Recipe 17.3. Generating New Host Keys
17.3.1 Problem
You looked in /etc/ssh and didn't see any key files: your Linux distribution did not generate host keys when you installed OpenSSH. Or you just want to create new host keys yourself.
17.3.2 Solution
Use ssh-keygen to create a new key pair. This must be done as root, and you have to specify the name of the new key pair. You only need one key pair. Always specify a passphrase:
# ssh-keygen -t rsa -f /etc/ssh/ssh_host_rsa_key
Generating public/private rsa key pair.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /etc/ssh/ssh_host_rsa_key.
Your public key has been saved in /etc/ssh/ssh_host_rsa_key.pub.
The key fingerprint is:
6c:24:75:54:d3:21:17:c9:11:db:41:dd:95:3f:d0:ac root@windbag
This example uses the default key names, but you can call the keys anything you like. If you use different names, be sure to enter them in /etc/ssh/sshd_config:
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
Comment out or delete any entries for keys that do not exist.
17.3.3 Discussion
See this chapter's "Introduction" for how to create a strong passphrase.
Once you have OpenSSH set up and working and you have distributed public keys, you don't want to change your private keys without a really good reason, because you'll have to distribute new public keys. If users try to connect with the old public key, they will get this message:
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: HOST IDENTIFICATION HAS CHANGED!    @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the host key has just been changed.
Please contact your system administrator.
Add correct host key in <path>/known_hosts to get rid of this message.
Agent forwarding is disabled to avoid attacks by corrupted servers.
X11 forwarding is disabled to avoid attacks by corrupted servers.
Are you sure you want to continue connecting (yes/no)
It's a good idea to train your users to say no at the prompt, and to contact you to see what is going on.
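As an added illustration (not from the book), the following Python reproduces the client-side comparison behind that warning: it computes the colon-separated MD5 fingerprint ssh-keygen printed above (and the SHA256 form newer OpenSSH uses) from a public-key line, and checks a presented host key against a plain-text known_hosts file. The key material is constructed in the script, with the correct ssh-rsa wire layout but a nonsense modulus, so it runs offline; host names and the known_hosts contents are likewise made up.

```python
import base64
import hashlib
import struct

def _ssh_string(data: bytes) -> bytes:
    """SSH wire-format string: 4-byte big-endian length followed by the data."""
    return struct.pack(">I", len(data)) + data

def make_fake_rsa_pubkey(modulus_byte: int, comment: str) -> str:
    """CONSTRUCTED ssh-rsa public-key line: correct wire layout (type, e, n)
    but a nonsense modulus, standing in for a real ssh_host_rsa_key.pub."""
    blob = (_ssh_string(b"ssh-rsa")
            + _ssh_string(b"\x01\x00\x01")                        # e = 65537
            + _ssh_string(b"\x00" + bytes([modulus_byte]) * 64))  # fake n
    return f"ssh-rsa {base64.b64encode(blob).decode()} {comment}"

def key_blob(pubkey_line: str) -> bytes:
    """Decode the base64 key blob from a '<type> <base64> [comment]' line."""
    return base64.b64decode(pubkey_line.split()[1])

def fingerprint_md5(pubkey_line: str) -> str:
    """Colon-separated MD5 fingerprint, the format ssh-keygen prints in the recipe."""
    digest = hashlib.md5(key_blob(pubkey_line)).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, 32, 2))

def fingerprint_sha256(pubkey_line: str) -> str:
    """SHA256 fingerprint as newer OpenSSH prints it (unpadded base64)."""
    digest = hashlib.sha256(key_blob(pubkey_line)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def check_host(known_hosts: str, host: str, pubkey_line: str) -> str:
    """Reproduce the client's decision for a plain (unhashed) known_hosts file:
    'ok' when the stored key matches, 'changed' when the host is listed with a
    different key of the same type (the HOST IDENTIFICATION HAS CHANGED case),
    'unknown' when the host was never seen. Hashed '|1|...' entries are skipped."""
    ktype, presented = pubkey_line.split()[:2]
    for line in known_hosts.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0].startswith(("#", "|1|")):
            continue
        hosts, stored_type, stored_key = fields[0].split(","), fields[1], fields[2]
        if host in hosts and stored_type == ktype:
            return "ok" if stored_key == presented else "changed"
    return "unknown"
```

Regenerating the server's key (as in the Solution) is exactly what turns the "ok" result into "changed" for every client that cached the old key.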
17.3.4 See Also