I am trying to recreate the ssh-server host keys.
I have at least two ways to do this:
With dpkg-reconfigure
dpkg-reconfigure openssh-serverThis works fine, but I cannot give the key length then. I want for example 4096 for the RSA key.
Manually with ssh-keygen
sudo ssh-keygen -f /etc/ssh/ssh_host_rsa_key -N 'myverylongpasswordhere' -b 4096 -t rsaThis recreates me the keys, but after restarting the server, I receive the following error message:
could not load host key: /etc/ssh/ssh_host_rsa_keyso I checked the sshd_config file whats in there:
HostKey /etc/ssh/ssh_host_rsa_keymatches perfectly. So, I checked the owner and rights to all my keys
-rw------- 1 root root 3326 Mär 24 08:57 ssh_host_rsa_keyWhen I remove all keys and recreate them with
dpkg-reconfigure openssh-server, the keys are smaller and having the same file-rights like above.
Question: How can I use dpkg-reconfigure with keylengh 4096 for RSA?
3 Answers
None of the answers above worked for me. I fixed my ubuntu system by doing the following:
/usr/bin/ssh-keygen -Asudo ssh-keygen -f /etc/ssh/ssh_host_rsa_key -N 'myverylongpasswordhere' -b 4096 -t rsarecreates me the keys. but, after restarting the server, i recieve
could not load host key: /etc/ssh/ssh_host_rsa_key
You create a hostkey with a password. Is there any customization to unlock that hostkey? If not, then I think that is what is to be expected: the script that manages the service starts up, tries to load the hostkey, and fails. As far as I know you shouldn't create hostkeys protected with passwords.
If you are interested in hardening your SSH server then I recommend reading the command used to create the hostkey in that document is:
ssh-keygen -t rsa -b 4096 -f ssh_host_rsa_keyBut you should read the entire document before making any changes.
1Simply run:
ssh-keygen -t rsa -b 4096ssh-keygen generates an SSH key.
-tspecifies the type of key to create-bspecifies the number of bits in the key.
See this page for more information.
2
