How to roll over ssh host keys?

The Host Key rotation is supported since OpenSSH 6.8 (both client and server add support in this version).

So the process should work like this:

  • Generate and add new keys with the option HostKey newkey (after the existing ones) to the /etc/ssh/sshd_config
  • Restart sshd
  • The clients have to set up UpdateHostKeys yes in their configuration (either globally, or per-host)
  • The connecting clients will pick up all the new keys
  • After some time (months?) you can remove the old keys from the sshd_config and restart sshd
  • The clients (that connected during the transition period) will already have the new keys (the old will not be removed, which is the only problem here) and they will not show the MitM attack warning.

The new-enough clients will be able to pick up the new keys. This feature is not enabled by default, probably because it is quite new and soon showed some security considerations. But these days, it should be fine to use it.
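The staged rotation described above, as an added example that is not part of the original answer: a POSIX shell script that appends the new `HostKey` line after the existing ones, removes an old key once the transition period is over, and turns on `UpdateHostKeys yes` for all hosts in a client config. All file paths are assumptions; the functions take the config path as an argument so the edits can be tried on a scratch copy before touching `/etc/ssh/sshd_config`.

```shell
#!/bin/sh
# Added example (not from the original post): staging a new sshd host key the way the
# answer describes. All paths are assumptions; the functions take them as arguments so
# they can be exercised on a scratch copy of the config first.
set -e

# Insert "HostKey NEWKEY" directly after the last existing HostKey line, so the keys
# clients already trust stay listed first. Does nothing if the line is already present.
add_hostkey() {
    config="$1"; newkey="$2"
    if grep -qxF "HostKey $newkey" "$config"; then
        return 0
    fi
    if grep -q '^HostKey ' "$config"; then
        awk -v key="$newkey" '
            /^HostKey / { last = NR }
            { line[NR] = $0 }
            END {
                for (i = 1; i <= NR; i++) {
                    print line[i]
                    if (i == last) print "HostKey " key
                }
            }' "$config" > "$config.tmp"
    else
        { cat "$config"; echo "HostKey $newkey"; } > "$config.tmp"
    fi
    mv "$config.tmp" "$config"
}

# Drop an old HostKey line once the transition period is over.
remove_hostkey() {
    config="$1"; oldkey="$2"
    grep -vxF "HostKey $oldkey" "$config" > "$config.tmp" || true
    mv "$config.tmp" "$config"
}

# Print the configured host key paths in the order sshd will offer them.
list_hostkeys() {
    awk '/^HostKey / { print $2 }' "$1"
}

# Client side: make UpdateHostKeys yes apply to every host in a client config.
# Appends a "Host *" block if the option is not already set anywhere in the file.
client_enable_update_hostkeys() {
    clientconfig="$1"
    if grep -qi '^[[:space:]]*UpdateHostKeys[[:space:]]' "$clientconfig" 2>/dev/null; then
        return 0
    fi
    printf '\nHost *\n    UpdateHostKeys yes\n' >> "$clientconfig"
}

# Full server-side step: generate the key if missing, stage it, and check the config
# with "sshd -t" before restarting, so a typo cannot lock remote users out.
rotate_hostkey() {
    config="$1"; newkey="$2"
    if [ ! -f "$newkey" ]; then
        ssh-keygen -q -t ed25519 -N '' -f "$newkey"
    fi
    add_hostkey "$config" "$newkey"
    sshd -t -f "$config"
    echo "staged $newkey in $config; restart sshd to start offering it"
}

# usage: sh rotate.sh /etc/ssh/sshd_config /etc/ssh/ssh_host_ed25519_key
if [ "$#" -eq 2 ]; then
    rotate_hostkey "$1" "$2"
fi
```

Run `rotate_hostkey` first with the old keys still listed, restart sshd, and only call `remove_hostkey` for the old key after the transition period; `list_hostkeys` shows the order in which sshd will present the keys, which is why the new key is appended after the existing entries rather than prepended.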
