How do you manage your SSH host keys?
When connecting to a new OpenSSH server for the first time you'll be prompted to accept its host key - but how do you know if it is valid? How do you manage SSH keys for multiple machines?
In Debian Security Advisory 1571 (New openssl packages fix predictable random number generator), the Debian Security Team disclosed a vulnerability in the openssl package that makes many cryptographic keys used for authentication (e.g. through SSH) or signing (e.g. web server certificates) potentially vulnerable. Any SSH server that uses a host key generated by a flawed system is subject to traffic decryption, and a man-in-the-middle attack would be invisible to the users. This flaw is ugly because even systems that do not use the Debian software need to be audited in case any key is.
As part of package installation, openssh-server generates the server's 'host keys', which identify the server to clients on every connection.
The first time you connect to a server the client warns that the host's authenticity can't be established and prints the host key's fingerprint.
This allows you to test that the key is valid: you are shown the fingerprint (a hash of the full public key) and prompted to confirm it before the connection proceeds.
Once accepted the key will be stored in the file ~/.ssh/known_hosts, either in plain text or, if you're running a recent version of OpenSSH with HashKnownHosts enabled (Debian's default ssh_config turns it on), with the hostname stored in a hashed form. (Set 'HashKnownHosts no' if you want to disable this behaviour, either in ~/.ssh/config or in /etc/ssh/ssh_config.)
The real question now is how do you know whether the key is valid?
Some organisations publish their hosts' OpenSSH fingerprints online so that you may compare what is presented with what is expected; others assume that 99% of people will merely type 'yes' when prompted to accept a key, which is a pretty dangerous thing to do.
Besides the per-user ~/.ssh/known_hosts that accepted keys are written to, the OpenSSH client can also read a system-wide list of hostnames and keys.
By default the Debian packages (like upstream OpenSSH) look at the file /etc/ssh/ssh_known_hosts if it exists; the path is set by the GlobalKnownHostsFile option.
If you were to build up a list of the keys used within your LAN, using the ssh-keyscan command, and place it in this file, then none of your users would be prompted when connecting to your internal hosts.
As a simple example you could run ssh-keyscan against each internal host and collect its output into that file.
(Note the use of both 'short' and 'long' hostnames; since the name in the file must match exactly what the user typed to connect, we record both versions. Users will still be prompted to accept a key if they connect by IP address, unless the address is added as a further alias.)
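The procedure above as an added, runnable example; it is not a script from the original post. It uses ssh-keyscan's documented "addrlist namelist" argument form so that each key line is labelled with the short name and the fully-qualified name, and installs the result by atomic rename. The domain (DOMAIN), the output path (OUT) and the host names passed on the command line are assumptions for the demonstration.

```sh
#!/bin/sh
# Added example, not code from the original post: collect the host keys of a
# list of internal machines with ssh-keyscan and install them as the
# system-wide /etc/ssh/ssh_known_hosts. Each host is recorded under both its
# short and fully-qualified name, because ssh matches the name exactly as the
# user typed it. DOMAIN, OUT and the host names are assumptions for the demo.
set -eu

DOMAIN=${DOMAIN:-example.com}            # assumed LAN DNS domain
OUT=${OUT:-/etc/ssh/ssh_known_hosts}     # default GlobalKnownHostsFile

# Comma-separated alias list for one host, e.g. "web1,web1.example.com".
# An already-qualified name is used as given. ssh-keyscan writes this list
# verbatim as the first field of its output line, which is what ssh matches.
name_list() {
    case "$1" in
        *.*) printf '%s\n' "$1" ;;
        *)   printf '%s,%s.%s\n' "$1" "$1" "$DOMAIN" ;;
    esac
}

# Scan every host named on the command line and replace $OUT in one step.
# "$h $names" is ssh-keyscan's "addrlist namelist" form: connect to $h,
# label the collected keys with every name in $names.
scan_hosts() {
    new=$(mktemp "$OUT.XXXXXX")
    for h in "$@"; do
        names=$(name_list "$h")
        keys=$(ssh-keyscan -t ed25519,rsa "$h $names" 2>/dev/null || true)
        if [ -z "$keys" ]; then
            echo "warning: no host key collected for $h" >&2
        else
            printf '%s\n' "$keys" >>"$new"
        fi
    done
    chmod 644 "$new"
    mv "$new" "$OUT"      # rename is atomic; readers never see a partial file
}

if [ $# -gt 0 ]; then
    scan_hosts "$@"
else
    echo "usage: $0 host [host ...]" >&2
fi
```

Run it as root, e.g. `./collect-host-keys web1 db1 mail`, then confirm with `ssh -v web1` that the key is found in /etc/ssh/ssh_known_hosts and no prompt appears. Be clear about what this does and does not prove: ssh-keyscan records whatever key the network hands back, so it only shifts the trust-on-first-use decision from every user to the administrator. Run it from a trusted network segment and compare at least a sample of the collected fingerprints against `ssh-keygen -l -f /etc/ssh/ssh_host_ed25519_key.pub` on the machines' consoles before installing the file. To cover connections by IP address, add the address to the alias list as well.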
If you're using a recent version of OpenSSH the client can also check the presented key against SSHFP records published in DNS (the VerifyHostKeyDNS option in ssh_config). This is only an option if you control the DNS zone for your hosts, and note the limitation: with VerifyHostKeyDNS set to yes, ssh skips the prompt only when the matching record came back DNSSEC-validated; an unsigned answer is treated as if the option were 'ask', so the client reports the match but still asks you to confirm.
In that case you've not been told that the key is valid and trusted, only that it matches what the DNS server-admin published. By contrast, when DNS holds no matching record you get no such reassurance and are left with the ordinary prompt.
Adding the records to DNS in the first place is a little outside the scope of this introduction/question, but `ssh-keygen -r hostname -f /etc/ssh/ssh_host_ed25519_key.pub` prints the SSHFP records for a host key, and software such as sshfp can do the job across many hosts.
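To make the DNS check concrete, here is an added example (not from the original post or from the sshfp tool) that derives the SSHFP records for a host key by hand, producing the same values `ssh-keygen -r` prints, and then checks a presented key against a record the way VerifyHostKeyDNS does. The key blob is a constructed demonstration value, not a real host key, and the script assumes GNU coreutils (base64 -d, sha1sum, sha256sum).

```sh
#!/bin/sh
# Added example, not from the original post: derive the SSHFP resource records
# for a host key by hand (the values "ssh-keygen -r" prints) and check a
# presented key against a record the way VerifyHostKeyDNS does.
# Assumes GNU coreutils (base64 -d, sha1sum, sha256sum).
set -eu

# SSHFP algorithm numbers for the key types OpenSSH uses (RFC 4255/6594/7479).
sshfp_alg() {
    case "$1" in
        ssh-rsa)            echo 1 ;;
        ssh-dss)            echo 2 ;;
        ecdsa-sha2-nistp*)  echo 3 ;;
        ssh-ed25519)        echo 4 ;;
        *) echo "unsupported key type: $1" >&2; return 1 ;;
    esac
}

# Hex digest of the raw (base64-decoded) public key blob.
# $1 = base64 blob, $2 = sha1sum or sha256sum. The fingerprint covers the
# whole blob, type prefix included, not just the curve point or modulus.
blob_digest() {
    printf '%s' "$1" | base64 -d | "$2" | cut -d' ' -f1
}

# Emit both SSHFP records (fingerprint type 1 = SHA-1, 2 = SHA-256) for one
# "host keytype base64" line as written by ssh-keyscan or found in known_hosts.
sshfp_records() {
    host=$1 type=$2 b64=$3
    alg=$(sshfp_alg "$type")
    printf '%s IN SSHFP %s 1 %s\n' "$host" "$alg" "$(blob_digest "$b64" sha1sum)"
    printf '%s IN SSHFP %s 2 %s\n' "$host" "$alg" "$(blob_digest "$b64" sha256sum)"
}

# Return 0 when the key a server presented matches a published SSHFP record.
# $1 = record RDATA "alg fptype hex" (hex in either case), $2 = keytype,
# $3 = base64 blob. A wrong algorithm number or fingerprint type never matches.
sshfp_matches() {
    set -- "$2" "$3" $1          # -> keytype blob alg fptype hex
    [ "$(sshfp_alg "$1")" = "$3" ] || return 1
    case "$4" in
        1) sum=sha1sum ;;
        2) sum=sha256sum ;;
        *) return 1 ;;
    esac
    [ "$(blob_digest "$2" "$sum")" = "$(printf '%s' "$5" | tr 'A-F' 'a-f')" ]
}

# Constructed sample: a syntactically valid ssh-ed25519 blob (type string,
# then a 32-byte key whose bytes are 0x01..0x20). Demonstration value only.
SAMPLE_HOST=web1.example.com
SAMPLE_TYPE=ssh-ed25519
SAMPLE_BLOB=AAAAC3NzaC1lZDI1NTE5AAAAIAECAwQFBgcICQoLDA0ODxAREhMUFRYXGBkaGxwdHh8g

sshfp_records "$SAMPLE_HOST" "$SAMPLE_TYPE" "$SAMPLE_BLOB"
```

Feed a real line from ssh-keyscan to `sshfp_records` and paste the two records into the zone (publish both fingerprint types, since older clients only look up SHA-1). The `sshfp_matches` check is the whole of what the DNS lookup buys you: it proves the key equals what the zone owner published, nothing more, so the zone must be DNSSEC-signed for the client to treat that as trust rather than as a hint.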
Now that the simple introduction is out of the way here come the questions:
- How do you manage your SSH fingerprints?
- Blindly assume that all users will type yes and ignore it?
- Centralised lists?
- DNS records?
- Something else?