Ubuntu / Debian Linux Regenerate OpenSSH Host Keys

June 15, 2008 · 7 comments · LAST UPDATED April 11, 2014

How do I regenerate the OpenSSH sshd server host keys stored in /etc/ssh/ssh_host_* files? Can I safely regenerate the ssh host keys over a remote ssh session without interrupting my existing ssh connections on Debian or Ubuntu Linux?

Tutorial details
Difficulty: Intermediate
Root privileges: Yes
Requirements: None
Estimated completion time: 2m

To regenerate the keys, delete the old files and reconfigure openssh-server. It is safe to run the following commands over a remote ssh session; your existing session shouldn't be interrupted.

Step # 1: Delete old ssh host keys

Log in as root and type the following command to delete the old host key files on your SSHD server:
# /bin/rm -v /etc/ssh/ssh_host_*

Step # 2: Reconfigure OpenSSH Server

To create a new set of keys on your SSHD server, enter:
# dpkg-reconfigure openssh-server
Sample output:

Creating SSH2 RSA key; this may take some time ...
Creating SSH2 DSA key; this may take some time ...
Restarting OpenBSD Secure Shell server: sshd.

Step # 3: Update all ssh client(s) known_hosts files

Finally, update the ~/.ssh/known_hosts files on the client computers (not on the server); otherwise everyone will see an error message that reads as follows:

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the RSA host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
f6:67:01:41:e6:20:06:4b:4b:fa:4b:c1:f1:45:45:e0.
Please contact your system administrator.
Add correct host key in /home/vivek/.ssh/known_hosts to get rid of this message.
Offending key in /home/vivek/.ssh/known_hosts:12
RSA host key for 202.54.xx.abc has changed and you have requested strict checking.
Host key verification failed.

Either remove the old host key entry with the following command, or update the file using the vi text editor:
$ ssh-keygen -R remote-server-name-here
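
Removing the stale entry only silences the warning; the new key should still be compared with a fingerprint obtained from the server itself before it is trusted again. The shell functions below are an added example, not part of the original article: the function names are hypothetical, and server.example.com and $FP (the fingerprint the administrator published) are placeholders.

```sh
#!/bin/sh
# Added example: verify a regenerated host key before trusting it again.

# Print the MD5 fingerprint (aa:bb:... form, as in the warning above) of one
# public key line: "keytype blob [comment]" or "host keytype blob".
key_fp_md5() {
    blob=$(printf '%s\n' "$1" | awk '{
        for (i = 1; i < NF; i++)
            if ($i ~ /^(ssh-rsa|ssh-dss|ssh-ed25519|ecdsa-sha2-nistp[0-9]+)$/) {
                print $(i + 1); exit
            }
    }')
    [ -n "$blob" ] || return 1
    printf '%s' "$blob" | base64 -d | md5sum | awk '{ print $1 }' |
        sed 's/../&:/g; s/:$//'
}

# Server side, after step 2: list the fingerprints of the new keys so they
# can be given to users over a trusted channel.
server_fingerprints() {
    dir=${1:-/etc/ssh}
    for f in "$dir"/ssh_host_*_key.pub; do
        [ -f "$f" ] || continue
        printf '%s  %s\n' "$(key_fp_md5 "$(cat "$f")")" "$f"
    done
}

# Client side, step 3: append the key line ($1) to known_hosts ($3) only if
# its fingerprint equals the one published by the administrator ($2).
accept_if_match() {
    line=$1 expected=$2 kh=${3:-$HOME/.ssh/known_hosts}
    actual=$(key_fp_md5 "$line") || return 2
    if [ "$actual" != "$expected" ]; then
        echo "fingerprint mismatch: got $actual, expected $expected" >&2
        return 1
    fi
    printf '%s\n' "$line" >> "$kh"
}

# Typical client use (server.example.com is a placeholder host name):
#   ssh-keygen -R server.example.com
#   accept_if_match "$(ssh-keyscan -t rsa server.example.com 2>/dev/null)" "$FP"
```

Newer OpenSSH releases print SHA256 fingerprints by default; `ssh-keygen -l -E md5 -f /etc/ssh/ssh_host_rsa_key.pub` prints the MD5 form that these functions compute.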

{ 7 comments… read them below or add one }

1 gkforcare October 14, 2008 at 10:04 am

Just what I needed! Thanks.

2 Dave February 14, 2009 at 9:57 pm

Very helpful. Excellent article. Thanks.

3 RobM March 2, 2009 at 12:04 pm

Just what I was looking for, thanks!

4 qas September 20, 2009 at 1:01 pm

Very helpful thanks a lot!

5 Oliver B November 19, 2011 at 4:17 am

Great post, thanks a lot!!!!!!

6 Very helpful September 4, 2012 at 10:08 pm

thx very helpful post

7 Victor Porton April 10, 2014 at 9:29 pm

At first I tried to update ~/.ssh/known_hosts on the server and this did not work.

Only later did I realize that ~/.ssh/known_hosts is on my local Linux PC.

Please edit your post to make clear which files are on the server and which on the Linux PC.
