I haven't seen much in the way of instructions on how to replace your server keys, though, so I figured I'd write up what I did to my Ubuntu machines.
Before we use any power tools, let's take a moment to talk about shop safety. There is a "sudo rm" command here that can affect your ability to log into the system if:
- you have other methods like PasswordAuthentication disabled in your /etc/ssh/sshd_config, and
- you lose your current session
Therefore:
- Do this from the console if possible so you can't saw off the branch you're standing on. (Even screen won't be much help if you lose your session in midstream)
- Read and be sure you understand each step of the process before attempting it.
- Remember this: there is no more important safety rule than to wear these — safety glasses.
Without further ado, here's how I updated my server keys:
# update the package database
sudo apt-get update
# upgrade the system
sudo apt-get upgrade
# backup the existing ssh keys
cd /etc/ssh
sudo tar cvf badkeys.tar ssh_host_*
# remove the existing ssh keys
sudo rm /etc/ssh/ssh_host_*
# generate new keys; -f names the output file and -N "" sets the empty
# passphrase a host key needs, so there is nothing to answer at the prompts
# (without them you hit "enter" at the passphrase prompt and type the path)
sudo ssh-keygen -t dsa -N "" -f /etc/ssh/ssh_host_dsa_key
sudo ssh-keygen -t rsa -N "" -f /etc/ssh/ssh_host_rsa_key
There's probably a GUI way to do this, but it's easy enough from the command line.
A few more things before you're done:
- Don't forget to regenerate your user keys with ssh-keygen before you're through.
- You'll probably need to update your known_hosts file(s) on your ssh client machines to remove the old server key.
- You'll likely also have to update the authorized_keys file on any servers you access using the new keys.
ssh-keygen can help you with these tasks too. Check out the man page.
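Two of those follow-up tasks are "what is the fingerprint of the new host key?" (ssh-keygen -l -f /etc/ssh/ssh_host_rsa_key.pub on the server) and "get the old key out of known_hosts on each client" (ssh-keygen -R hostname). The script below is an added example, not code from the original post, that does both in plain Python so the file formats are visible: it computes the SHA256 and MD5 fingerprints of a public key blob, and it removes every known_hosts entry for a host, including entries hashed by HashKnownHosts (the Ubuntu client default) and comma-separated entries where only one of the names should go. The key blob, salt and known_hosts contents are constructed inline and the key is not a real key; wildcard host patterns and [host]:port forms are assumed absent.

```python
import base64
import hashlib
import hmac


def _ssh_string(b: bytes) -> bytes:
    """Length-prefixed byte string, as in the OpenSSH public key wire format."""
    return len(b).to_bytes(4, "big") + b


def _ssh_mpint(n: int) -> bytes:
    """Positive mpint: minimal big-endian bytes, plus a leading zero if the high bit is set."""
    return _ssh_string(n.to_bytes((n.bit_length() + 8) // 8, "big"))


# Constructed sample key blob: well-formed ssh-rsa layout with placeholder numbers.
SAMPLE_BLOB = _ssh_string(b"ssh-rsa") + _ssh_mpint(65537) + _ssh_mpint(0xC0FFEE1234567891)
SAMPLE_KEY_B64 = base64.b64encode(SAMPLE_BLOB).decode()


def fingerprint_sha256(key_b64: str) -> str:
    """ssh-keygen's default fingerprint: SHA256 of the blob, base64 without padding."""
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def fingerprint_md5(key_b64: str) -> str:
    """Legacy fingerprint (ssh-keygen -E md5): colon-separated hex of MD5."""
    digest = hashlib.md5(base64.b64decode(key_b64)).hexdigest()
    return "MD5:" + ":".join(digest[i:i + 2] for i in range(0, 32, 2))


def pubkey_fingerprint(pub_line: str) -> str:
    """Fingerprint of one line of a *.pub file ('ssh-rsa AAAA... comment')."""
    return fingerprint_sha256(pub_line.split()[1])


def hash_hostname(host: str, salt: bytes) -> str:
    """Encode a host as HashKnownHosts does: |1|base64(salt)|base64(HMAC-SHA1(salt, host))."""
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())


def hashed_host_matches(hosts_field: str, host: str) -> bool:
    """Recompute the HMAC with the entry's salt and compare it to the stored one."""
    _, _, salt_b64, mac_b64 = hosts_field.split("|", 3)
    salt = base64.b64decode(salt_b64)
    expected = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return hmac.compare_digest(expected, base64.b64decode(mac_b64))


def parse_known_hosts_line(line: str):
    """(marker, hosts_field, keytype, key_b64, comment) or None for blank/comment/malformed lines."""
    tokens = line.split()
    if not tokens or tokens[0].startswith("#"):
        return None
    marker = ""
    if tokens[0].startswith("@"):  # @cert-authority / @revoked
        marker, tokens = tokens[0], tokens[1:]
    if len(tokens) < 3:
        return None
    return marker, tokens[0], tokens[1], tokens[2], " ".join(tokens[3:])


def remove_host(known_hosts_text: str, host: str):
    """Drop host from every entry; return (new text, [(keytype, SHA256 fingerprint) removed])."""
    kept, removed = [], []
    for line in known_hosts_text.splitlines():
        parsed = parse_known_hosts_line(line)
        if parsed is None:
            kept.append(line)
            continue
        marker, hosts_field, keytype, key_b64, comment = parsed
        if hosts_field.startswith("|1|"):
            if hashed_host_matches(hosts_field, host):
                removed.append((keytype, fingerprint_sha256(key_b64)))
            else:
                kept.append(line)
            continue
        names = hosts_field.split(",")
        if host not in names:
            kept.append(line)
            continue
        removed.append((keytype, fingerprint_sha256(key_b64)))
        remaining = [n for n in names if n != host]
        if remaining:  # other names shared this key line; keep them on it
            parts = (marker, ",".join(remaining), keytype, key_b64, comment)
            kept.append(" ".join(p for p in parts if p))
    return "\n".join(kept) + ("\n" if kept else ""), removed


# Constructed sample client file: a plain entry with an IP alias, a hashed
# entry for the same host, and an unrelated host. Real salts are random.
SAMPLE_SALT = bytes(range(20))
SAMPLE_KNOWN_HOSTS = "\n".join([
    "# constructed sample known_hosts",
    "server.example.com,10.0.0.5 ssh-rsa " + SAMPLE_KEY_B64 + " old host key",
    hash_hostname("server.example.com", SAMPLE_SALT) + " ssh-rsa " + SAMPLE_KEY_B64,
    "other.example.com ssh-rsa " + SAMPLE_KEY_B64,
    "",
])

if __name__ == "__main__":
    new_text, removed = remove_host(SAMPLE_KNOWN_HOSTS, "server.example.com")
    for keytype, fp in removed:
        print("removed", keytype, fp)
    print(new_text)
```

sshd reads its host keys when it starts, so restart it after regenerating them before comparing the fingerprint a client reports against the one printed on the server. Removing the entry with ssh-keygen -R keeps a backup copy of the old file as known_hosts.old; this script returns the new text instead and leaves writing it to the caller.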