====== Avoid Duplicate SSH Host Keys ======

It was recently discovered that a cloud hosting company mistakenly added SSH Host Keys to their image. Best practices state that these host keys should be unique for each host. If host keys **//are//** reused, there is no way to prevent someone else or a different system with the same key from impersonating the host and potentially performing a Man-In-The-Middle attack.

I also like to regenerate the host keys whenever I use a template or have to provide "root" or "sudo" access to support personnel. It also might be a good idea to regenerate the host keys every couple of years.

This is the procedure that I use to do this:

  # Remove the existing host keys (private keys and their .pub halves)
  sudo /bin/rm /etc/ssh/ssh_host_*
  # Generate new host keys with an empty passphrase (-N ""), one per key type.
  # Recent OpenSSH releases have dropped DSA, so the dsa command can fail there.
  sudo ssh-keygen -t dsa -N "" -f /etc/ssh/ssh_host_dsa_key
  sudo ssh-keygen -t rsa -N "" -f /etc/ssh/ssh_host_rsa_key
  sudo ssh-keygen -t ecdsa -N "" -v -b 521 -f /etc/ssh/ssh_host_ecdsa_key
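
A fleet-wide check for the reuse problem described above, as an added example that is not part of the original page: it reads ''ssh-keyscan''-style lines and lists every public host key that more than one host presents. The function names, host names and key blobs are hypothetical, constructed placeholders.

```shell
#!/bin/sh
# Added example: report SSH host public keys that appear on more than one host.
# Input: ssh-keyscan style lines, "host keytype base64-key", from files or stdin.
# Output: one line per shared key, "keytype host1,host2,...".
# Exit status: 1 if any key is shared between hosts, 0 if all keys are unique.
find_shared_host_keys() {
    awk '
        /^[ \t]*(#|$)/ { next }            # skip comments and blank lines
        NF < 3         { next }            # skip malformed lines
        {
            key = $2 " " $3                # key type + public key blob
            if (seen[$1, key]++) next      # same host scanned twice: ignore
            if (key in hosts) {
                hosts[key] = hosts[key] "," $1
                shared[key] = 1
            } else {
                hosts[key] = $1
                order[++n] = key           # remember first-seen order
            }
        }
        END {
            for (i = 1; i <= n; i++) {
                key = order[i]
                if (key in shared) {
                    split(key, part, " ")
                    print part[1], hosts[key]
                    found = 1
                }
            }
            exit (found ? 1 : 0)
        }
    ' "$@"
}

# Constructed sample data (hypothetical hosts, placeholder key blobs).
# web1 and web2 were cloned from the same image and share an ed25519 key.
sample_scan() {
    cat <<'EOF'
# constructed ssh-keyscan output
web1.example.test ssh-ed25519 AAAAconstructedKeyBlobA
web2.example.test ssh-ed25519 AAAAconstructedKeyBlobA
db1.example.test ssh-ed25519 AAAAconstructedKeyBlobB
web1.example.test ssh-rsa AAAAconstructedKeyBlobC
EOF
}

sample_scan | find_shared_host_keys || echo "duplicate host keys found" >&2
```

On real systems, pipe the output of ''ssh-keyscan'' for the hosts you manage into the function; every line it prints names hosts that need their keys regenerated with the procedure above.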