Re-generating SSH Host Keys

To generate new host keys on the server, use ssh-keygen (included with the standard OpenSSH package) and run the commands below; a server that still speaks both SSH protocols needs all three of them. Make sure that -N is followed by two single quotation marks (an empty passphrase, since sshd must load the key unattended) and that all three file names are different. sshd reads its host keys when it starts, so restart it afterwards for the new keys to take effect. Note that SSH protocol 1 and the rsa1 key type have been removed from OpenSSH (the server side in 7.4, the rest in 7.6), and DSA host keys have been disabled by default since OpenSSH 7.0; on a current server the relevant types are rsa, ecdsa and ed25519, generated with the same command and distinct file names.
SSH1 protocol
For the SSH1 protocol you only require an RSA1 key:
ssh-keygen -f /etc/ssh/ssh_host_key -N '' -t rsa1
SSH2 protocol
For the SSH2 protocol you need two keys, for rsa and dsa:
ssh-keygen -f /etc/ssh/ssh_host_rsa_key -N '' -t rsa
ssh-keygen -f /etc/ssh/ssh_host_dsa_key -N '' -t dsa
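As an added example (not part of the original post), the following shell script performs the regeneration above for any list of key types in one go. It generalizes the three commands: it will produce the rsa and dsa keys from the post where ssh-keygen still supports them, and ecdsa and ed25519 keys on current releases, skipping any type the installed ssh-keygen rejects. It moves the old key pairs into a backup directory first (ssh-keygen asks before overwriting an existing key), and prints the new fingerprints so they can be given to users before they reconnect. The key directory and type list are arguments supplied by the caller, and the function names are my own.

```shell
#!/bin/sh
# Added example, not from the original post: regenerate OpenSSH host keys
# for the given key types, keeping the old keys in a timestamped backup
# directory (so their fingerprints can still be looked up and the change
# can be rolled back), then print the new fingerprints.
# Assumes ssh-keygen from OpenSSH is on PATH. The key directory and key
# types are supplied by the caller, e.g.: regen_host_keys /etc/ssh rsa ecdsa ed25519

regen_host_keys() {
    keydir="$1"
    shift
    backup="$keydir/old-host-keys-$(date +%Y%m%d%H%M%S)"
    for type in "$@"; do
        # One distinct file name per key type, as the commands above require.
        file="$keydir/ssh_host_${type}_key"
        # ssh-keygen asks "Overwrite (y/n)?" if the file exists, so move the
        # old key pair aside first instead of answering a prompt.
        for f in "$file" "$file.pub"; do
            if [ -e "$f" ]; then
                mkdir -p "$backup"
                mv "$f" "$backup/"
            fi
        done
        # -N '' sets an empty passphrase: sshd must read the key unattended.
        if ! ssh-keygen -q -t "$type" -N '' -f "$file" 2>/dev/null; then
            # rsa1 and, on current releases, dsa end up here.
            echo "skipping $type: ssh-keygen does not support this key type" >&2
            continue
        fi
        chmod 600 "$file"
        chmod 644 "$file.pub"
    done
}

# Print the fingerprint of every host key in a directory: the SHA256 form
# that OpenSSH 6.8 and later show by default, plus the colon-separated MD5
# form that older clients and the post's example use.
host_key_fingerprints() {
    for pub in "$1"/ssh_host_*_key.pub; do
        [ -e "$pub" ] || continue
        ssh-keygen -l -f "$pub"
        ssh-keygen -l -E md5 -f "$pub" 2>/dev/null || true
    done
}

# Number of private host keys present in a directory.
count_host_keys() {
    n=0
    for key in "$1"/ssh_host_*_key; do
        if [ -e "$key" ]; then
            n=$((n + 1))
        fi
    done
    echo "$n"
}

# Usage (file name is hypothetical): sh regen-host-keys.sh /etc/ssh rsa ecdsa ed25519
if [ $# -gt 0 ]; then
    regen_host_keys "$@"
    host_key_fingerprints "$1"
fi
```

Run it as root against the directory sshd actually uses, then restart sshd; publish the printed fingerprints (for example on an internal page or in the change ticket) so users can check them against the prompt they get on their next connection rather than accepting it blindly.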
The authenticity of host xxx can't be established
If you have logged in to this server via SSH in the past, the first connection after you regenerate the host keys will fail with a warning that the remote host identification has changed (OpenSSH prints WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!, PuTTY warns of a potential security breach). Only after the old entry is removed, as described below, do you get the message that the authenticity of the host can't be established, together with a prompt to accept the new fingerprint. Both messages arise because the server's host key, and hence its fingerprint, is stored in a local cache on your system:
On Linux and other OpenSSH clients it is stored per user in ~/.ssh/known_hosts (and system-wide in /etc/ssh/ssh_known_hosts)
On Windows, PuTTY stores it in the registry under HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\SshHostKeys; the Windows OpenSSH client uses %USERPROFILE%\.ssh\known_hosts
Every time a connection is established, the host key the server presents is compared with the stored one; the fingerprint is the human-readable hash of that key. It looks something like xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx (16 hex bytes, the MD5 form used by PuTTY and by OpenSSH before 6.8). OpenSSH 6.8 and later print it as SHA256: followed by base64 by default; ssh-keygen -l -E md5 shows the older form when you need to compare against a client that still uses it.
Removing the offending key
You can remove the stale entry for the server from the local cache and reconnect, in which case you will be prompted to save the new fingerprint. Before you accept it, compare it with the fingerprint recorded on the server (ssh-keygen -l -f /etc/ssh/ssh_host_rsa_key.pub, run on the server itself or read off its console): a changed host key is exactly what a man-in-the-middle attack also produces, so clear the warning only when you know the key was regenerated. On a Linux terminal the warning includes a line such as:
Offending key in /home/USER/.ssh/known_hosts:15
where /home/USER/.ssh/known_hosts is the file location and 15 is the line number. This lets you open the file in vi directly at that line and delete it:
vi +15 /home/USER/.ssh/known_hosts
Alternatively, ssh-keygen -R hostname removes every entry for that host from ~/.ssh/known_hosts (add -f to point it at another file). This also works when HashKnownHosts is enabled and the host names in the file are hashed, which is when the line number from the warning is otherwise the only way to find the entry; recent OpenSSH versions print a ready-made ssh-keygen -R command below the Offending key line.
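As an added example (not part of the original post), here is the client-side cleanup as a small shell script: one function extracts the file and line number from the Offending key warning, the other deletes exactly that line while keeping a backup of the previous file. The known_hosts contents and the warning text used in the demo are constructed samples; the function names are my own.

```shell
#!/bin/sh
# Added example, not from the original post: remove the stale host-key
# entry that OpenSSH's "Offending key in FILE:LINE" warning points at.
# parse_offending_key pulls LINE and FILE out of the warning line and
# remove_known_hosts_line deletes exactly that line, keeping a backup
# copy. The known_hosts content and warning text used by demo_cleanup
# are constructed samples, not captured from a real server.

# Constructed known_hosts: two plain entries and one hashed entry
# (HashKnownHosts yes). The hashed one is why the line number matters:
# its host name cannot be found with grep.
SAMPLE_KNOWN_HOSTS='build1.example.com,192.0.2.10 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyOne
old-server.example.com,192.0.2.15 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQExampleKeyTwo
|1|c29tZXNhbHQ=|c29tZWhhc2g= ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYExampleKeyThree'

# Print "LINE FILE" for a warning such as
#   Offending key in /home/USER/.ssh/known_hosts:15
# Newer OpenSSH writes "Offending RSA key in ..." or "Offending key for IP
# in ..."; the pattern accepts all of these. LINE comes first so that a
# file name containing spaces survives a later `read -r lineno file`.
parse_offending_key() {
    printf '%s\n' "$1" |
        sed -n 's/^.*Offending .* in \(.*\):\([0-9][0-9]*\)$/\2 \1/p'
}

# Delete one line from known_hosts, saving the previous file as FILE.old
# so the entry can be restored if the key turns out not to have changed.
remove_known_hosts_line() {
    file="$1"
    lineno="$2"
    case "$lineno" in
        ''|*[!0-9]*) echo "not a line number: '$lineno'" >&2; return 1 ;;
    esac
    cp -p "$file" "$file.old"
    sed "${lineno}d" "$file.old" > "$file"
}

# Demo on the constructed sample: shows the entry being removed and what
# is left in the file afterwards.
demo_cleanup() {
    dir=$(mktemp -d)
    kh="$dir/known_hosts"
    printf '%s\n' "$SAMPLE_KNOWN_HOSTS" > "$kh"
    warning="Offending RSA key in $kh:2"   # constructed, as ssh would print it
    parse_offending_key "$warning" | {
        read -r lineno file
        echo "removing: $(sed -n "${lineno}p" "$file")"
        remove_known_hosts_line "$file" "$lineno"
    }
    echo "remaining entries:"
    cat "$kh"
    rm -rf "$dir"
}

# Usage (file name is hypothetical):
#   sh fix-known-hosts.sh "Offending key in /home/USER/.ssh/known_hosts:15"
if [ $# -eq 0 ]; then
    demo_cleanup
else
    parse_offending_key "$1" | {
        read -r lineno file
        remove_known_hosts_line "$file" "$lineno"
    }
fi
```

The script prints the entry before deleting it, so you can see which host and key type are being forgotten; if the warning came from a server whose keys you did not just regenerate, stop there and investigate instead of clearing it.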
Note: for production servers the host keys may be in /usr/local/etc/ instead of /etc/ssh/ (OpenSSH built from source installs its configuration there by default); sshd -T lists the hostkey paths actually in use.
