wave
rectangle square backgroundrectangle square backgroundrectangle square backgroundrectangle square backgroundrectangle square backgroundrectangle square backgroundEngineering

Avoid Duplicate SSH Host Keys

authorDigitalOcean
Posted: July 25, 20132 min read

The ssh daemon uses host keys to uniquely identify itself to connecting clients.  The host keys are typically stored in /etc/ssh. Security best practices dictate that these host keys be unique for each operating system instance.  DigitalOcean typically removes host keys when creating a new Droplet from a snapshot or a standard image.

The SSH host keys for some Ubuntu-based systems could have been duplicated by DigitalOcean’s snapshot and creation process.  Therefore, our system is now configured to remove the host keys on Droplets that are created from snapshots at the time of the first boot.  This removal process only happens in situations where we have a high degree of confidence that the host-keys will be regenerated on boot.

Most Linux distributions will generate new host keys at boot time if host keys are not found.  However, some images may not do this due to local customization. This can be resolved in the majority of cases simply by logging in to the virtual terminal on the Droplet control panel, adding the following line to /etc/rc.local:

test -f /etc/ssh/ssh_host_dsa_key || dpkg-reconfigure openssh-server

and rebooting the affected Droplet.

DigitalOcean also recommends that users of existing Ubuntu-based Droplets and snapshots regenerate their SSH host keys. To do this, ensure that the above test or an equivalent is in place, remove the host keys, and generate new ones following the procedure below.

Step 1: remove potentially duplicated host key.

rm /etc/ssh/ssh_host_*

Step 2: regenerate host keys.

/usr/sbin/dpkg-reconfigure openssh-server

For snapshots, please create a Droplet from the snapshot, apply the above changes, and create a new snapshot from that Droplet.  Then, after making sure your snapshot is functional by spinning up a new Droplet, you can delete the old snapshot and the new Droplet.

UPDATE: Sometimes using the dpkg-reconfigure script throws an error instead of generating new keys. Should this happen to you, please run the following commands to manually generate keys:

ssh-keygen -t dsa -N “” -f /etc/ssh/ssh*host*dsa*key
ssh-keygen -t rsa -N “” -f /etc/ssh/ssh*host*rsa*key
ssh-keygen -t ecdsa -N “” -f /etc/ssh/ssh*host*ecdsa_key

Share

You've got unique business needs. We've got powerful solutions to meet them. Chat with us to get started.Contact sales

Related Articles

DigitalOcean's journey to Python Client generation
engineering

DigitalOcean's journey to Python Client generation

Dana Elhertani

January 26, 20233 min read

How DigitalOcean uses Let’s Encrypt
engineering

How DigitalOcean uses Let’s Encrypt

Anit Gandhi

November 28, 20223 min read

Inside DigitalOcean's Reserved IP Rails migration
engineering

Inside DigitalOcean's Reserved IP Rails migration

Julius Zerwick

September 6, 20223 min read

Get started for free

Enter your email to get $200 in credit for your first 60 days with DigitalOcean.

New accounts only. By submitting your email you agree to our Privacy Policy.

© 2023 DigitalOcean, LLC.
Get started for free

Enter your email to get $200 in credit for your first 60 days with DigitalOcean.

New accounts only. By submitting your email you agree to our Privacy Policy.