76

I cloned a server, so both now have the same RSA key fingerprint.

It seems to be defined in /etc/ssh/ssh_host_rsa_key.pub.

What is the correct way to change that?

Thanks.

8 Answers

88

Or, remove the keys and run:

ssh-keygen -A

Explanation:

-A: For each of the key types (rsa1, rsa, dsa, ecdsa and ed25519) for which host keys do not exist, generate the host keys with the default key file path, an empty passphrase, default bits for the key type, and default comment. This is used by /etc/rc to generate new host keys.

philippe
  • 2,483
57

Follow these steps to regenerate OpenSSH Host Keys

  1. Delete old ssh host keys: rm /etc/ssh/ssh_host_*
  2. Reconfigure OpenSSH Server: dpkg-reconfigure openssh-server
  3. Update all ssh client(s) ~/.ssh/known_hosts files

Reference

Harikrishnan
  • 1,419
34

For a generic method of doing this:

ssh-keygen -q -N "" -t dsa -f /etc/ssh/ssh_host_dsa_key

ssh-keygen -q -N "" -t rsa -b 4096 -f /etc/ssh/ssh_host_rsa_key

ssh-keygen -q -N "" -t ecdsa -f /etc/ssh/ssh_host_ecdsa_key

ssh-keygen -q -N "" -t ed25519 -f /etc/ssh/ssh_host_ed25519_key

mix and match according to the keys your version of OpenSSH supports. Current implementations commonly generate only rsa, ecdsa & ed25519.

Do note that the -b argument can be used in (most) cases to specify key size.

You should pick a key-size appropriate for the intended lifetime of the key and the amount of time you find acceptable to open a connection as the impact will be more pronounced on slower hardware. For example, using the default RSA key size (2048 at the time of writing) is absolutely fine (again, as of the time of writing) if you're rolling the key over periodically.

Olipro
  • 3,147
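The per-type generation above, as an added example that is not part of Olipro's answer or of OpenSSH itself: a small POSIX shell script (the function names regen_host_keys, host_key_fingerprints and no_shared_fingerprints are hypothetical) that moves the old material into a timestamped backup, regenerates only the rsa, ecdsa and ed25519 keys, tightens permissions, and then checks that none of the old fingerprints survived. It takes the key directory as an argument so it can be tried on a scratch directory before being run as root against /etc/ssh; the demo at the end uses a temporary directory.

```shell
#!/bin/sh
# Regenerate OpenSSH host keys and verify that every fingerprint changed.
# Added example, not code from the answers above; function names are hypothetical.
# Assumes OpenSSH's ssh-keygen and a directory argument, so it can be exercised
# on a scratch directory before being pointed at /etc/ssh as root.
set -eu

# Print "<pubfile> <fingerprint>" for each host public key in directory $1.
host_key_fingerprints() {
    dir=$1
    for pub in "$dir"/ssh_host_*_key.pub; do
        [ -e "$pub" ] || continue
        # ssh-keygen -lf prints "<bits> <fingerprint> <comment> (<TYPE>)"
        ssh-keygen -lf "$pub" | awk -v f="$pub" '{ print f, $2 }'
    done
}

# Move any existing ssh_host_* files in $1 into a timestamped backup directory,
# generate fresh rsa/ecdsa/ed25519 keys there, and print the backup path.
regen_host_keys() {
    dir=${1:-/etc/ssh}
    rsa_bits=${RSA_BITS:-4096}
    bak="$dir/bak_$(date +%Y%m%d.%H%M%S)"
    mkdir -p "$bak"
    # Move rather than delete: a failed run should still leave recoverable keys.
    for f in "$dir"/ssh_host_*; do
        [ -e "$f" ] || continue
        mv "$f" "$bak"/
    done
    # Only the types current OpenSSH uses; DSA is deliberately not generated.
    ssh-keygen -q -N "" -t rsa -b "$rsa_bits" -f "$dir/ssh_host_rsa_key"
    ssh-keygen -q -N "" -t ecdsa -f "$dir/ssh_host_ecdsa_key"
    ssh-keygen -q -N "" -t ed25519 -f "$dir/ssh_host_ed25519_key"
    # Private halves must not be group- or world-readable. RHEL-family systems
    # expect 0640 root:ssh_keys instead; adjust there.
    chmod 600 "$dir"/ssh_host_*_key
    chmod 644 "$dir"/ssh_host_*_key.pub
    printf '%s\n' "$bak"
}

# Succeed only if no fingerprint from the old set ($1) survives in the new set ($2).
no_shared_fingerprints() {
    shared=$({ host_key_fingerprints "$1"; host_key_fingerprints "$2"; } \
        | awk '{ print $2 }' | sort | uniq -d)
    [ -z "$shared" ]
}

# Demo on a constructed scratch directory; for real use run as root with /etc/ssh.
if command -v ssh-keygen >/dev/null 2>&1; then
    scratch=$(mktemp -d)
    regen_host_keys "$scratch" >/dev/null      # create the "old" keys
    old=$(regen_host_keys "$scratch")          # rotate them; capture the backup dir
    no_shared_fingerprints "$old" "$scratch" && echo "all host key fingerprints changed"
    host_key_fingerprints "$scratch"
    rm -rf "$scratch"
fi
```

Run it as root with regen_host_keys /etc/ssh and then restart sshd, since a running daemon keeps the keys it loaded at start. The fingerprints printed by host_key_fingerprints are what clients will see in their host-key-changed warning, so record them for out-of-band verification.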
6

If you are using RHEL, CentOS or Fedora, then you can simply delete them and restart the SSHd service. They will be regenerated.

4

Debian 10.7 user here. Mixing the two best answers was the cleanest way to solve the problem:

(As root, or sudo it yourself)

  • server A.B.C.D : Moving the old keys into a "backup" folder

    mkdir -p ~/ssh_backup && mv /etc/ssh/ssh_host_* ~/ssh_backup/.

  • server A.B.C.D : Generate new keys:

    ssh-keygen -A

  • CLIENT SIDE : forget about the previous key for server A.B.C.D

    ssh-keygen -R A.B.C.D

Here you go, the fresh ssh keys can be used.

--- Edit : one-liner to simply remove & regen the sshd keys server side

rm /etc/ssh/ssh_host_* && ssh-keygen -A
inattendu
  • 383
1

On AWS Linux, and thus likely other Red Hat derivatives, the results of restarting sshd and of using ssh-keygen -A are not the same.

You get different keys and different group ownership. Restarting sshd with the keys deleted gives the same outcome as the initial installation.

Initial conditions:

ls -l /etc/ssh/ssh_host_*   
-rw-r-----. 1 root ssh_keys  227 Dec  7  2017 /etc/ssh/ssh_host_ecdsa_key
-rw-r--r--. 1 root root      162 Dec  7  2017 /etc/ssh/ssh_host_ecdsa_key.pub
-rw-r-----. 1 root ssh_keys  387 Dec  7  2017 /etc/ssh/ssh_host_ed25519_key
-rw-r--r--. 1 root root       82 Dec  7  2017 /etc/ssh/ssh_host_ed25519_key.pub
-rw-r-----. 1 root ssh_keys 1679 Dec  7  2017 /etc/ssh/ssh_host_rsa_key
-rw-r--r--. 1 root root      382 Dec  7  2017 /etc/ssh/ssh_host_rsa_key.pub

Use ssh-keygen -A to create the host keys:

rm /etc/ssh/ssh_host_*
ssh-keygen -A

-rw-------. 1 root root  668 Oct 25 13:30 /etc/ssh/ssh_host_dsa_key
-rw-r--r--. 1 root root  628 Oct 25 13:30 /etc/ssh/ssh_host_dsa_key.pub
-rw-------. 1 root root  227 Oct 25 13:30 /etc/ssh/ssh_host_ecdsa_key
-rw-r--r--. 1 root root  200 Oct 25 13:30 /etc/ssh/ssh_host_ecdsa_key.pub
-rw-------. 1 root root  444 Oct 25 13:30 /etc/ssh/ssh_host_ed25519_key
-rw-r--r--. 1 root root  120 Oct 25 13:30 /etc/ssh/ssh_host_ed25519_key.pub
-rw-------. 1 root root 1003 Oct 25 13:30 /etc/ssh/ssh_host_key
-rw-r--r--. 1 root root  668 Oct 25 13:30 /etc/ssh/ssh_host_key.pub
-rw-------. 1 root root 1679 Oct 25 13:30 /etc/ssh/ssh_host_rsa_key
-rw-r--r--. 1 root root  420 Oct 25 13:30 /etc/ssh/ssh_host_rsa_key.pub

Let sshd generate the missing host keys:

rm /etc/ssh/ssh_host_*
systemctl restart sshd

-rw-r-----. 1 root ssh_keys  227 Oct 25 13:31 /etc/ssh/ssh_host_ecdsa_key
-rw-r--r--. 1 root root      162 Oct 25 13:31 /etc/ssh/ssh_host_ecdsa_key.pub
-rw-r-----. 1 root ssh_keys  387 Oct 25 13:31 /etc/ssh/ssh_host_ed25519_key
-rw-r--r--. 1 root root       82 Oct 25 13:31 /etc/ssh/ssh_host_ed25519_key.pub
-rw-r-----. 1 root ssh_keys 1675 Oct 25 13:31 /etc/ssh/ssh_host_rsa_key
-rw-r--r--. 1 root root      382 Oct 25 13:31 /etc/ssh/ssh_host_rsa_key.pub

fission
  • 3,761
Alan
  • 11
1

Script (in case restarting the sshd daemon does not automatically regenerate the keys)

#!/bin/bash

# Regenerate SSHD key materials, restart sshd if "-r" passed on command line

set -o nounset

WHERE=/etc/ssh

# go to directory

pushd $WHERE >/dev/null

if [[ $? != 0 ]]; then
    echo "Could not cd to $WHERE -- exiting" >&2
    exit 1
fi

# create backup folder

NOW=$(date '+%Y%m%d.%H%M%S')   # default NOW string
BAKDIR=bak_$NOW

mkdir $BAKDIR

if [[ $? != 0 ]]; then
    echo "Could not mkdir $BAKDIR -- exiting" >&2
    exit 1
fi

# move existing key material to backup folder

mv ssh_host_* $BAKDIR

if [[ $? != 0 ]]; then
    echo "Could not move old files to $BAKDIR -- exiting" >&2
    exit 1
fi

# generate new keys

ssh-keygen -A

if [[ $? != 0 ]]; then
    echo "Could not recreate keys -- exiting" >&2
    exit 1
fi

# ssh-keygen may create DSA keys but:
# "Never use DSA or ECDSA"
# https://security.stackexchange.com/a/46781/25661

/bin/rm -f *_dsa_key *_dsa_key.pub
/bin/rm -f *_ecdsa_key *_ecdsa_key.pub

# on Fedora, one has to tune permissions a bit

chmod 640 *_key
chgrp ssh_keys *_key

# make sure SELinux attributes are as they should be

restorecon -R $WHERE

# Done

echo "New key material"
ls -l *_key *_key.pub

# Do the risky thing
# (${1:-} rather than $1: with nounset set, a missing argument would abort the script here)

if [[ ${1:-} == '-r' ]]; then
    echo "Restarting SSH daemon"
    systemctl restart sshd
fi

# go back to where you were

popd >/dev/null

0

I highly recommend using shred (or gshred on macOS, via brew install coreutils).

sudo shred -u /etc/ssh/*_key /etc/ssh/*_key.pub
NorseGaud
  • 150