12-07-2019, 02:56 PM
One other thing that probably should be done, is re-create the host SSH keys. SSH host keys should be unique per host. From what I can tell, the default Debian comes with host SSH keys already created from July 11, 2019;
Plus, remove the in-secure DSA host key.
Here is how to do it.
As user "root", simply run the following commands. If you like, you can put the hostname in the comment, like "MyHost rsa hostkey".
Note that you will be asked for a passphrase. Per SSH manual page, host keys must have an empty passphrase. Simply hit return when prompted, (twice per key).
Code:
# ls -l ssh_host_*
-rw------- 1 root root 668 Jul 11 16:55 ssh_host_dsa_key
-rw-r--r-- 1 root root 609 Jul 11 16:55 ssh_host_dsa_key.pub
-rw------- 1 root root 227 Jul 11 16:55 ssh_host_ecdsa_key
-rw-r--r-- 1 root root 181 Jul 11 16:55 ssh_host_ecdsa_key.pub
-rw------- 1 root root 411 Jul 11 16:55 ssh_host_ed25519_key
-rw-r--r-- 1 root root 101 Jul 11 16:55 ssh_host_ed25519_key.pub
-rw------- 1 root root 1675 Jul 11 16:55 ssh_host_rsa_key
-rw-r--r-- 1 root root 401 Jul 11 16:55 ssh_host_rsa_key.pubHere is how to do it.
As user "root", simply run the following commands. If you like, you can put the hostname in the comment, like "MyHost rsa hostkey".
Code:
cd /etc/ssh
rm ssh_host_*
ssh-keygen -t 4096 -t rsa -C "rsa hostkey" -f ./ssh_host_rsa_key
ssh-keygen -t 521 -t ecdsa -C "ecdsa hostkey" -f ./ssh_host_ecdsa_key
ssh-keygen -t ed25519 -C "ed25519 hostkey" -f ./ssh_host_ed25519_key
--
Arwen Evenstar
Princess of Rivendale
Arwen Evenstar
Princess of Rivendale