SSH Communications Security


Generating the Host Key

Host keys are generated during the installation of SSH Secure Shell. You only need to regenerate them if you want to change your host key, or if your host key was not generated during the installation.

To generate the host key, perform the following tasks:

  1. Log in as root.
  2. Kill the sshd2 daemon listening to port 22 (the pid file name is passed to kill through command substitution, so use backticks, not single quotes):
    kill `cat /var/run/sshd2_22.pid`
    
    If the directory /var/run does not exist, sshd2_22.pid is in directory /etc/ssh2/.
  3. Generate the host key with the following command:
    ssh-keygen2 -P /etc/ssh2/hostkey
    
    Note: This will generate a DSA 2048-bit host key pair (without a passphrase). For more information on the key generation options, see the ssh-keygen2 man page.
  4. Restart sshd2:
     /usr/local/sbin/sshd2 
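The four steps above as one script, an added example that is not part of the SSH Secure Shell manual. It assumes the paths the page names (sshd2_22.pid in /var/run with /etc/ssh2 as the fallback, /etc/ssh2/hostkey, /usr/local/sbin/sshd2), keeps a dated copy of the old key pair, checks that the pid file holds a plain number before passing it to kill, and ends by printing the fingerprint that the note below tells you to send to your users.

```shell
#!/bin/sh
# Added example, not from the SSH Secure Shell manual. Assumed paths follow
# the page: sshd2_22.pid in /var/run (or /etc/ssh2), /etc/ssh2/hostkey,
# /usr/local/sbin/sshd2. Must be run as root to have any effect.

SSHD2_BIN="${SSHD2_BIN:-/usr/local/sbin/sshd2}"
HOSTKEY="${HOSTKEY:-/etc/ssh2/hostkey}"

# Print the path of the first sshd2_22.pid found in the given directories
# (/var/run first, then /etc/ssh2, as the page describes); fail if none.
find_pidfile() {
    for dir in "$@"; do
        if [ -f "$dir/sshd2_22.pid" ]; then
            printf '%s\n' "$dir/sshd2_22.pid"
            return 0
        fi
    done
    return 1
}

# Print the pid stored in a pid file, rejecting anything that is not a plain
# number so a corrupt or tampered file cannot be fed to kill.
read_pid() {
    pid=$(tr -d '[:space:]' < "$1")
    case "$pid" in
        ''|*[!0-9]*) return 1 ;;
    esac
    printf '%s\n' "$pid"
}

# Steps 1-4 of the page: stop sshd2, generate the key, restart, then print
# the fingerprint to hand to users over an unalterable channel.
rotate_hostkey() {
    pidfile=$(find_pidfile /var/run /etc/ssh2) || { echo "no sshd2_22.pid found" >&2; return 1; }
    pid=$(read_pid "$pidfile") || { echo "unusable pid in $pidfile" >&2; return 1; }
    kill "$pid" || return 1
    n=0  # wait (bounded) for the old daemon to exit before restarting
    while kill -0 "$pid" 2>/dev/null && [ "$n" -lt 10 ]; do sleep 1; n=$((n + 1)); done
    # Keep the old pair so the previous fingerprint can still be compared.
    stamp=$(date +%Y%m%d%H%M%S)
    [ -f "$HOSTKEY" ] && mv "$HOSTKEY" "$HOSTKEY.$stamp"
    [ -f "$HOSTKEY.pub" ] && mv "$HOSTKEY.pub" "$HOSTKEY.pub.$stamp"
    ssh-keygen2 -P "$HOSTKEY" || return 1
    "$SSHD2_BIN" || return 1
    ssh-keygen2 -F "$HOSTKEY.pub"
}

# Only act when explicitly asked, so sourcing the file for its functions is safe.
case "${1:-}" in --run) rotate_hostkey ;; esac
```

Run it as `sh rotate-hostkey.sh --run` as root; without `--run` it only defines the functions.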
    

Note: Administrators who have other users connecting to their sshd2 daemon should notify those users of the host-key change. If you do not, the users will receive a warning the next time they connect, because the host key they have saved on disk for your server does not match the host key now being provided by your sshd2 daemon. The users may not know how to respond to this error. You can run the following command to generate a fingerprint for your new public host key, which you can then provide to your users via some unalterable method (such as digitally signed email):

ssh-keygen2 -F hostkey.pub

When the users connect and receive the error message about the host key having changed, they can compare the fingerprint of the new key with the fingerprint you have provided in your email, and ensure that they are connecting to the correct sshd2 daemon. Inform your users to notify you if the fingerprints do not match, or if they receive a message about a host-key change and do not receive a corresponding message from you notifying them of the change.

This procedure can help ensure that you do not become a victim of a man-in-the-middle attack, as your users will notify you if the host-key fingerprints do not match. You will also be aware if the users encounter host-key change messages when you have not regenerated your host key pair.

It is also possible to send the public host key itself to the users via an unalterable method. The users can save the key to the ~/.ssh2/hostkeys directory as key_22_machinename.pub. In this case, a manual fingerprint check is not needed.




Copyright © 2003 SSH Communications Security Corp.
All rights reserved.