Broken RSA Keys (part 2: fixing ssh keys)

As mentioned in the previous post, keys are being generated with insufficient entropy. This is particularly a problem for ssh host keys, which are generated on first boot, when the kernel's entropy pool has probably not been seeded yet.

If you are generating ssh keys with ssh-keygen on a Red Hat derivative, you can address the problem with SSH_USE_STRONG_RNG, as shown below. Red Hat's OpenSSH patch makes ssh-keygen read that many bytes from /dev/random before generating the key; unpatched OpenSSH silently ignores the variable. Note that the value is in bytes, so 32 equals 256 bits. Also note that sudo resets the environment by default, so exporting the variable in your shell does not pass it to a command run under sudo; set it on the sudo command line (via env) instead.

To generate good SSH host keys (assuming a Red Hat derivative Linux):

sudo mkdir /etc/ssh/oldkeys
sudo mv /etc/ssh/*_key* /etc/ssh/oldkeys

sudo env SSH_USE_STRONG_RNG=32 ssh-keygen -q -C "" -N "" -t dsa -f /etc/ssh/ssh_host_dsa_key
sudo env SSH_USE_STRONG_RNG=32 ssh-keygen -q -C "" -N "" -t rsa -f /etc/ssh/ssh_host_rsa_key
sudo env SSH_USE_STRONG_RNG=32 ssh-keygen -q -C "" -N "" -t rsa1 -f /etc/ssh/ssh_host_key

sudo chmod 600 /etc/ssh/*_key
sudo chmod 644 /etc/ssh/*_key.pub
sudo chown root:root /etc/ssh/*key*

sudo service sshd restart

The rsa1 key is only needed if you still allow SSH protocol 1 in sshd_config; skip that line otherwise (current OpenSSH releases no longer support protocol 1 or rsa1 keys at all). DSA host keys are fixed at 1024 bits, so the rsa key is the one that matters.

Clients that already have the old host key in their known_hosts will get a host key changed warning after the restart. Distribute the new fingerprints (ssh-keygen -l -f /etc/ssh/ssh_host_rsa_key.pub) through a channel you trust rather than telling users to accept the warning.
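The steps above gathered into a script, as an added example that is not part of the original post: it refuses to generate keys while the kernel's entropy estimate is low, backs up the old keys into a timestamped directory, passes SSH_USE_STRONG_RNG through sudo via env so it actually reaches ssh-keygen, fixes permissions, and prints the new fingerprints to hand out. The directory, key type list, entropy threshold, sudo prefix and the --run flag are assumptions made for this example, and the SSH_USE_STRONG_RNG behaviour it relies on is the Red Hat patch described above (other OpenSSH builds ignore the variable).

```shell
#!/bin/sh
# Added example (not from the original post): regenerate OpenSSH host keys
# with a strong seed, guarding against the low-entropy first-boot problem.
# Assumes a Red Hat-family OpenSSH whose ssh-keygen honours SSH_USE_STRONG_RNG
# (read that many bytes from /dev/random before generating); other builds
# ignore the variable, so there the keys are only as good as the normal PRNG.
# The settings below are assumptions for this example; override them from the
# environment (e.g. SUDO="" when already root, KEY_TYPES="rsa dsa rsa1").

SSH_DIR="${SSH_DIR:-/etc/ssh}"               # where host keys live
SUDO="${SUDO:-sudo}"                         # command prefix for privileged steps
KEY_TYPES="${KEY_TYPES:-rsa dsa}"            # add rsa1 only for protocol 1 hosts
STRONG_RNG_BYTES="${STRONG_RNG_BYTES:-32}"   # 32 bytes = 256 bits, as in the post
MIN_ENTROPY_BITS="${MIN_ENTROPY_BITS:-256}"  # refuse to generate below this estimate

# entropy_ok AVAIL MIN: succeed when the kernel's estimate AVAIL is at least MIN bits.
entropy_ok() {
    [ "$1" -ge "$2" ]
}

# Kernel entropy estimate (Linux). Prints 0 if unavailable so the check fails closed.
kernel_entropy_avail() {
    cat /proc/sys/kernel/random/entropy_avail 2>/dev/null || echo 0
}

# host_key_path DIR TYPE: file name the post uses for each type (rsa1 is ssh_host_key).
host_key_path() {
    if [ "$2" = rsa1 ]; then echo "$1/ssh_host_key"; else echo "$1/ssh_host_${2}_key"; fi
}

# backup_old_keys DIR: move existing host keys to a timestamped directory; prints its path.
backup_old_keys() {
    backup="$1/oldkeys-$(date +%Y%m%d%H%M%S)"
    $SUDO mkdir -p "$backup"
    for f in "$1"/ssh_host_*key "$1"/ssh_host_*key.pub; do
        [ -e "$f" ] && $SUDO mv "$f" "$backup/"
    done
    echo "$backup"
}

# generate_host_keys DIR: one key per type in KEY_TYPES. The variable is set through
# env on the sudo command line because sudo's env_reset drops an exported variable.
generate_host_keys() {
    for t in $KEY_TYPES; do
        $SUDO env SSH_USE_STRONG_RNG="$STRONG_RNG_BYTES" \
            ssh-keygen -q -C "" -N "" -t "$t" -f "$(host_key_path "$1" "$t")"
    done
}

# fix_permissions DIR: private keys 0600, public keys 0644, owned by root where possible.
fix_permissions() {
    for t in $KEY_TYPES; do
        k=$(host_key_path "$1" "$t")
        $SUDO chmod 600 "$k"
        $SUDO chmod 644 "$k.pub"
        # chown needs root; skip it when running unprivileged (e.g. a dry run in a temp dir)
        if [ -n "$SUDO" ] || [ "$(id -u)" -eq 0 ]; then
            $SUDO chown root:root "$k" "$k.pub"
        fi
    done
}

# print_fingerprints DIR: fingerprints to distribute; clients with the old key in
# known_hosts will warn about a changed host key after sshd restarts.
print_fingerprints() {
    for t in $KEY_TYPES; do
        ssh-keygen -l -f "$(host_key_path "$1" "$t").pub"
    done
}

main() {
    avail=$(kernel_entropy_avail)
    if ! entropy_ok "$avail" "$MIN_ENTROPY_BITS"; then
        echo "entropy_avail is $avail bits, below $MIN_ENTROPY_BITS; not generating keys" >&2
        echo "(seed the pool first, e.g. with rngd, or wait for it to fill)" >&2
        return 1
    fi
    echo "old keys moved to $(backup_old_keys "$SSH_DIR")"
    generate_host_keys "$SSH_DIR"
    fix_permissions "$SSH_DIR"
    print_fingerprints "$SSH_DIR"
    $SUDO service sshd restart
}

# Only run the whole procedure when explicitly asked, so the functions can be sourced.
if [ "${1:-}" = "--run" ]; then
    main
fi
```

Run it on the host as sh regen-host-keys.sh --run (the file name is made up for this example). The entropy_avail check is only a heuristic on the kernel's own estimate, but it is the one signal that distinguishes a freshly booted box from one that has been running long enough to collect entropy, which is exactly the case the post is about.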

Please also see:
Broken RSA Keys (part1: the problem)
and
Broken RSA Keys (part 3: openssl)
