How to generate host based ssh private keys if you accidentally delete them

There are situations where you, or a program you run, accidentally delete the SSH host keys kept in /etc/ssh. /etc/ssh is the directory that holds the host's private and public keys; the algorithms used to generate them are RSA, DSA, ECDSA, Ed25519 and SHA1 (RSA deprecated).


Know the Public Keys and Private Keys

The public and private keys will look something like this in the directory /etc/ssh:

Private Key Filenames

ssh_host_ecdsa_key 
ssh_host_dsa_key 
ssh_host_ed25519_key 
ssh_host_rsa_key

Public Key Names

ssh_host_dsa_key.pub
ssh_host_ecdsa_key.pub
ssh_host_ed25519_key.pub
ssh_host_rsa_key.pub

So if you have accidentally deleted the private keys, there is no need to worry: you can regenerate them immediately.

First remove the public keys, as they are useless once the matching private keys no longer exist.

root@localhost:/etc/ssh# ls -l
total 604
-rw-r--r-- 1 root root 577325 Jan  9  2020 moduli
-rw-r--r-- 1 root root   1565 Jan  9  2020 ssh_config
-rw-r--r-- 1 root root   3235 Sep  5 06:32 sshd_config
-rw------- 1 root root   1381 Sep  5 07:09 ssh_host_dsa_key
-rw-r--r-- 1 root root    603 Sep  5 07:09 ssh_host_dsa_key.pub
-rw------- 1 root root    505 Sep  5 07:09 ssh_host_ecdsa_key
-rw-r--r-- 1 root root    175 Sep  5 07:09 ssh_host_ecdsa_key.pub
-rw------- 1 root root    399 Sep  5 07:09 ssh_host_ed25519_key
-rw-r--r-- 1 root root     95 Sep  5 07:09 ssh_host_ed25519_key.pub
-rw------- 1 root root   2602 Sep  5 07:09 ssh_host_rsa_key
-rw-r--r-- 1 root root    567 Sep  5 07:09 ssh_host_rsa_key.pub
root@localhost:/etc/ssh#
root@localhost:/etc/ssh# rm -rf *key
root@localhost:/etc/ssh# rm -rf *pub
root@localhost:/etc/ssh# ls -l
total 572
-rw-r--r-- 1 root root 577325 Jan  9  2020 moduli
-rw-r--r-- 1 root root   1565 Jan  9  2020 ssh_config
-rw-r--r-- 1 root root   3235 Sep  5 06:32 sshd_config
root@localhost:/etc/ssh#

Generate the new keys


root@localhost:/etc/ssh# /usr/bin/ssh-keygen -A
ssh-keygen: generating new host keys: RSA DSA ECDSA ED25519
root@localhost:/etc/ssh#

Alternatively, generate an individual key for each host key algorithm


DSA
root@localhost:/etc/ssh# /usr/bin/ssh-keygen -t dsa -f /etc/ssh/ssh_host_dsa_key -N ""
Generating public/private dsa key pair.
Your identification has been saved in /etc/ssh/ssh_host_dsa_key.
Your public key has been saved in /etc/ssh/ssh_host_dsa_key.pub.

RSA
root@localhost:/etc/ssh# /usr/bin/ssh-keygen -t rsa -f /etc/ssh/ssh_host_rsa_key -N ""
Generating public/private rsa key pair.
Your identification has been saved in /etc/ssh/ssh_host_rsa_key.
Your public key has been saved in /etc/ssh/ssh_host_rsa_key.pub.

ECDSA
root@localhost:/etc/ssh# /usr/bin/ssh-keygen -t ecdsa -f /etc/ssh/ssh_host_ecdsa_key -N ""
Generating public/private ecdsa key pair.
Your identification has been saved in /etc/ssh/ssh_host_ecdsa_key.
Your public key has been saved in /etc/ssh/ssh_host_ecdsa_key.pub.

ED25519
root@localhost:~# /usr/bin/ssh-keygen -t ed25519 -f /etc/ssh/ssh_host_ed25519_key -N ""
Generating public/private ed25519 key pair.
Your identification has been saved in /etc/ssh/ssh_host_ed25519_key.
Your public key has been saved in /etc/ssh/ssh_host_ed25519_key.pub.
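The shell function below is an added example, not code from the original post. It wraps the regeneration steps above so they can be rerun safely on a host: it removes only .pub files whose private half is gone (instead of "rm -rf *key *pub"), generates only the key types that are missing, sets the permissions sshd expects, and prints every key's fingerprint so the values can be recorded before clients see the "host key has changed" warning. The key directory and the type list are parameters; their defaults are assumptions. DSA is left out of the default list because current OpenSSH releases refuse to generate DSA keys; pass it explicitly on an older build.

```sh
#!/bin/sh
# Added example, not part of the original post.
# regen_host_keys [KEYDIR] [TYPES]
#   KEYDIR: where the host keys live (assumed default: /etc/ssh)
#   TYPES : space-separated key types to ensure (assumed default below;
#           "dsa" is omitted because current OpenSSH releases refuse to
#           generate DSA keys; add it explicitly on an older build)
# Exit status: 0 on success, 1 if ssh-keygen failed, 2 if it is not installed.
regen_host_keys() {
    keydir="${1:-/etc/ssh}"
    types="${2:-rsa ecdsa ed25519}"

    command -v ssh-keygen >/dev/null 2>&1 || {
        echo "ssh-keygen not found" >&2
        return 2
    }

    # 1. A .pub file whose private half is gone is useless (the post removes
    #    them too), so drop only those orphans and keep any .pub that still
    #    has its private key.
    for pub in "$keydir"/ssh_host_*_key.pub; do
        [ -e "$pub" ] || continue
        priv="${pub%.pub}"
        if [ ! -f "$priv" ]; then
            echo "removing orphaned public key $pub" >&2
            rm -f -- "$pub"
        fi
    done

    # 2. Generate each missing key with an empty passphrase (sshd must be
    #    able to read it unattended). Keys that still exist are not touched,
    #    so running this twice never rotates a key by accident.
    for t in $types; do
        priv="$keydir/ssh_host_${t}_key"
        if [ -f "$priv" ]; then
            echo "keeping existing $priv" >&2
            continue
        fi
        ssh-keygen -q -t "$t" -N "" -f "$priv" || return 1
        chmod 600 "$priv"
        chmod 644 "$priv.pub"
    done

    # 3. Print every key's fingerprint. Record these and hand them to the
    #    people who connect: it is what lets them confirm that the "host key
    #    has changed" warning they will see comes from this regeneration.
    for pub in "$keydir"/ssh_host_*_key.pub; do
        [ -e "$pub" ] || continue
        ssh-keygen -lf "$pub"
    done
}
```

Source the file and call `regen_host_keys` on the server (it defaults to /etc/ssh), or try it first in a scratch directory with `regen_host_keys /tmp/keytest ed25519`. sshd reads its host keys when it starts, so restart the service afterwards so that the new keys are actually served.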
 

Copying the Public Key

Once the private and public keys are generated, copy the new public key to your SSH client machine. Where it has to go depends on the client machine type:

On Windows the SSH client stores the server's public keys in C:/User/<username>/.ssh/known_hosts
On Linux and Unix the SSH client stores them in /home/<username>/.ssh/known_hosts

SSH or PuTTY will then do its job.

There is another option instead of copying the public key: if you are aware that it was you who changed the SSH server keys, remove the C:/User/<username>/.ssh/known_hosts or /home/<username>/.ssh/known_hosts file and start using SSH as usual.

In the case of PuTTY, when you log in to the SSH server it will display a warning message about a potential security breach because the public key does not match the existing key. We can ignore this message and continue with the SSH service.

