I am trying to recreate the ssh-server host keys.
I have at least two ways to do this:
- With dpkg-reconfigure:
    dpkg-reconfigure openssh-server
  This works fine, but I cannot specify the key length that way. I want, for example, 4096 bits for the RSA key.
- Manually with ssh-keygen:
    sudo ssh-keygen -f /etc/ssh/ssh_host_rsa_key -N 'myverylongpasswordhere' -b 4096 -t rsa
This recreates the keys, but after restarting the server I receive the following error message:
    could not load host key: /etc/ssh/ssh_host_rsa_key
So I checked what is in the sshd_config file:
    HostKey /etc/ssh/ssh_host_rsa_key
It matches perfectly. So I checked the owner and permissions of all my keys:
    -rw------- 1 root root 3326 Mar 24 08:57 ssh_host_rsa_key
When I remove all keys and recreate them with
    dpkg-reconfigure openssh-server
the keys are smaller and have the same permissions as above.
Question: How can I use dpkg-reconfigure with a key length of 4096 for RSA?
Best Answer
You created the host key with a password. Is there any customization to unlock that host key? If not, then I think this is what is to be expected: the script that manages the service starts up, tries to load the host key, and fails. As far as I know you shouldn't create host keys protected with passwords.
If you are interested in hardening your SSH server, then I recommend reading https://stribika.github.io/2015/01/04/secure-secure-shell.html. The command used to create the host key in that document is:
But you should read the entire document before making any changes.
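The following is an added example (not code from the question, the answer, or the linked document) that demonstrates the answer's point: a host key sshd can load must have no passphrase. It generates an RSA-4096 key with an empty passphrase in a scratch directory, checks the reported key size and file mode, and confirms the key opens with no interactive prompt, then generates a passphrase-protected key the same way and shows that the non-interactive load fails, which is what sshd runs into at startup. The directory names, the comment string and the passphrase are made up for the demo; it only needs ssh-keygen and prints "skip" if that is not installed.

```sh
#!/bin/sh
# Added example (not from the original question or answer): regenerate an
# RSA-4096 host key in a scratch directory WITHOUT a passphrase and verify
# the two things the thread is about: the key really is 4096 bits, and it can
# be read with no interactive prompt, which is what sshd needs at startup.
# A passphrase-protected key is generated alongside it and shown to fail that
# non-interactive load. Paths, comment and passphrase are demo values.
set -eu

# gen_host_key PATH BITS PASSPHRASE: create PATH and PATH.pub quietly.
gen_host_key() {
    rm -f "$1" "$1.pub"
    ssh-keygen -q -t rsa -b "$2" -N "$3" -C "demo host key" -f "$1" </dev/null
}

# key_loads_noninteractive PATH: prints "yes" if the private key can be
# opened with an empty passphrase and no prompt (sshd's situation), else "no".
# -y re-derives the public key from the private one; -P supplies the passphrase.
key_loads_noninteractive() {
    if ssh-keygen -y -P '' -f "$1" </dev/null >/dev/null 2>&1; then
        echo yes
    else
        echo no
    fi
}

# key_bits PATH: modulus size as reported by the fingerprint listing.
key_bits() {
    ssh-keygen -l -f "$1.pub" | awk '{ print $1 }'
}

# key_is_private_perm PATH: prints "yes" if the private key file is mode 0600,
# the same permissions the question shows on the dpkg-reconfigure keys.
key_is_private_perm() {
    if [ -n "$(find "$1" -perm 600)" ]; then echo yes; else echo no; fi
}

# demo: prints "ok" when the unencrypted key is 4096 bits, mode 0600 and loads
# non-interactively while the passphrase-protected key does not; prints a short
# failure tag otherwise, or "skip" when ssh-keygen is not installed.
demo() {
    command -v ssh-keygen >/dev/null 2>&1 || { echo skip; return 0; }
    dir=$(mktemp -d)
    gen_host_key "$dir/ssh_host_rsa_key" 4096 ''
    gen_host_key "$dir/ssh_host_rsa_key_encrypted" 4096 'myverylongpasswordhere'

    result=ok
    [ "$(key_bits "$dir/ssh_host_rsa_key")" = 4096 ] || result=bad-bits
    [ "$(key_is_private_perm "$dir/ssh_host_rsa_key")" = yes ] || result=bad-perm
    [ "$(key_loads_noninteractive "$dir/ssh_host_rsa_key")" = yes ] || result=plain-key-failed
    [ "$(key_loads_noninteractive "$dir/ssh_host_rsa_key_encrypted")" = no ] || result=encrypted-key-loaded

    rm -rf "$dir"
    echo "$result"
}

demo
```

On a real server you would run the same ssh-keygen invocation as root against /etc/ssh/ssh_host_rsa_key (the one in the question, with -N '' instead of a passphrase), then run `sshd -t` to confirm the daemon can load every HostKey listed in sshd_config before restarting it.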