75

I cloned a server and so they have the same RSA key fingerprint.

It seems to be defined in /etc/ssh/ssh_host_rsa_key.pub.

What is the correct way to change that?

Thanks.


84

Or, remove keys and

ssh-keygen -A

Explanation:

-A: For each of the key types (rsa1, rsa, dsa, ecdsa and ed25519) for which host keys do not exist, generate the host keys with the default key file path, an empty passphrase, default bits for the key type, and default comment. This is used by /etc/rc to generate new host keys.

3
  • The OP's tags specify debian, but being non platform specific, this answer seems like the better solution.
    – mc0e
    Commented Oct 31, 2014 at 14:00
  • Hmm, except it doesn't seem to work for older versions. E.g. it fails on debian squeeze, which has OpenSSH_5.5p1
    – mc0e
    Commented Oct 31, 2014 at 14:39
  • 1
    For your information (from manpagez.com/man/1/ssh-keygen) ssh-keygen -A does the following: "For each of the key types (rsa1, rsa, dsa, ecdsa and ed25519) for which host keys do not exist, generate the host keys with the default key file path, an empty passphrase, default bits for the key type, and default comment. This is used by /etc/rc to generate new host keys." Commented Feb 10, 2015 at 20:42
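The question is really about fingerprints: two clones are "the same host" to SSH clients because the digest of their host key blobs is identical. The following is an added example, not code from the answers above, that recomputes what `ssh-keygen -lf /etc/ssh/ssh_host_ed25519_key.pub` prints (the "SHA256:..." part, or the colon-separated MD5 form with `-E md5`) from the one-line .pub format, so you can compare keys collected from several machines offline and spot the clones before and after running ssh-keygen -A. The sample keys are constructed from fixed bytes; the hostnames are placeholders.

```python
"""Compute OpenSSH-style host key fingerprints and spot cloned hosts.

Added example (not from the original Q&A). Reimplements the fingerprint
that `ssh-keygen -lf <file>.pub` prints so that .pub files gathered from
many hosts can be compared offline. Sample keys below are constructed.
"""
import base64
import hashlib
import struct
from typing import Dict, List


def build_ed25519_pubkey_line(raw32: bytes, comment: str = "root@host") -> str:
    """Encode a 32-byte Ed25519 public key in OpenSSH one-line .pub format.

    Wire format (RFC 8709): string "ssh-ed25519", string <32 key bytes>.
    Only used here to construct sample input; real keys come from ssh-keygen.
    """
    if len(raw32) != 32:
        raise ValueError("Ed25519 public keys are 32 bytes")

    def ssh_string(b: bytes) -> bytes:
        return struct.pack(">I", len(b)) + b

    blob = ssh_string(b"ssh-ed25519") + ssh_string(raw32)
    return f"ssh-ed25519 {base64.b64encode(blob).decode()} {comment}"


def fingerprint(pubkey_line: str, algo: str = "sha256") -> str:
    """Return the fingerprint of one line of an OpenSSH .pub file.

    The fingerprint is a digest of the raw key blob (the base64 second
    field); the key type and comment fields do not take part. OpenSSH
    prints SHA256 as unpadded base64 ("SHA256:...") and MD5 as hex pairs.
    """
    fields = pubkey_line.split()
    if len(fields) < 2:
        raise ValueError("not a public key line")
    blob = base64.b64decode(fields[1])
    if algo == "sha256":
        digest = hashlib.sha256(blob).digest()
        return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")
    if algo == "md5":
        return "MD5:" + ":".join(f"{b:02x}" for b in hashlib.md5(blob).digest())
    raise ValueError("unsupported fingerprint hash")


def find_duplicate_fingerprints(hosts: Dict[str, str]) -> Dict[str, List[str]]:
    """Map each fingerprint seen on more than one host to the hosts sharing it."""
    seen: Dict[str, List[str]] = {}
    for host, line in hosts.items():
        seen.setdefault(fingerprint(line), []).append(host)
    return {fp: names for fp, names in seen.items() if len(names) > 1}


# Constructed sample: web-2 was cloned from the same image as web-1, so it
# carries the template's host key; db-1 got its own key.
TEMPLATE_KEY = bytes(range(32))
FRESH_KEY = bytes(range(32, 64))
SAMPLE_HOSTS = {
    "web-1": build_ed25519_pubkey_line(TEMPLATE_KEY, "root@template"),
    "web-2": build_ed25519_pubkey_line(TEMPLATE_KEY, "root@template"),
    "db-1": build_ed25519_pubkey_line(FRESH_KEY, "root@db-1"),
}

if __name__ == "__main__":
    for host, line in SAMPLE_HOSTS.items():
        print(f"{host:6} {fingerprint(line)}")
    for fp, names in find_duplicate_fingerprints(SAMPLE_HOSTS).items():
        print(f"DUPLICATE {fp} shared by {', '.join(names)}: regenerate on all but one")
```

On a real fleet, feed the dict with the contents of each host's /etc/ssh/ssh_host_*.pub (for example collected with `cat` over SSH) and rotate every host that shows up in the duplicate list; the comment field is ignored, so a clone that only had its hostname changed still shows up.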
57

Follow these steps to regenerate OpenSSH Host Keys

  1. Delete old ssh host keys: rm /etc/ssh/ssh_host_*
  2. Reconfigure OpenSSH Server: dpkg-reconfigure openssh-server
  3. Update all ssh client(s) ~/.ssh/known_hosts files

Reference

0
34

For a generic method of doing this:

ssh-keygen -q -N "" -t dsa -f /etc/ssh/ssh_host_dsa_key

ssh-keygen -q -N "" -t rsa -b 4096 -f /etc/ssh/ssh_host_rsa_key

ssh-keygen -q -N "" -t ecdsa -f /etc/ssh/ssh_host_ecdsa_key

ssh-keygen -q -N "" -t ed25519 -f /etc/ssh/ssh_host_ed25519_key

Mix and match according to the keys your version of OpenSSH supports. Current implementations commonly generate only rsa, ecdsa & ed25519.

Do note that the -b argument can be used in (most) cases to specify key size.

You should pick a key-size appropriate for the intended lifetime of the key and the amount of time you find acceptable to open a connection as the impact will be more pronounced on slower hardware. For example, using the default RSA key size (2048 at the time of writing) is absolutely fine (again, as of the time of writing) if you're rolling the key over periodically.

5
  • 1
    I think one way to improve this question would be to add the way to increase the number of bits. i.e. ssh-keygen -q -N "" -t rsa -b 4096 -f /etc/ssh/ssh_host_rsa_key
    – Whitecat
    Commented Apr 7, 2016 at 17:18
  • ecdsa default is 256. Use ssh-keygen -q -N "" -t ecdsa -b 521 -f /etc/ssh/ssh_host_ecdsa_key to get the biggest key. Yes 521 not 512.
    – user136036
    Commented Mar 14, 2020 at 22:17
  • I've updated the answer. Using larger keys is not free. You are usually better off rolling keys over periodically rather than simply picking the largest size possible and paying the computation costs since even a 2048-bit RSA key is best attacked by trying to obtain it rather than trying to factorise it.
    – Olipro
    Commented Jan 14, 2021 at 9:25
  • Best answer for repairing remote server like centos 6x via anaconda
    – ParTYZane
    Commented Apr 14, 2021 at 14:14
  • This has worked for me for centos 7 vm. Commented Nov 29, 2023 at 18:18
6

If you are using RHEL, CentOS or Fedora, then you can simply delete them and restart the SSHd service. They will be regenerated.

7
  • 3
    No, it doesn't work.
    /etc/init.d/ssh restart
    Could not load host key: /etc/ssh/ssh_host_rsa_key
    Could not load host key: /etc/ssh/ssh_host_dsa_key
    [....] Restarting OpenBSD Secure Shell server: sshdCould not load host key: /etc/ssh/ssh_host_rsa_key
    Could not load host key: /etc/ssh/ssh_host_dsa_key
    Commented Jan 22, 2013 at 10:34
  • 1
    Indeed. Only works on RHEL based distribs. Sorry Commented Jan 22, 2013 at 10:45
  • Good advice, thanks. It worked for me on CentOS installation. Commented Apr 25, 2016 at 20:17
  • Definitely works on Fedora Commented Aug 12, 2016 at 8:46
  • FYI, this approach works on Alpine Linux v 3.13.2 What I did was rm /etc/ssh/ssh_host_* then reboot. I bet you could just bounce the ssh service, but I didn't try that.
    – Granger
    Commented Feb 24, 2021 at 23:12
4

Debian 10.7 user here. Mixing the two best answers was the cleanest way to solve the problem:

(As root, or sudo it yourself)

  • server A.B.C.D : Moving old keys to a "backup" folder

    mkdir -p ~/ssh_backup && mv /etc/ssh/ssh_host_* ~/ssh_backup/.

  • server A.B.C.D : Generate new keys:

    ssh-keygen -A

  • CLIENT SIDE : forget about the previous key for server A.B.C.D

    ssh-keygen -R A.B.C.D

Here you go, the fresh ssh keys can be used.

1
  • Also works on Arch
    – Jesse
    Commented Jul 29, 2022 at 1:49
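The client-side step above (`ssh-keygen -R A.B.C.D`) is the one people forget, and it is less obvious than it looks once `HashKnownHosts yes` is in effect, because the hostname is then stored as `|1|salt|HMAC-SHA1(salt, host)` and cannot be found with grep. The following is an added example, not part of this answer, that implements the same removal in Python for both the plain and the hashed entry forms, keeping a `.old` copy the way ssh-keygen -R does. The known_hosts content is constructed: 192.0.2.10 stands in for the answer's A.B.C.D, and the key blobs are placeholders, not valid keys.

```python
"""Drop a host's stale entries from known_hosts (what `ssh-keygen -R` does).

Added example, not from the original answers. Handles the plain
"host,ip key" form and the hashed "|1|salt|hash" form written when
HashKnownHosts is on (HMAC-SHA1 over the host string, keyed with the
salt). The known_hosts text and key blobs below are constructed.
"""
import base64
import binascii
import hashlib
import hmac
import os
from typing import List, Tuple

HASH_MAGIC = "|1|"


def hash_hostname(host: str, salt: bytes) -> str:
    """Return the '|1|<salt>|<hash>' token OpenSSH stores for `host`."""
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return f"{HASH_MAGIC}{base64.b64encode(salt).decode()}|{base64.b64encode(mac).decode()}"


def hostnames_match(field: str, host: str) -> bool:
    """True if the host field of a known_hosts line names `host` (plain or hashed)."""
    if field.startswith(HASH_MAGIC):
        try:
            _, _, salt_b64, _ = field.split("|")
            salt = base64.b64decode(salt_b64)
        except (ValueError, binascii.Error):
            return False
        return hmac.compare_digest(hash_hostname(host, salt), field)
    # plain entries may list several names: "web-1,192.0.2.10" or "[host]:2222"
    return host in field.split(",")


def remove_host(known_hosts: str, host: str) -> Tuple[str, int]:
    """Return (new_contents, removed_count) with every entry for `host` dropped."""
    kept: List[str] = []
    removed = 0
    for line in known_hosts.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            kept.append(line)
            continue
        fields = stripped.split()
        # "@cert-authority host key" / "@revoked host key" carry a marker first
        host_field = fields[1] if fields[0].startswith("@") and len(fields) > 1 else fields[0]
        if hostnames_match(host_field, host):
            removed += 1
        else:
            kept.append(line)
    trailer = "\n" if known_hosts.endswith("\n") else ""
    return "\n".join(kept) + trailer, removed


def remove_host_from_file(path: str, host: str) -> int:
    """Rewrite `path` in place, keeping `path`.old like ssh-keygen -R does."""
    with open(path) as fh:
        text = fh.read()
    new_text, removed = remove_host(text, host)
    if removed:
        os.replace(path, path + ".old")
        with open(path, "w") as fh:
            fh.write(new_text)
    return removed


# Constructed sample known_hosts; 192.0.2.10 plays the role of A.B.C.D.
SALT = bytes(range(20))
OLD_KEY = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOLDCLONEDKEYPLACEHOLDER000000000000"
OTHER_KEY = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOTHERHOSTKEYPLACEHOLDER00000000000"
SAMPLE_KNOWN_HOSTS = "\n".join([
    "# hosts we trust",
    f"{hash_hostname('192.0.2.10', SALT)} {OLD_KEY}",   # HashKnownHosts yes
    f"web-1,192.0.2.10 {OLD_KEY}",                      # plain entry, two names
    f"[192.0.2.10]:2222 {OLD_KEY}",                     # non-default port
    f"db-1,192.0.2.20 {OTHER_KEY}",
]) + "\n"

if __name__ == "__main__":
    new_text, n = remove_host(SAMPLE_KNOWN_HOSTS, "192.0.2.10")
    print(f"removed {n} entries for 192.0.2.10; remaining:\n{new_text}")
```

Note the port edge case: an entry stored as `[192.0.2.10]:2222` is a different host string, so neither this code nor `ssh-keygen -R 192.0.2.10` touches it; you have to pass `'[192.0.2.10]:2222'` as the host, exactly as ssh wrote it.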
1

On AWS Linux & thus likely other Red Hat derivatives, the results from restarting sshd and using ssh-keygen -A are not the same.

You get different keys and different group ownership. Restarting sshd with the keys deleted gives the same outcome as the initial installation.

Initial conditions:

ls -l /etc/ssh/ssh_host_*   
-rw-r-----. 1 root ssh_keys  227 Dec  7  2017 /etc/ssh/ssh_host_ecdsa_key
-rw-r--r--. 1 root root      162 Dec  7  2017 /etc/ssh/ssh_host_ecdsa_key.pub
-rw-r-----. 1 root ssh_keys  387 Dec  7  2017 /etc/ssh/ssh_host_ed25519_key
-rw-r--r--. 1 root root       82 Dec  7  2017 /etc/ssh/ssh_host_ed25519_key.pub
-rw-r-----. 1 root ssh_keys 1679 Dec  7  2017 /etc/ssh/ssh_host_rsa_key
-rw-r--r--. 1 root root      382 Dec  7  2017 /etc/ssh/ssh_host_rsa_key.pub

Use ssh-keygen -A to create the host keys:

rm /etc/ssh/ssh_host_*
ssh-keygen -A

-rw-------. 1 root root  668 Oct 25 13:30 /etc/ssh/ssh_host_dsa_key
-rw-r--r--. 1 root root  628 Oct 25 13:30 /etc/ssh/ssh_host_dsa_key.pub
-rw-------. 1 root root  227 Oct 25 13:30 /etc/ssh/ssh_host_ecdsa_key
-rw-r--r--. 1 root root  200 Oct 25 13:30 /etc/ssh/ssh_host_ecdsa_key.pub
-rw-------. 1 root root  444 Oct 25 13:30 /etc/ssh/ssh_host_ed25519_key
-rw-r--r--. 1 root root  120 Oct 25 13:30 /etc/ssh/ssh_host_ed25519_key.pub
-rw-------. 1 root root 1003 Oct 25 13:30 /etc/ssh/ssh_host_key
-rw-r--r--. 1 root root  668 Oct 25 13:30 /etc/ssh/ssh_host_key.pub
-rw-------. 1 root root 1679 Oct 25 13:30 /etc/ssh/ssh_host_rsa_key
-rw-r--r--. 1 root root  420 Oct 25 13:30 /etc/ssh/ssh_host_rsa_key.pub

Let sshd generate the missing host keys:

rm /etc/ssh/ssh_host_*
systemctl restart sshd

-rw-r-----. 1 root ssh_keys  227 Oct 25 13:31 /etc/ssh/ssh_host_ecdsa_key
-rw-r--r--. 1 root root      162 Oct 25 13:31 /etc/ssh/ssh_host_ecdsa_key.pub
-rw-r-----. 1 root ssh_keys  387 Oct 25 13:31 /etc/ssh/ssh_host_ed25519_key
-rw-r--r--. 1 root root       82 Oct 25 13:31 /etc/ssh/ssh_host_ed25519_key.pub
-rw-r-----. 1 root ssh_keys 1675 Oct 25 13:31 /etc/ssh/ssh_host_rsa_key
-rw-r--r--. 1 root root      382 Oct 25 13:31 /etc/ssh/ssh_host_rsa_key.pub
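The two listings show the two layouts you will meet on a Red Hat-family box: package-style keys at 0640 with group ssh_keys, and ssh-keygen -A output at 0600 root:root. Whichever you end up with, what matters is that no private key is readable by anyone else and that each private key still has its .pub next to it. The following is an added example, not part of this answer, that audits a directory for exactly those conditions; it builds a throwaway lookalike of /etc/ssh with tempfile (placeholder files, not real keys) so it can be run without root, and `audit_host_keys("/etc/ssh")` is the call for a real machine.

```python
"""Audit host key files under an /etc/ssh-style directory.

Added example, not part of the original answer. Accepts the two layouts
seen in the listings: 0640 with group ssh_keys (package install) and
0600 root:root (ssh-keygen -A), and reports world-readable private keys,
odd modes, an unexpected owner, and private keys with no .pub beside
them. The sample directory is constructed with placeholder files.
"""
import glob
import grp
import os
import stat
import tempfile
from typing import List

KEY_READER_GROUPS = ("ssh_keys",)   # group RHEL-family packages use for 0640 keys


def group_name(gid: int) -> str:
    """Resolve a gid to a name, falling back to the number inside containers."""
    try:
        return grp.getgrgid(gid).gr_name
    except KeyError:
        return str(gid)


def audit_host_keys(ssh_dir: str, owner_uid: int = 0) -> List[str]:
    """Return human-readable findings; an empty list means the keys look sane."""
    findings: List[str] = []
    private_keys = sorted(glob.glob(os.path.join(ssh_dir, "ssh_host_*_key")))
    if not private_keys:
        findings.append(f"{ssh_dir}: no host keys at all (sshd exits with 'no hostkeys available')")
    for path in private_keys:
        st = os.stat(path)
        mode = stat.S_IMODE(st.st_mode)
        if mode & 0o007:
            findings.append(f"{path}: world-accessible private key (mode {mode:04o})")
        elif mode == 0o640:
            gname = group_name(st.st_gid)
            if gname not in KEY_READER_GROUPS:
                findings.append(f"{path}: mode 0640 but group is {gname!r}, not ssh_keys")
        elif mode != 0o600:
            findings.append(f"{path}: unexpected mode {mode:04o} (want 0600 or 0640)")
        if st.st_uid != owner_uid:
            findings.append(f"{path}: owned by uid {st.st_uid}, expected {owner_uid}")
        pub = path + ".pub"
        if not os.path.exists(pub):
            findings.append(f"{pub}: missing (ssh-keygen -y -f {path} can rebuild it)")
        elif stat.S_IMODE(os.stat(pub).st_mode) != 0o644:
            findings.append(f"{pub}: public key should be 0644")
    return findings


def make_sample_dir() -> str:
    """Construct a throwaway /etc/ssh lookalike: one good pair and two bad cases."""
    d = tempfile.mkdtemp(prefix="ssh_audit_")

    def write(name: str, mode: int) -> None:
        p = os.path.join(d, name)
        with open(p, "wb") as fh:
            fh.write(b"placeholder, not a real key\n")   # constructed content
        os.chmod(p, mode)

    write("ssh_host_ed25519_key", 0o600)        # ssh-keygen -A style, fine
    write("ssh_host_ed25519_key.pub", 0o644)
    write("ssh_host_rsa_key", 0o644)            # private key readable by everyone
    write("ssh_host_rsa_key.pub", 0o644)
    write("ssh_host_ecdsa_key", 0o600)          # .pub never written
    return d


def audit_sample() -> List[str]:
    """Run the audit on the constructed directory as the current (non-root) user."""
    return audit_host_keys(make_sample_dir(), owner_uid=os.getuid())


if __name__ == "__main__":
    for finding in audit_sample() or ["OK: host keys look sane"]:
        print(finding)
```

Run it once after regenerating keys and again after any package upgrade; a fresh ssh-keygen -A run on a box that previously had the ssh_keys group layout is exactly the mismatch the listings above show, and the script tells you which file changed.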
1

Script (in case restarting the sshd daemon does not automatically regenerate the keys)

#!/bin/bash

# Regenerate SSHD key materials, restart sshd if "-r" passed on command line

set -o nounset

WHERE=/etc/ssh

# go to directory

if ! pushd "$WHERE" >/dev/null; then
   echo "Could not cd to $WHERE -- exiting" >&2
   exit 1
fi

# create backup folder

NOW=$(date '+%Y%m%d.%H%M%S') # default NOW string
BAKDIR=bak_$NOW

if ! mkdir "$BAKDIR"; then
   echo "Could not mkdir $BAKDIR -- exiting" >&2
   exit 1
fi

# move existing key material to backup folder

if ! mv ssh_host_* "$BAKDIR"; then
   echo "Could not move old files to $BAKDIR -- exiting" >&2
   exit 1
fi

# generate new keys

if ! ssh-keygen -A; then
   echo "Could not recreate keys -- exiting" >&2
   exit 1
fi

# ssh-keygen may create DSA keys but:
# "Never use DSA or ECDSA"
# https://security.stackexchange.com/a/46781/25661

/bin/rm -f *_dsa_key *_dsa_key.pub
/bin/rm -f *_ecdsa_key *_ecdsa_key.pub

# on Fedora, one has to tune permissions a bit
# (chgrp only where the ssh_keys group actually exists)

chmod 640 *_key
if getent group ssh_keys >/dev/null; then
   chgrp ssh_keys *_key
fi

# make sure SELinux attributes are as they should be
# (skipped on systems without restorecon)

if command -v restorecon >/dev/null; then
   restorecon -R "$WHERE"
fi

# Done

echo "New key material"
ls -l *_key *_key.pub

# Do the risky thing
# ("${1:-}" rather than "$1": with nounset set, a bare $1 aborts the script
# when no argument is given)

if [[ "${1:-}" == '-r' ]]; then
   echo "Restarting SSH daemon"
   systemctl restart sshd
fi

# go back to where you were

popd >/dev/null
0
0

I highly recommend using shred (or gshred on macOS/brew install coreutils).

sudo shred -u /etc/ssh/*_key /etc/ssh/*_key.pub
1
  • If you plan on replacing the host-keys using shred to safely delete the old keys is unnecessary. Only keys you don't intend to replace but only remove should be treated this way.
    – Andreas
    Commented Oct 16 at 11:29
