I got instructions from Security audit team for Solaris-10 server. They mentioned - "The sshd configuration on the host supported weak host keys and allowed password authentication on Solaris server. Enable stronger keys (2048 or 4096 bit)".
I am not clear enough, what they mean by weak ssh host keys. If it is keys under .ssh directories of all home directories, I browsed and found that only two users have id_dsa.pub and id_dsa under their .ssh directory. Do I need to change something on this ?
Both users (non-root) used to run "ssh-keygen -t dsa" to generate their keys for passwordless login to another node.
Do I need to ask them to delete their keys and create new one with "ssh-keygen -b 2048 -t rsa" or "ssh-keygen -b 4096 -t rsa" and share new keys to target server ?
Please correct me, if I am missing something.
Yes, when you replace keys you need to repeat the same process as when you first installed them.
Normally, you do not need to delete the old keys, as the system will take care of it.
I did this recently (between my MacPro and Linux servers) and simply generated new keys and then installed per the normal install process and all worked out fine.
On Solaris, I am guessing the process is similar, but I don't have any Solaris boxes to play with, sorry.
Just came across this. One thing to be aware of is that all clients will object when you next try to connect them. They will alert on there being a possible man-in-the-middle attack or a DNS attack that is trying to send you to a different host (as determined by the keys) so you would need to get each client to forget the server keys for the machine(s) you are replacing the keys on and re-validate them all, or manually replace the old key with the new on all the clients.
You need to consider all the names that the clients could refer to the server as, be that IP, local hosts, DNS short name, fully qualified DNS name, DNS alias etc. and look for those in ~/.ssh/known_hosts
You will need to do this for every account on every client, so it is not a thing to be done lightly, especially if there are multiple automated jobs that connect with SSH, SCP, SFTP etc. that you need to ensure are not disrupted.
Sorry if I've made you panic, but better that than a massive failure.