Skip to main content
Welcome guest. | Register | Login | Post

Updating RSA keys and known_hosts (in the wake of the recent Debian vulnerability)

4 replies [Last post]
libervisco's picture
Joined: 2006-05-04

My first word of this was from Gustavo, and I later read more about it on computerworld. Apparently, all SSL and SSH keys generated between September 17th 2006 and May 13th 2008 are due to a bug discovered on May 13 vulnerable to brute force attacks.

My server, which I call "libernode", but is actually the main server of Libervis Network (and soon to host both and runs Debian and the latest update fixed the hole and forced regeneration of all keys (at least I think so, but I'll have to check again with the supplied ssh-vulnkey. Luckily we only have few SSH users, most of which are Nuxified members. Smiling

I wanted to send an email notification about this, just in case anyone wants to connect, but couldn't (faced with the "remote host identification has changed" warning), however I'm not sure what to recommend as a way to update the .ssh/known_hosts file. I personally don't mind just deleting it and then answering "yes" again to SSH prompts, but there might be a better way to recommend to others.. I looked around a bit, but couldn't find it.. they just usually say to update it..

And manually editing the file is scary.. it only contains long strings of numbers and letters so it's not easy to know which key is for what server.


Gustavo's picture
Joined: 2006-09-11
Hi, Danijel!Here's the

Hi, Danijel!

Here's the summary:

On your Debian server:

# upgrade
sudo aptitude update
sudo aptitude dist-upgrade

# check the fingerprint of the new key:
ssh-keygen -l -f /etc/ssh/ssh_host_rsa_key

# restart
sudo shutdown -r now

Now remove your server's previous pub key (which is the doubt you had):

# on your computer...
ssh-keygen -R

On your computer:

# upgrade your computer:
sudo aptitude update
sudo aptitude upgrade

# create  a new RSA key; store it at, say, /home/you/.ssh/safe_id_rsa
ssh-keygen -t rsa

# updating your public key on your server (replace by your IP or host name)
scp .ssh/

# backup previous keys:
cd ~/.ssh
mv id_rsa id_rsa.old

# using the newly created, safe keys:
mv safe_id_rsa id_rsa

Now, try accessing your server again. You will get two warnings, which should be accepted if and only if the fingerprint matches the one in the output of 'ssh-keygen -l -f /etc/ssh/ssh_host_rsa_key'.


libervisco's picture
Joined: 2006-05-04
Thanks Gustavo. It does

Thanks Gustavo. It does help, although my original intention wasn't to change the way I authenticate to my server, but rather to just see if there's a better way for other SSH users to remove the old server key from their known_hosts file now that the updated changed them.

So the command to do that is ssh-keygen -R and I just need to tell them to replace with or whatever other hostname they saved the given IP as. I suppose even a full IP address would work here? Some might be accessing it with an IP directly, through "" or by an alias (like I use at home: @libernod where libernod is in /etc/hosts mapped to my server IP).

I did go through your steps anyway so I have password-less login.

Though I still wonder why is that any more secure, to be honest? I mean, generally, now anyone with access to my computer while it is on can just pop into my server with no question. I think even if someone was to in some odd circumstances hack into my desktop home user he could now also gain access to my server as well, right? Isn't it better to have a password in my head instead of a key on my computer, as being required to access? I guess both is best, but somehow, when choosing between the two, unless I'm missing something, password seems better.

But I'm obviously not an expert on this. Smiling

Thank you

Joined: 2006-03-28
The server-key is stored

The server-key is stored together with either the hostname or the IP. Thus it is possible to just delete the corresponding line from ~/.ssh/known_hosts.
I've done that a few times without any problems.

libervisco's picture
Joined: 2006-05-04
I see. Well I sent the

I see.