Thursday, May 15, 2008

Updating your ssh server keys in Ubuntu

In case you hadn't seen it yet, if you're running Debian or any of its derivatives (Ubuntu included), you need to update your OpenSSL packages and regenerate all your SSH keys (server keys too) and x.509 certificates ASAP. There is a good chance that they have all got predictable key material. The Debian Advisory has more details. Also see the VulSearch results for more.

I haven't seen much in the way of instructions on how to replace your server keys, though, so I figured I'd write up what I did to my Ubuntu machines.

Before we use any power tools, let's take a moment to talk about shop safety. There is a "sudo rm" command here that can affect your ability to log into the system if:

  1. you have other methods like PasswordAuthentication disabled in your /etc/ssh/sshd_config, and

  2. you lose your current session


  • Do this from the console if possible so you can't saw off the branch you're standing on. (Even screen won't be much help if you lose your session in midstream)

  • Read and be sure you understand each step of the process before attempting it.

  • Remember this: there is no more important safety rule than to wear these — safety glasses.

Without further adieu, here's how I updated my server keys:

# update the package database
sudo apt-get update

# upgrade the system
sudo apt-get upgrade

# backup the existing ssh keys
cd /etc/ssh
sudo tar cvf badkeys.tar ssh_host_*

# remove the existing ssh keys
sudo rm /etc/ssh/ssh_host_*

# generate new keys
sudo ssh-keygen -t dsa
# hit "enter" at the passphrase prompt, then
# save the result in /etc/ssh/ssh_host_dsa_key

sudo ssh-keygen -t rsa
# hit "enter" at the passphrase prompt, then
# save the result in /etc/ssh/ssh_host_rsa_key

There's probably a GUI way to do this, but it's easy enough from the command line.

A few more things before you're done:

  • Don't forget to regenerate your user keys with ssh-keygen before you're through

  • You'll probably need to update your known_hosts file(s) on your ssh client machines to remove the old server key.

  • You'll likely also have to update the authorized_keys file on any servers you access using the new keys.

ssh-keygen can help you with these tasks too. Check out the man page.

No comments: