Change from weak ssh host key to strong one

solaris_1977 · June 20, 2019, 3:33am

Hi,

I got instructions from Security audit team for Solaris-10 server. They mentioned - "The sshd configuration on the host supported weak host keys and allowed password authentication on Solaris server. Enable stronger keys (2048 or 4096 bit)".

I am not clear enough, what they mean by weak ssh host keys. If it is keys under .ssh directories of all home directories, I browsed and found that only two users have id_dsa.pub and id_dsa under their .ssh directory. Do I need to change something on this ?

Please suggest.

Thanks

Neo · June 20, 2019, 3:50am

You need to generate ssh key pairs which are longer in length.

Modern computers can "break" the crypto based on brute force (millions of attempts of various keys, for example.)

The longer the length of the key, the larger the key domain and hence the stronger the crypto.

You are being advised to generate new keys which are stronger cryptographically because the key lengths will be longer.

solaris_1977 · June 20, 2019, 3:56am

Both users (non-root) used to run "ssh-keygen -t dsa" to generate their keys for passwordless login to another node.
Do I need to ask them to delete their keys and create new one with "ssh-keygen -b 2048 -t rsa" or "ssh-keygen -b 4096 -t rsa" and share new keys to target server ?
Please correct me, if I am missing something.

Neo · June 20, 2019, 5:25am

Yes, when you replace keys you need to repeat the same process as when you first installed them.

Normally, you do not need to delete the old keys, as the system will take care of it.

I did this recently (between my MacPro and Linux servers) and simply generated new keys and then installed per the normal install process and all worked out fine.

On Solaris, I am guessing the process is similar, but I don't have any Solaris boxes to play with, sorry.

solaris_1977 · June 21, 2019, 1:11am

Thanks Neo

Neo · June 21, 2019, 1:30am

Welcome!

My pleasure to help you, even if just a little bit.

rbatte1 · July 8, 2019, 5:35am

Just came across this. One thing to be aware of is that all clients will object when you next try to connect them. They will alert on there being a possible man-in-the-middle attack or a DNS attack that is trying to send you to a different host (as determined by the keys) so you would need to get each client to forget the server keys for the machine(s) you are replacing the keys on and re-validate them all, or manually replace the old key with the new on all the clients.

You need to consider all the names that the clients could refer to the server as, be that IP, local hosts, DNS short name, fully qualified DNS name, DNS alias etc. and look for those in ~/.ssh/known_hosts

You will need to do this for every account on every client, so it is not a thing to be done lightly, especially if there are multiple automated jobs that connect with SSH, SCP, SFTP etc. that you need to ensure are not disrupted.

Sorry if I've made you panic, but better that than a massive failure.

I hope that this helps,
Robin

solaris_1977 · July 8, 2019, 12:18pm

Hi Robin. Yes, it is bit more work and will deal with it. Thanks