Recipe 17.3. Generating New Host Keys


17.3.1 Problem

You looked in /etc/ssh and didn't see any key files: your Linux distribution did not generate host keys when you installed OpenSSH. Or you just want to create new host keys yourself.

17.3.2 Solution

Use ssh-keygen to create a new key pair. This must be done as root, and you have to specify the name of the new key pair. You only need one key pair. Always specify a passphrase:

    # ssh-keygen -t rsa -f /etc/ssh/ssh_host_rsa_key
    Generating public/private rsa key pair.
    Enter passphrase (empty for no passphrase):
    Enter same passphrase again:
    Your identification has been saved in /etc/ssh/ssh_host_rsa_key.
    Your public key has been saved in /etc/ssh/ssh_host_rsa_key.pub.
    The key fingerprint is:
    6c:24:75:54:d3:21:17:c9:11:db:41:dd:95:3f:d0:ac root@windbag

This example uses the default key names, but you can call the keys anything you like. If you use different names, be sure to enter them in /etc/ssh/sshd_config:

    # HostKeys for protocol version 2
    HostKey /etc/ssh/ssh_host_rsa_key

Comment out or delete any entries for keys that do not exist.

17.3.3 Discussion

See this chapter's "Introduction" for how to create a strong passphrase.

Once you have OpenSSH set up and working and you have distributed the public keys, you don't want to change your private keys without a really good reason, because you'll have to distribute new public keys. Users whose known_hosts files still hold the old public key will get this message when they try to connect:

    @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
    @    WARNING: HOST IDENTIFICATION HAS CHANGED!    @
    @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
    IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
    Someone could be eavesdropping on you right now (man-in-the-middle attack)!
    It is also possible that the host key has just been changed.
    Please contact your system administrator.
    Add correct host key in <path>/known_hosts to get rid of this message.
    Agent forwarding is disabled to avoid attacks by corrupted servers.
    X11 forwarding is disabled to avoid attacks by corrupted servers.
    Are you sure you want to continue connecting (yes/no)

It's a good idea to train your users to say no at the prompt, and to contact you to see what is going on.
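As an added example that is not from the book: a small Python check an administrator can use to tell whether a user's known_hosts entry still matches the server's new ssh_host_rsa_key.pub, and to compute the fingerprint to publish to users out of band. The RSA values and the two key lines are constructed (not a real key) so the script runs offline.

```python
import base64
import hashlib
import struct

KEY_TYPES = ("ssh-rsa", "ssh-dss", "ssh-ed25519")

def ssh_string(b: bytes) -> bytes:
    """RFC 4251 'string': 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(b)) + b

def mpint(n: int) -> bytes:
    """RFC 4251 'mpint' for a non-negative integer (leading 0x00 if the high bit is set)."""
    return ssh_string(n.to_bytes((n.bit_length() + 8) // 8, "big"))

def rsa_public_blob(e: int, n: int) -> bytes:
    """Wire encoding of an ssh-rsa public key: the base64 field of a .pub file."""
    return ssh_string(b"ssh-rsa") + mpint(e) + mpint(n)

def parse_key_line(line: str):
    """Return (keytype, blob) from a ssh_host_*_key.pub line or a known_hosts line."""
    # known_hosts lines start with a (possibly hashed) host field, .pub files do not,
    # so locate the key-type field rather than relying on position.
    fields = line.split()
    for i, f in enumerate(fields):
        if f in KEY_TYPES or f.startswith("ecdsa-sha2-"):
            blob = base64.b64decode(fields[i + 1])
            inner = struct.unpack(">I", blob[:4])[0]
            if blob[4:4 + inner] != f.encode():  # type inside the blob must match the label
                raise ValueError("key type label does not match encoded key")
            return f, blob
    raise ValueError("no public key found in line")

def fingerprint_md5(blob: bytes) -> str:
    """Colon-separated MD5 fingerprint, the format older ssh-keygen prints (as in the recipe)."""
    return ":".join(f"{b:02x}" for b in hashlib.md5(blob).digest())

def fingerprint_sha256(blob: bytes) -> str:
    """SHA256 fingerprint in the unpadded-base64 form current ssh-keygen -l prints."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")

def host_key_matches(pub_line: str, known_hosts_line: str) -> bool:
    """True if the client's known_hosts entry holds the same key as the server's .pub file."""
    return parse_key_line(pub_line) == parse_key_line(known_hosts_line)

# Constructed toy RSA values (NOT a real key): the blobs are well-formed but meaningless.
_E, _N = 65537, 0xC0FFEE0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789
NEW_HOST_PUB = "ssh-rsa " + base64.b64encode(rsa_public_blob(_E, _N)).decode() + " root@windbag"
# A client's stale known_hosts entry, recorded before the host key was regenerated.
OLD_KNOWN_HOSTS = "windbag,192.0.2.10 ssh-rsa " + base64.b64encode(rsa_public_blob(_E, _N ^ 0xFF)).decode()
if __name__ == "__main__":
    print(fingerprint_md5(parse_key_line(NEW_HOST_PUB)[1]))
    print(host_key_matches(NEW_HOST_PUB, OLD_KNOWN_HOSTS))  # False: the user must replace the entry
```

On a real system, read NEW_HOST_PUB from /etc/ssh/ssh_host_rsa_key.pub and the user's line from ~/.ssh/known_hosts; a mismatch is exactly the situation that triggers the warning above.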

17.3.4 See Also

  • ssh(1), ssh-keygen(1)

  • SSH, The Secure Shell: The Definitive Guide


Linux Cookbook
ISBN: 0596006403
Year: 2004
Pages: 434