Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Secure-Shell
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: Host keys after cloning

from [Leif Ericksen] Network Security [Permanent Link]
Subject: Re: Host keys after cloning
Date: Fri, 27 Aug 2004 08:58:08 -0500
In a word yes that is insecure having all hosts with an identical key. You do not know who is who so to speak. See the man of ssh-keygen

This cut and paste...

Normally each user wishing to use SSH with RSA or DSA authentication
runs this once to create the authentication key in $HOME/.ssh/identity,
$HOME/.ssh/id_dsa or $HOME/.ssh/id_rsa.  Additionally, the system
admin-istrator may use this to generate host keys, as seen in /etc/rc.

Normally this program generates the key and asks for a file in
which to store the private key. The public key is stored in a file with the same name but ``.pub'' appended. The program also asks for a
passphrase. The passphrase may be empty to indicate no passphrase (host keys must have an empty passphrase), or it may be a string of arbitrary length. A passphrase is similar to a password, except it can be a phrase with a series of words, punctuation, numbers, whitespace, or any string of characters you want. Good passphrases are 10-30 characters long, are not simple sentences or otherwise easily guessable (English prose has only 1-2 bits of entropy per character, and provides very bad
passphrases), and contain a mix of upper and lowercase letters, numbers, and non-alphanumeric characters. The passphrase can be changed later by
using the -p option.

See also this Linux /etc/init.d/sshd startup script snip:

do_rsa1_keygen() {
                echo -n $"Generating SSH1 RSA host key: "
                        success $"RSA1 key generation"
                        failure $"RSA1 key generation"
do_rsa_keygen() {
                echo -n $"Generating SSH2 RSA host key: "
                        success $"RSA key generation"
                        failure $"RSA key generation"
do_dsa_keygen() {
                echo -n $"Generating SSH2 DSA host key: "
                        success $"DSA key generation"
                        failure $"DSA key generation"
                failure $"Configuration file or keys are invalid"
        # Create keys if necessary
        do_rsa1_keygen
        do_rsa_keygen
        do_dsa_keygen


Do as you wish, they aer your servers. I want mine to each have their own key. I am sure there can be arguments for why you would want the same key on multiple servers.


--Leif

Ugo Bellavance wrote: 
Hi,

I just cloned a server to save install time, but now I realize that the ssh host key is the same for every server. That makes sense since I cloned them, but I was wondering if that was insecure, and how to regenerate them.

Thanks,

Ugo



[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: Host keys after cloning, Greg Wooledge
Next by Date:  Need help with an ssh connection, joseph . eoff
Previous by Thread:  Re: Host keys after cloning, Greg Wooledge
Next by Thread:  Re: Host keys after cloning, Marius Huse Jacobsen
Indexes:  [Date] [Thread] [Top] [All Lists]