SSH login fails with "debug1: SSH2_MSG_KEXINIT sent" and "Connection closed by XX"

I was playing around with my apache settings yesterday, and decided to ditch what I had and check out what was in master in etckeeper with etckeeper vcs checkout HEAD.
After that, I couldn’t log in to my server again with ssh:
debug3: load_hostkeys: loaded 1 keys
debug3: order_hostkeyalgs: prefer hostkeyalgs: ssh-rsa-cert-v01@openssh.com,ssh-rsa-cert-v00@openssh.com,ssh-rsa
debug1: SSH2_MSG_KEXINIT sent
Connection closed by IP-ADDRESS

I thought it was strange.
After getting the logwatch mail, I got these error messages in the log:
error: key_load_private: bad permissions : 58 time(s)
error: Could not load host key: /etc/ssh/ssh_host_rsa_key : 29 time(s)
error: Permissions 0644 for '/etc/ssh/ssh_host_dsa_key' are too open. : 29 time(s)
error: It is recommended that your private key files are NOT accessible by others. : 58 time(s)
error: @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ : 116 time(s)
fatal: No supported key exchange algorithms [preauth] : 29 time(s)
error: This private key will be ignored. : 58 time(s)
error: Permissions 0644 for '/etc/ssh/ssh_host_rsa_key' are too open. : 29 time(s)
error: @ WARNING: UNPROTECTED PRIVATE KEY FILE! @ : 58 time(s)
error: Could not load host key: /etc/ssh/ssh_host_dsa_key : 29 time(s)

So, something had changed the permissions on /etc/ssh/ssh_host_dsa_key. First I thought: “Damn, have I been rooted now? That is just fair with my previous bad password policy”.
Then I gave it more thought, and remembered my restoring with etckeeper. I searched and found this question.
Looks like you need to run etckeeper init after checking out.
The problem now, because the server is far away from me, is to get somebody technical to connect a screen and keyboard to the computer and follow my instructions.
EDIT: etckeeper init was not enough. It didn’t restore the file permissions. I wonder how many other files have wrecked file permissions now :/
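
The log above shows sshd ignoring host keys with mode 0644, which leaves it with no usable key and produces the "No supported key exchange algorithms" failure. The script below is an added example, not part of the original post: it lists private host keys that have any group or other permission bit set and can reset them to 0600. The function names are made up for this example, and it assumes GNU find and the default ssh_host_*_key file naming.

```shell
#!/bin/sh
# Added example: audit sshd private host keys for permissions sshd rejects.
# sshd refuses to load a private host key if any group/other bit (mask 077)
# is set, as in the "Permissions 0644 ... are too open" errors above.

# list_open_host_keys [DIR]
# Print each private host key in DIR (default /etc/ssh) whose mode has any
# group or other permission bit set. The *.pub files do not match the
# pattern, and they are meant to be world-readable anyway.
list_open_host_keys() {
    dir=${1:-/etc/ssh}
    find "$dir" -maxdepth 1 -type f -name 'ssh_host_*_key' -perm /077 | sort
}

# fix_open_host_keys [DIR]
# Set mode 0600 on every key reported by list_open_host_keys.
# Ownership is not changed; the keys are expected to belong to root already.
fix_open_host_keys() {
    dir=${1:-/etc/ssh}
    list_open_host_keys "$dir" | while IFS= read -r key; do
        chmod 0600 "$key" && echo "fixed: $key"
    done
}

# Stand-alone use:
#   ./hostkey-perms.sh /etc/ssh         report only
#   ./hostkey-perms.sh /etc/ssh --fix   report, then chmod 0600
if [ "$#" -gt 0 ]; then
    list_open_host_keys "$1"
    if [ "${2:-}" = "--fix" ]; then
        fix_open_host_keys "$1"
    fi
fi
```

After fixing the modes, sshd has to be restarted so that it loads the keys again.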
