Warning: old key(s) found and disabled.

Frank Myhr fmyhr at larkmoor.net
Mon Nov 25 10:35:03 CET 2019


On 2019/11/25 02:19, Guus Sliepen wrote:
> On Sun, Nov 24, 2019 at 04:52:41PM -0500, Frank Myhr wrote:
> 
>> Well, I goofed and entered the wrong network name while trying to
>> set up keys for a new network:
>> 
>> # tincd -n existing_net -K
>> Generating 2048 bits keys:
>> ............................................+++++ p
>> ..................................................................+++++ q
>> Done.
>> Please enter a file to save private RSA key to [/etc/tinc/existing_net/rsa_key.priv]:
>> Warning: old key(s) found and disabled.
>> Please enter a file to save public RSA key to [/etc/tinc/existing_net/hosts/host_on_existing_net]: ^C
>> 
>> I realized my error when tinc warned me, thus the ^C. Now
>> /etc/tinc/existing_net/rsa_key.priv has been replaced, while 
>> /etc/tinc/existing_net/hosts/host_on_existing_net still contains
>> the old public key.
>> 
>> When tinc says it "disabled" the old key, did it in fact
>> *delete* it?
> 
> No, it did not. The old key is still in rsa_key.priv, between
> markers that say "BEGIN OLD" and "END OLD". To recover the old key,
> remove the new key (which has been placed after the old one), and
> change the words "OLD" to "RSA".
> 
>> I assume it will lose access when tinc is restarted unless I fix
>> the config.
> 
> Correct. I hope this helps!
Yes! Thank you very much, that helps a lot! tinc's behavior now makes 
good sense. I should have taken a closer look at the old key file, I 
just saw that its modification date and signature had changed, didn't 
think to actually look inside...!


>> Still, I'd prefer tincd to issue a warning and prompt for 
>> confirmation *before* it proceeds to overwrite an existing key.
> 
> It doesn't ever overwrite old keys. And it does print out a warning 
> when it disables an old key. But I can indeed add a prompt in this 
> case that asks whether to update the key files or not.
It's great that tinc doesn't overwrite old keys, thank you very much for 
explaining that. That said, having that prompt would have saved me some 
(more) gray hairs yesterday.

As it was, I finally remembered that the filesystem in question was on 
ZFS. So recovering the old key file was as easy as copying it back from 
a recent snapshot.

Of course if I manage to do this again (!) I'll simply edit the key file 
as you point out.

Thanks!
Frank
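For the manual recovery Guus describes (keep the block between the OLD markers, drop the new key appended after it, and rename OLD back to RSA), here is an added Python example; it is not part of this thread or of tinc itself. The full marker strings are assumed from the "BEGIN OLD"/"END OLD" wording above, and the key data in the sample is constructed, not real key material.

```python
import sys

# Marker lines assumed from Guus's description of how tinc disables a key in
# place; check them against your own rsa_key.priv before relying on this.
OLD_BEGIN = "-----BEGIN OLD RSA PRIVATE KEY-----"
OLD_END = "-----END OLD RSA PRIVATE KEY-----"
NEW_BEGIN = "-----BEGIN RSA PRIVATE KEY-----"
NEW_END = "-----END RSA PRIVATE KEY-----"


def _parse_blocks(text: str) -> list:
    """Split a key file into (is_old, lines) blocks; refuse unterminated ones."""
    blocks, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line in (OLD_BEGIN, NEW_BEGIN):
            current = (line == OLD_BEGIN, [line])
        elif current is not None:
            current[1].append(line)
            if line == (OLD_END if current[0] else NEW_END):
                blocks.append(current)
                current = None
    if current is not None:
        raise ValueError("unterminated key block; refusing to guess")
    return blocks


def has_disabled_key(text: str) -> bool:
    """True if the file contains at least one OLD (disabled) key block."""
    return any(is_old for is_old, _ in _parse_blocks(text))


def recover_old_key(text: str) -> str:
    """Return rsa_key.priv contents that re-activate the disabled key.

    tinc appends the new key after the old one(s), so the last OLD block is the
    key that was live before -K ran. Active (non-OLD) blocks are dropped.
    """
    old_blocks = [lines for is_old, lines in _parse_blocks(text) if is_old]
    if not old_blocks:
        raise ValueError("no OLD key block found; nothing to recover")
    body = old_blocks[-1][1:-1]
    return "\n".join([NEW_BEGIN] + body + [NEW_END]) + "\n"


# Constructed sample showing the layout only; the base64 lines are placeholders.
SAMPLE = (OLD_BEGIN + "\nOLDKEYLINE1CONSTRUCTED\nOLDKEYLINE2CONSTRUCTED\n"
          + OLD_END + "\n" + NEW_BEGIN + "\nNEWKEYLINE1CONSTRUCTED\n" + NEW_END + "\n")
EXPECTED = NEW_BEGIN + "\nOLDKEYLINE1CONSTRUCTED\nOLDKEYLINE2CONSTRUCTED\n" + NEW_END + "\n"

if __name__ == "__main__":
    # Print the recovered key so it can be reviewed before being written back.
    path = sys.argv[1] if len(sys.argv) > 1 else None
    sys.stdout.write(recover_old_key(open(path).read() if path else SAMPLE))
```

The hosts file still holds the matching public key, as Frank observed, so only rsa_key.priv needs to be restored.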