How To: Ubuntu / Debian Linux Regenerate OpenSSH Host Keys

How do I regenerate OpenSSH sshd server host keys stored in /etc/ssh/ssh_host_* files? Can I safely regenerate ssh host keys using remote ssh session as my existing ssh connections shouldn’t be interrupted on Debian or Ubuntu Linux? How do I regenerate new ssh server keys? How to regenerate new host keys on a Debian or Ubuntu Linux?

Tutorial details
Difficulty level Intermediate
Root privileges Yes
Requirements None
Est. reading time 2m
[/donotprint]To regenerate keys you need to delete old files and reconfigure openssh-server. It is also safe to run following commands over remote ssh based session. Your existing session shouldn’t be interrupted.
How To: Ubuntu / Debian Linux Regenerate OpenSSH Host Keys

How to regenerate new ssh server keys

Why regenerate new ssh server keys?

Most Linux and Unix distribution create ssh keys for you during the installation of the OpenSSH server package. But it may be useful to be able re-generate new server keys from time to time. For example, when you duplicate VM (KVM or container) which contains an installed ssh package and you need to use different keys from cloned KVM VM guest/machine.

Steps to regenerate OpenSSH host keys on Linux

Let us see all steps

Step 1 – Delete old ssh host keys

Login as the root and type the following command to delete files on your SSHD server:
# /bin/rm -v /etc/ssh/ssh_host_*
Sample outputs:

removed '/etc/ssh/ssh_host_dsa_key'
removed '/etc/ssh/'
removed '/etc/ssh/ssh_host_ecdsa_key'
removed '/etc/ssh/'
removed '/etc/ssh/ssh_host_ed25519_key'
removed '/etc/ssh/'
removed '/etc/ssh/ssh_host_rsa_key'
removed '/etc/ssh/'

Step 2 – Debian or Ubuntu Linux Regenerate OpenSSH Host Keys

Now create a new set of keys on your SSHD server, enter:
# dpkg-reconfigure openssh-server
Sample output:

Creating SSH2 RSA key; this may take some time ...
2048 SHA256:BLUkgjGdbcFX9wCsfOoIG4gtkdSeex4K/xcnsRo0qEA root@ubuntu-box1-clone (RSA)
Creating SSH2 DSA key; this may take some time ...
1024 SHA256:Ug9fJa14YMR9Fud/7bXTokffK/hM/sBVse10nSR/6Y8 root@ubuntu-box1-clone (DSA)
Creating SSH2 ECDSA key; this may take some time ...
256 SHA256:Rh6izWEXkCV6HZLIpzlGQje178vhDgb77ItaZgpDsIQ root@ubuntu-box1-clone (ECDSA)
Creating SSH2 ED25519 key; this may take some time ...
256 SHA256:UD4b7njwxWp1Q3wYf2R//udgPRzfGaeZ/6kE3VgZM+s root@ubuntu-box1-clone (ED25519)

You just regenerated new ssh server keys. You need to restart ssh server:
$ sudo systemctl restart ssh
$ /etc/init.d/ssh restart

Step 3 – Update all ssh client(s) known_hosts files

Finally, you need to update ~/.ssh/known_hosts files on client computers, otherwise everyone will see an error message that read as follows:

Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the RSA host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
Please contact your system administrator.
Add correct host key in /home/vivek/.ssh/known_hosts to get rid of this message.
Offending key in /home/vivek/.ssh/known_hosts:12
RSA host key for has changed and you have requested strict checking.
Host key verification failed.

Either remove host fingerprint or update the file using vi text editor (command must be typed on client machine):
$ ssh-keygen -R remote-server-name-here
Now login using the ssh command:
$ ssh


You just regenerated OpenSSH Host Keys on a Debian or Ubuntu Linux using the dpkg-reconfigure command. For more info see the man page or this wiki page here:
$ man dpkg-reconfigure
$ man sshd

🐧 Get the latest tutorials on Linux, Open Source & DevOps via RSS feed or Weekly email newsletter.

🐧 11 comments so far... add one

CategoryList of Unix and Linux commands
Disk space analyzersncdu pydf
File Managementcat
FirewallAlpine Awall CentOS 8 OpenSUSE RHEL 8 Ubuntu 16.04 Ubuntu 18.04 Ubuntu 20.04
Network UtilitiesNetHogs dig host ip nmap
OpenVPNCentOS 7 CentOS 8 Debian 10 Debian 8/9 Ubuntu 18.04 Ubuntu 20.04
Package Managerapk apt
Processes Managementbg chroot cron disown fg jobs killall kill pidof pstree pwdx time
Searchinggrep whereis which
User Informationgroups id lastcomm last lid/libuser-lid logname members users whoami who w
WireGuard VPNAlpine CentOS 8 Debian 10 Firewall Ubuntu 20.04
11 comments… add one
  • gkforcare Oct 14, 2008 @ 10:04

    Just what I needed! Thanks.

  • Dave Feb 14, 2009 @ 21:57

    Very helpful. Excellent article. Thanks.

  • RobM Mar 2, 2009 @ 12:04

    Just what I was looking for, thanks!

  • qas Sep 20, 2009 @ 13:01

    Very helpful thanks a lot!

  • Oliver B Nov 19, 2011 @ 4:17

    Great post, thanks a lot!!!!!!

  • Very helpful Sep 4, 2012 @ 22:08

    thx very helpful post

  • Victor Porton Apr 10, 2014 @ 21:29

    At first I tried to update ~/.ssh/known_hosts on the server and this not worked.

    Only later I realized that ~/.ssh/known_hosts is on my local Linux PC.

    Please edit your post to make clear which files are on the server and which on the Linux PC.

  • Clyde Oct 19, 2015 @ 9:42

    Still very useful after all these years. Thanks.

  • Luca Feb 15, 2017 @ 16:20

    Great article, right to the point, tested in Debian 8.7 and works like a charm

  • Shekar Feb 17, 2017 @ 8:53

    Can you share any links on how ssh works end to end, thanks

  • Thomas Sep 26, 2020 @ 7:02


    thanks for this article. I have one question. Why do you use dpkg-reconfigure openssh-server and not ssh-keygen -A?



Leave a Reply

Your email address will not be published.

Use HTML <pre>...</pre> for code samples. Still have questions? Post it on our forum