月下博客

Regenerating the server-side SSH host keys

Several VPS instances were created from the same image, so the software and configuration inside them are identical. The convenient part is that a single SSH key logs into all of them; the insecure part is that the SSH servers also share one host key, so if one VPS has an incident the others can easily go down with it. To be safe, the server host keys should be regenerated.

Open /etc/ssh/sshd_config and search for "host"; the following settings are present:

# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key

SSH protocol 1 is essentially obsolete; what matters are the RSA and DSA keys configured for protocol 2. First back them up with mv: mkdir sshbak && mv /etc/ssh/ssh_host* sshbak. Then restart the SSH server: service sshd restart. The output is:

Stopping sshd:                                   [  OK  ]
Generating SSH2 RSA host key:                    [  OK  ]
Generating SSH1 RSA host key:                    [  OK  ]
Generating SSH2 DSA host key:                    [  OK  ]
Starting sshd:                                   [  OK  ]

This shows that on CentOS 6 the SSH server's startup script checks whether the host keys exist and regenerates them if they do not.

On CentOS 7 the DSA key should be disabled; for the remaining settings, the recommendations at [cipherlist] are a good reference:

Protocol 2
HostKey /etc/ssh/ssh_host_ed25519_key
HostKey /etc/ssh/ssh_host_rsa_key
KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com

The configuration above works on CentOS 7. On CentOS 6 the OpenSSH version is too old (this configuration needs OpenSSH 6.6+; check the version with ssh -V), and sshd will fail to start with it.

Ubuntu/Debian users can refer to: http://serverfault.com/questions/471327/how-to-change-a-ssh-host-key
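The backup, regenerate and verify steps above, collected into one script as an added example (not from the original post). It assumes OpenSSH 6.5+ for ed25519 support, so it fits the CentOS 7 configuration rather than CentOS 6, and it generates only the ed25519 and RSA keys that the hardened config lists, leaving DSA out; the final fingerprint listing is what you compare across the cloned VPSes to confirm the shared key is gone.

```shell
#!/bin/sh
# Back up and regenerate the SSH host keys of a VPS cloned from a shared image,
# then print the new fingerprints so they can be compared across hosts.
# Assumes OpenSSH 6.5+ (ed25519); on CentOS 6 restarting sshd regenerates
# keys instead. Run as root: sh regen-hostkeys.sh --run
set -eu

# Move every existing host key (private and .pub) out of SSH_DIR into a
# timestamped backup directory. Prints the backup directory path.
backup_host_keys() {
    ssh_dir=$1
    bak_dir="$ssh_dir/hostkey-backup-$(date +%Y%m%d%H%M%S)"
    mkdir -p "$bak_dir"
    for f in "$ssh_dir"/ssh_host_*; do
        [ -e "$f" ] || continue        # glob matched nothing: no keys present
        mv "$f" "$bak_dir/"
    done
    printf '%s\n' "$bak_dir"
}

# Generate fresh ed25519 and 4096-bit RSA host keys in SSH_DIR with an empty
# passphrase (sshd must read them unattended). DSA is intentionally omitted.
regenerate_host_keys() {
    ssh_dir=$1
    command -v ssh-keygen >/dev/null 2>&1 || { echo "ssh-keygen not found" >&2; return 1; }
    ssh-keygen -q -t ed25519 -N '' -f "$ssh_dir/ssh_host_ed25519_key"
    ssh-keygen -q -t rsa -b 4096 -N '' -f "$ssh_dir/ssh_host_rsa_key"
    chmod 600 "$ssh_dir"/ssh_host_*_key
}

# Print the fingerprint of every public host key in SSH_DIR. Run this on each
# clone: identical fingerprints on two hosts mean a key is still shared.
host_key_fingerprints() {
    for pub in "$1"/ssh_host_*_key.pub; do
        [ -e "$pub" ] || continue
        ssh-keygen -lf "$pub"
    done
}

main() {
    ssh_dir=${1:-/etc/ssh}
    bak=$(backup_host_keys "$ssh_dir")
    echo "old host keys moved to $bak"
    regenerate_host_keys "$ssh_dir"
    # Check the config against the new keys before restarting, so a bad
    # HostKey path cannot lock you out; then: service sshd restart
    sshd -t -f "$ssh_dir/sshd_config"
    host_key_fingerprints "$ssh_dir"
}

if [ "${1:-}" = "--run" ]; then main /etc/ssh; fi
```

Clients that already trust the old key will see a host key changed warning on the next connection; distribute the new fingerprints out of band before restarting.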

References

  1. http://serverfault.com/questions/471327/how-to-change-a-ssh-host-key
  2. http://www.kaijia.me/2015/09/regenerate-ssh-host-key-server-side/
  3. https://cipherli.st/
  4. https://security.stackexchange.com/questions/5096/rsa-vs-dsa-for-ssh-authentication-keys