SSH Server
Some tips and tricks for configuring an SSH server.
Regenerate SSH Server Keys
Most Linux and Unix distributions create SSH host keys for you during the installation of the OpenSSH server package. But it may be useful to be able to regenerate the server keys from time to time. For example, when you duplicate a VM (KVM or container) that contains an installed ssh package, the clone needs different keys from the original KVM VM guest/machine.
Step 1 – Delete old ssh host keys
Log in as root and type the following rm command to delete the host key files on your SSHD server:
sudo /bin/rm -v /etc/ssh/ssh_host_*
removed '/etc/ssh/ssh_host_dsa_key'
removed '/etc/ssh/ssh_host_dsa_key.pub'
removed '/etc/ssh/ssh_host_ecdsa_key'
removed '/etc/ssh/ssh_host_ecdsa_key.pub'
removed '/etc/ssh/ssh_host_ed25519_key'
removed '/etc/ssh/ssh_host_ed25519_key.pub'
removed '/etc/ssh/ssh_host_rsa_key'
removed '/etc/ssh/ssh_host_rsa_key.pub'
Step 2 – Regenerate OpenSSH host keys on Debian or Ubuntu Linux
Now create a new set of keys on your SSHD server. Enter:
sudo dpkg-reconfigure openssh-server
Creating SSH2 RSA key; this may take some time ...
2048 SHA256:BLUkgjGdbcFX9wCsfOoIG4gtkdSeex4K/xcnsRo0qEA root@ubuntu-box1-clone (RSA)
Creating SSH2 DSA key; this may take some time ...
1024 SHA256:Ug9fJa14YMR9Fud/7bXTokffK/hM/sBVse10nSR/6Y8 root@ubuntu-box1-clone (DSA)
Creating SSH2 ECDSA key; this may take some time ...
256 SHA256:Rh6izWEXkCV6HZLIpzlGQje178vhDgb77ItaZgpDsIQ root@ubuntu-box1-clone (ECDSA)
Creating SSH2 ED25519 key; this may take some time ...
256 SHA256:UD4b7njwxWp1Q3wYf2R//udgPRzfGaeZ/6kE3VgZM+s root@ubuntu-box1-clone (ED25519)
Restart the SSH server with the systemctl command, or with the init script on systems without systemd:
sudo systemctl restart ssh
sudo /etc/init.d/ssh restart
Step 3 – Update all ssh client(s) known_hosts files
Finally, you need to update the ~/.ssh/known_hosts files on client computers; otherwise everyone will see an error message that reads as follows:
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the RSA host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
f6:67:01:41:e6:20:06:4b:4b:fa:4b:c1:f1:45:45:e0.
Please contact your system administrator.
Add correct host key in /home/user/.ssh/known_hosts to get rid of this message.
Offending key in /home/user/.ssh/known_hosts:12
RSA host key for 202.54.xx.abc has changed and you have requested strict checking.
Host key verification failed.
To clear the error, remove the old host key for the server from known_hosts on each client:
ssh-keygen -R remote-server-name-here
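To spot clones that still present the original machine's host key (the situation this procedure fixes), the added example below, which is not part of the original page, groups known_hosts entries by SHA256 fingerprint in the same format the key generation output above prints. All host entries and key blobs in it are constructed sample data.

```python
import base64
import hashlib
import struct
from collections import defaultdict


def fingerprint(blob_b64):
    """SHA256 fingerprint as printed by ssh-keygen -l: unpadded base64 of SHA-256(key blob)."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def shared_host_keys(known_hosts_text):
    """Return {fingerprint: sorted host names} for keys found on more than one line."""
    entries = defaultdict(list)
    for line in known_hosts_text.splitlines():
        fields = line.split()
        # Skip blanks, comments, and @cert-authority / @revoked marker lines.
        if len(fields) < 3 or fields[0][0] in "#@":
            continue
        hosts, _keytype, blob = fields[:3]
        entries[fingerprint(blob)].append(hosts.split(","))
    # One line may list a name and its IP; only a key repeated across lines is reported.
    return {
        fp: sorted(h for line_hosts in lines for h in line_hosts)
        for fp, lines in entries.items()
        if len(lines) > 1
    }


def sample_blob(seed):
    """Constructed ed25519 public key blob (SSH wire format), demo data only."""
    name, key = b"ssh-ed25519", bytes([seed]) * 32
    raw = struct.pack(">I", len(name)) + name + struct.pack(">I", len(key)) + key
    return base64.b64encode(raw).decode()


# Constructed known_hosts: the clone still presents the original machine's key.
BEFORE = "\n".join([
    "# constructed sample",
    "ubuntu-box1,192.0.2.10 ssh-ed25519 " + sample_blob(1),
    "ubuntu-box1-clone ssh-ed25519 " + sample_blob(1),
    "db1 ssh-ed25519 " + sample_blob(2),
])
# After regenerating the clone's host keys and refreshing its entry.
AFTER = BEFORE.replace("ubuntu-box1-clone ssh-ed25519 " + sample_blob(1),
                       "ubuntu-box1-clone ssh-ed25519 " + sample_blob(3))

if __name__ == "__main__":
    for fp, hosts in shared_host_keys(BEFORE).items():
        print(fp, "shared by", ", ".join(hosts))
    print("after regeneration:", shared_host_keys(AFTER) or "no shared keys")
```

A reported fingerprint is a lead to review, not proof of a clone: the same machine can legitimately appear on separate lines under its name and its IP address.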
Last updated: 3 October 2023