running the following command:

journalctl -u sshd

Sample output
x.x.x systemd[1]: sshd.service failed.
x.x.x systemd[1]: sshd.service holdoff time over, scheduling restart.
x.x.x systemd[1]: Stopped OpenSSH server daemon.
x.x.x systemd[1]: Starting OpenSSH server daemon...
x.x.x sshd[743]: @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
x.x.x sshd[743]: @         WARNING: UNPROTECTED PRIVATE KEY FILE!          @
x.x.x sshd[743]: @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
x.x.x sshd[743]: Permissions 0604 for '/etc/ssh/ssh_host_rsa_key' are too open.
x.x.x sshd[743]: It is required that your private key files are NOT accessible by others.
x.x.x sshd[743]: This private key will be ignored.
x.x.x sshd[743]: key_load_private: bad permissions
x.x.x systemd[1]: sshd.service: main process exited, code=exited, status=1/FAILURE
x.x.x sshd[743]: Could not load host key: /etc/ssh/ssh_host_rsa_key
x.x.x sshd[743]: @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
x.x.x sshd[743]: @         WARNING: UNPROTECTED PRIVATE KEY FILE!          @
x.x.x sshd[743]: @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
x.x.x sshd[743]: Permissions 0604 for '/etc/ssh/ssh_host_ecdsa_key' are too open.
x.x.x sshd[743]: It is required that your private key files are NOT accessible by others.
x.x.x sshd[743]: This private key will be ignored.
x.x.x sshd[743]: key_load_private: bad permissions
x.x.x sshd[743]: Could not load host key: /etc/ssh/ssh_host_ecdsa_key
x.x.x sshd[743]: @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
x.x.x sshd[743]: @         WARNING: UNPROTECTED PRIVATE KEY FILE!          @
x.x.x sshd[743]: @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
x.x.x sshd[743]: Permissions 0604 for '/etc/ssh/ssh_host_ed25519_key' are too open.
x.x.x sshd[743]: It is required that your private key files are NOT accessible by others.
x.x.x sshd[743]: This private key will be ignored.
x.x.x sshd[743]: key_load_private: bad permissions
x.x.x sshd[743]: Could not load host key: /etc/ssh/ssh_host_ed25519_key
x.x.x sshd[743]: sshd: no hostkeys available -- exiting.
x.x.x systemd[1]: Failed to start OpenSSH server daemon.
x.x.x systemd[1]: Unit sshd.service entered failed state.
x.x.x systemd[1]: sshd.service failed.

Resolving The Problem

To resolve the "are too open" error, set permissions on the host private key files that grant no access to group or other users, and make sure the files are owned by root:root.

Procedure

  1. Log in to the QRadar console as the root user.
  2. Assign the required permissions to the three host private key files. Either of the following settings satisfies sshd, which rejects a key whenever any group or other permission bit is set.
  • Make the keys readable and writable only by root (mode 0600), the standard setting for OpenSSH host keys:
    chmod 600 /etc/ssh/ssh_host_ed25519_key
    chmod 600 /etc/ssh/ssh_host_ecdsa_key
    chmod 600 /etc/ssh/ssh_host_rsa_key
  • Alternatively, make the keys readable only by root (mode 0400):
    chmod 400 /etc/ssh/ssh_host_ed25519_key
    chmod 400 /etc/ssh/ssh_host_ecdsa_key
    chmod 400 /etc/ssh/ssh_host_rsa_key
    Note: Mode 0400 also removes root's write access to the files; the mode must be changed again before the keys can be rewritten.
  3. Confirm that each file is owned by root:root. If it is not, correct the ownership before restarting the service.
     
Result
After the permissions are corrected, the next scheduled restart of sshd succeeds and the error no longer appears. Confirm with the systemctl status sshd command shown in the Diagnosing section, which must report the service as active (running).
Note: The warning means the private keys were readable by every local account while the mode was 0604. If untrusted users have local access to the host, treat the host keys as potentially exposed and consider regenerating them.
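The following script is an added example and is not part of the IBM technote. It applies the same test sshd uses (any group or other permission bit set, that is mode & 0077 != 0, makes a private key "too open") to every ssh_host_*_key file, reports the result for the Diagnosing step, and tightens only the offending files to 0600 for the Resolving step. It assumes bash and GNU coreutils stat (as on a RHEL-based QRadar console); the directory and expected owner uid are parameters so the functions can also be exercised on a scratch directory without root.

```shell
#!/bin/bash
# Added example (not from the IBM technote): audit and repair the permissions of
# OpenSSH host private keys the way sshd evaluates them. Assumes bash and GNU
# coreutils `stat -c`; KEY DIR and expected owner uid are parameters so the
# functions can be run against a scratch directory by a non-root user.

# sshd rejects a private key when any group/other permission bit is set,
# i.e. (mode & 0077) != 0. 0600 and 0400 pass; 0604 (world-readable) fails.
key_mode_too_open() {
    local key="$1" mode
    mode=$(stat -c '%a' "$key") || return 2
    [ $(( 8#$mode & 8#077 )) -ne 0 ]
}

# sshd runs as root, so host keys must be owned by uid 0 (root:root).
# The uid is a parameter (default 0) so tests can pass the current user.
key_owner_is() {
    local key="$1" want="${2:-0}"
    [ "$(stat -c '%u' "$key")" = "$want" ]
}

# Report every ssh_host_*_key in DIR; exit status 1 if sshd would ignore any key.
audit_host_keys() {
    local dir="$1" want_uid="${2:-0}" key bad=0
    for key in "$dir"/ssh_host_*_key; do
        [ -e "$key" ] || continue
        if key_mode_too_open "$key"; then
            printf 'TOO OPEN  mode=%s %s\n' "$(stat -c '%a' "$key")" "$key"
            bad=$((bad + 1))
        elif ! key_owner_is "$key" "$want_uid"; then
            printf 'BAD OWNER uid=%s %s\n' "$(stat -c '%u' "$key")" "$key"
            bad=$((bad + 1))
        else
            printf 'OK        mode=%s %s\n' "$(stat -c '%a' "$key")" "$key"
        fi
    done
    [ "$bad" -eq 0 ]
}

# Tighten only the keys that fail the mode check. 0600 is used rather than 0400
# so root can still replace the keys later without a further chmod.
fix_host_keys() {
    local dir="$1" key
    for key in "$dir"/ssh_host_*_key; do
        [ -e "$key" ] || continue
        if key_mode_too_open "$key"; then
            chmod 600 "$key" && printf 'fixed %s -> 0600\n' "$key"
        fi
    done
}

# Usage on the console as root:  ./hostkey-perms.sh audit   |   ./hostkey-perms.sh fix
# With no argument nothing runs, so the functions can be sourced or tested.
case "${1:-}" in
    audit) audit_host_keys /etc/ssh ;;
    fix)   fix_host_keys /etc/ssh && audit_host_keys /etc/ssh \
               && systemctl restart sshd && systemctl status sshd ;;
esac
```

The fix mode deliberately does not change ownership: a key owned by a user other than root is reported as BAD OWNER and should be corrected by hand (chown root:root) so that an unexpected owner is looked at rather than silently overwritten.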

Document Location

Worldwide


Document Information

Modified date:
25 October 2023

UID

ibm17001783