How to change a SSH host key?

Solution 1:

Or, remove keys and

ssh-keygen -A

Explanation:

-A: For each of the key types (rsa1, rsa, dsa, ecdsa and ed25519) for which host keys do not exist, generate the host keys with the default key file path, an empty passphrase, default bits for the key type, and default comment. This is used by /etc/rc to generate new host keys.

Solution 2:

Follow these steps to regenerate OpenSSH Host Keys

  1. Delete old ssh host keys: rm /etc/ssh/ssh_host_*
  2. Reconfigure OpenSSH Server: dpkg-reconfigure openssh-server
  3. Update all ssh client(s) ~/.ssh/known_hosts files

Solution 3:

For a generic method of doing this:

ssh-keygen -q -N "" -t dsa -f /etc/ssh/ssh_host_dsa_key

ssh-keygen -q -N "" -t rsa -b 4096 -f /etc/ssh/ssh_host_rsa_key

ssh-keygen -q -N "" -t ecdsa -f /etc/ssh/ssh_host_ecdsa_key

ssh-keygen -q -N "" -t ed25519 -f /etc/ssh/ssh_host_ed25519_key

Mix and match according to the keys your version of OpenSSH supports. Current implementations commonly generate only rsa, ecdsa & ed25519.

Do note that the -b argument can be used in (most) cases to specify key size.

You should pick a key-size appropriate for the intended lifetime of the key and the amount of time you find acceptable to open a connection as the impact will be more pronounced on slower hardware. For example, using the default RSA key size (2048 at the time of writing) is absolutely fine (again, as of the time of writing) if you're rolling the key over periodically.
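The manual commands above, wrapped into a script as an added example (not code from the answer itself): it moves the old keys aside instead of deleting them so a rollback is possible, regenerates the rsa, ecdsa and ed25519 keys, fixes permissions, and prints the new SHA256 fingerprints so they can be handed to clients out of band before their known_hosts entries are replaced. The directory argument is an assumption added so the functions can be exercised against a scratch directory; on a real host, sshd still has to be restarted afterwards to pick up the new keys.

```shell
#!/bin/sh
# Regenerate OpenSSH host keys in a directory (default /etc/ssh).
# Old keys are moved to a timestamped backup directory rather than removed.
# Usage: regen_host_keys [keydir]
regen_host_keys() {
    keydir="${1:-/etc/ssh}"
    backup="$keydir/host_keys.bak.$(date +%Y%m%d%H%M%S)"
    mkdir -p "$backup"
    # Move any existing private/public host key aside (glob may not match).
    for old in "$keydir"/ssh_host_*_key "$keydir"/ssh_host_*_key.pub; do
        if [ -e "$old" ]; then
            mv "$old" "$backup"/
        fi
    done
    # Only the types current OpenSSH enables by default; dsa is left out.
    ssh-keygen -q -N "" -t rsa -b 4096 -f "$keydir/ssh_host_rsa_key"
    ssh-keygen -q -N "" -t ecdsa -f "$keydir/ssh_host_ecdsa_key"
    ssh-keygen -q -N "" -t ed25519 -f "$keydir/ssh_host_ed25519_key"
    # Private host keys must not be readable by anyone but root.
    chmod 600 "$keydir"/ssh_host_*_key
    chmod 644 "$keydir"/ssh_host_*_key.pub
}

# Print the SHA256 fingerprint of every host public key in the directory,
# one per line; this is what clients should compare against on first connect.
host_key_fingerprints() {
    keydir="${1:-/etc/ssh}"
    for pub in "$keydir"/ssh_host_*_key.pub; do
        ssh-keygen -l -E sha256 -f "$pub"
    done
}
```

Clients then drop the stale entry with `ssh-keygen -R <hostname>` and accept the new key only after its fingerprint matches the one printed here.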


Solution 4:

If you are using RHEL, CentOS or Fedora, then you can simply delete them and restart the SSHd service. They will be regenerated.