How to regenerate new ssh server keys
This is an unusual topic, since most distributions create these keys for you when the OpenSSH server package is installed. But it can be useful to generate new server keys from time to time; this happens to me when I duplicate a Virtual Private Server that already contains an installed ssh package.
Typical reasons are host keys that were never generated when the service first started, a cloned image that shares its host keys with the original, or a compromised system whose keys may have been stolen. There can be other reasons too, but if you are reading this article you probably already have one. SSH is the service most system administrators use for remote administration of servers. On a fresh install, the first start of the ssh service generates the host keys, which clients later use to authenticate the server. If for some reason you need to regenerate the host keys, the process is explained below.
OpenSSH requires different keys depending on whether you use the SSH1 and/or SSH2 protocol. All keys are generated by ssh-keygen, which should be available on your system with the ssh package. The recipe is almost the same as for generating your own user keys, except that you should use an empty passphrase. The default key lengths are also appropriate (2048 bits for rsa and 1024 bits for dsa).
For the SSH1 protocol, you need an rsa1 key, generated as follows:
For the SSH2 protocol, you need two keys, one RSA key and one DSA key, generated as follows:
Since January 2011, OpenSSH also supports ECDSA keys; you may generate a new one using:
OpenSSH 6.5 added support for Ed25519 as a public key type. It uses an elliptic curve signature scheme that offers better security than ECDSA and DSA while also performing well. This type of key may be used for both user and host keys, which makes it a good fit for OpenSSH. In this article, we have a look at this new key type.
Many forum threads have been created regarding the choice between DSA and RSA. DSA is limited to 1024 bits, as specified by FIPS 186-2, which is also the default length in ssh-keygen. While the length can be increased, the result may not be compatible with all clients. So it is common to see RSA keys, which are often also used for signing. With Ed25519 now available, the usage of both will slowly decrease.
The first thing to check is if your current OpenSSH package is up-to-date. You will need at least version 6.5 of OpenSSH.
The next step is to change the sshd_config file. Add the new host key type:
HostKey /etc/ssh/ssh_host_ed25519_key
Remove any of the other HostKey settings that are defined.
After configuring the server, it is time to do the client. We have to create a new key first. Make sure that your ssh-keygen is also up-to-date, so that it supports the new key type. Note: the tilde (~) is an alias for your home directory and is expanded by your shell.
Optional step: Check the key before copying it.
ssh-keygen -l -f ~/.ssh/id_ed25519
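As an added example (not code from the original article), the following Python reads an id_ed25519.pub line as written by `ssh-keygen -t ed25519` and computes the SHA256 fingerprint the same way `ssh-keygen -l` prints it, so you can see exactly what the check above is verifying. The function names and the 32 sample key bytes are constructed for illustration and are not a real key.

```python
import base64
import hashlib
import struct

KEY_TYPE = "ssh-ed25519"
RAW_KEY_LEN = 32  # an Ed25519 public key is a 32-byte curve point

def _ssh_string(data: bytes) -> bytes:
    # RFC 4251 "string": 4-byte big-endian length followed by the bytes
    return struct.pack(">I", len(data)) + data

def build_pubkey_line(raw_key: bytes, comment: str = "") -> str:
    """Encode a raw 32-byte key the way id_ed25519.pub stores it."""
    if len(raw_key) != RAW_KEY_LEN:
        raise ValueError("Ed25519 public keys are exactly 32 bytes")
    blob = _ssh_string(KEY_TYPE.encode()) + _ssh_string(raw_key)
    line = KEY_TYPE + " " + base64.b64encode(blob).decode("ascii")
    return line + (" " + comment if comment else "")

def parse_pubkey_line(line: str) -> dict:
    """Return type, bit size and SHA256 fingerprint as `ssh-keygen -l -f` shows them."""
    parts = line.split(None, 2)
    if len(parts) < 2:
        raise ValueError("malformed public key line")
    key_type, b64 = parts[0], parts[1]
    blob = base64.b64decode(b64, validate=True)
    (type_len,) = struct.unpack(">I", blob[:4])
    # The blob repeats the key type; both copies must agree before we trust it.
    if blob[4:4 + type_len].decode("ascii") != key_type:
        raise ValueError("key type in blob does not match text prefix")
    if key_type != KEY_TYPE:
        raise ValueError(f"expected {KEY_TYPE}, got {key_type}")
    off = 4 + type_len
    (key_len,) = struct.unpack(">I", blob[off:off + 4])
    raw = blob[off + 4:off + 4 + key_len]
    # Reject truncated keys and any trailing bytes hidden after the key.
    if key_len != RAW_KEY_LEN or len(raw) != RAW_KEY_LEN or blob[off + 4 + key_len:]:
        raise ValueError("unexpected key length or trailing data")
    digest = hashlib.sha256(blob).digest()  # fingerprint covers the whole blob
    fp = "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")
    return {"type": key_type, "bits": RAW_KEY_LEN * 8, "fingerprint": fp,
            "comment": parts[2] if len(parts) == 3 else ""}

def is_valid_ed25519_line(line: str) -> bool:
    """True only if the line is a well-formed ssh-ed25519 public key."""
    try:
        parse_pubkey_line(line)
        return True
    except (ValueError, struct.error, UnicodeDecodeError):
        return False
```

To check a real key, pass the single line of ~/.ssh/id_ed25519.pub to parse_pubkey_line and compare the returned fingerprint with the output of `ssh-keygen -l -f ~/.ssh/id_ed25519`.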
If that looks good, copy it to the destination host.
ssh-copy-id -i ~/.ssh/id_ed25519.pub michael@192.168.1.251
Then determine if we can log in with it.
$ ssh -i ~/.ssh/id_ed25519 michael@192.168.1.251
Enter passphrase for key '~/.ssh/id_ed25519':
When using this newer type of key, you can configure your local SSH configuration file (~/.ssh/config) to use it. The key file is defined with the IdentityFile option.
Host [name]
HostName [hostname]
User [your-username]
IdentityFile ~/.ssh/id_ed25519
IdentitiesOnly yes
Normally you can use the -o option to save SSH private keys in the new OpenSSH format. It uses bcrypt/pbkdf2 to hash the private key, which makes it more resilient against brute-force attempts to crack the password. Only newer versions (OpenSSH 6.5+) support it, though. For this key type, the -o option is implied and does not have to be provided. Also, a bit size is not needed, as it is always 256 bits for this key type.
Are you already using the new key type? Or other tips for our readers? Leave a comment.