Previous Section  < Day Day Up >  Next Section

Recipe 17.3. Generating New Host Keys

17.3.1 Problem

You looked in /etc/ssh and didn't see any key files: your Linux distribution did not generate host keys when you installed OpenSSH. Or you just want to create new host keys yourself.

17.3.2 Solution

Use ssh-keygen to create a new key pair. This must be done as root, and you have to specify the name of the new key pair. You only need one key pair. Always specify a passphrase:

# ssh-keygen -t rsa -f /etc/ssh/ssh_host_rsa_key

Generating public/private rsa key pair.

Enter passphrase (empty for no passphrase):

Enter same passphrase again:

Your identification has been saved in /etc/ssh/ssh_host_rsa_key.

Your public key has been saved in /etc/ssh/

The key fingerprint is:

6c:24:75:54:d3:21:17:c9:11:db:41:dd:95:3f:d0:ac root@windbag

This example uses the default key names, but you can call the keys anything you like. If you use different names, be sure to enter them in /etc/ssh/sshd_config:

# HostKeys for protocol version 2

HostKey /etc/ssh/ssh_host_rsa_key

Comment out or delete any entries for keys that do not exist.

17.3.3 Discussion

See this chapter's "Introduction" for how to create a strong passphrase.

Once you have OpenSSH set up and working and you have distributed public keys, you don't want to change your private keys without a really good reason, because you'll have to distribute new public keys. If users try to connect with the old public key, they will get this message:





Someone could be eavesdropping on you right now (man-in-the-middle attack)!

It is also possible that the host key has just been changed.

Please contact your system administrator.

Add correct host key in <path>/known_hosts to get rid of this message.

Agent forwarding is disabled to avoid attacks by corrupted servers.

X11 forwarding is disabled to avoid attacks by corrupted servers.

Are you sure you want to continue connecting (yes/no)

It's a good idea to train your users to say no at the prompt, and to contact you to see what is going on.

17.3.4 See Also

  • ssh(1), ssh-keygen(1)

  • SSH, The Secure Shell: The Definitive Guide

    Previous Section  < Day Day Up >  Next Section