[Discuss] The RSA Keying links
Edward Ned Harvey
blu at nedharvey.com
Thu Feb 16 10:58:19 EST 2012
As soon as anyone knows the answer to this question, please let us know:
Clearly, sometime after installing your OS, after the OS has gained entropy,
you should generate new server ssh keys. (And re-generate any SSL/TLS keys
that you may have previously created using openssl without sufficient
entropy.) The question is, how do you know when your server has gained some
entropy?
Assuming your machine has been on a long time, it should have gained entropy
from hard drive seek times and ethernet behavior by now. Be aware of the
difference between /dev/random and /dev/urandom. Generate yourselves some
ssh keys:
sudo mkdir /etc/ssh/oldkeys
sudo mv /etc/ssh/*_key* /etc/ssh/oldkeys
sudo ssh-keygen -q -C "" -N "" -t dsa -f /etc/ssh/ssh_host_dsa_key
sudo ssh-keygen -q -C "" -N "" -t rsa -f /etc/ssh/ssh_host_rsa_key
sudo ssh-keygen -q -C "" -N "" -t rsa1 -f /etc/ssh/ssh_host_key
sudo chmod 600 /etc/ssh/*_key
sudo chmod 644 /etc/ssh/*_key.pub
sudo chown root:root /etc/ssh/*key*
sudo service sshd restart
More information about the Discuss
mailing list