Artificial truth


The more you see, the less you believe.

How to rotate OpenSSH keys
Fri 24 March 2023

In light of GitHub hastily replacing its RSA SSH host key, I wondered how one could rotate SSH host keys properly, without having to manage a PKI, and without showing users the scary @ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @ banner.

Fortunately, host-key rotation was added in OpenSSH 6.8 (March 2015, eight years ago), and was documented in two blog posts by djm. It's pretty straightforward: generate a new key with ssh-keygen, add it to /etc/ssh/sshd_config with an additional HostKey directive while keeping the existing one, and reload sshd. After authentication, the server sends clients the full list of its host keys (the hostkeys@openssh.com extension), so a client that already trusts the old key learns the new one over a connection it has verified. Once clients have had time to do so, the old HostKey line can be dropped.

Because UpdateHostKeys has been enabled by default client-side since OpenSSH 8.5 (provided UserKnownHostsFile is left at its default and VerifyHostKeyDNS is not enabled), clients will automatically add the new key to, and later remove the old key from, their UserKnownHostsFile. To mark the old key as revoked on the client, add its public key to a file such as /etc/ssh/ssh_revoked_hosts (one public key per line, or a KRL generated with ssh-keygen -k) and add RevokedHostKeys /etc/ssh/ssh_revoked_hosts to ~/.ssh/config or /etc/ssh/ssh_config. Mind that if the file named by RevokedHostKeys is missing or unreadable, ssh refuses host authentication for every host. One should also remove the old key from ~/.ssh/known_hosts, although this happens automatically once the key is removed from the server's /etc/ssh/sshd_config, upon the client's next connection.

There is currently no in-protocol way for a server to tell clients that a certain key is revoked: the only revocation mechanism is the client-side RevokedHostKeys list, which each user has to maintain. All the server can do is stop presenting the key, which makes UpdateHostKeys-enabled clients forget it for this particular host, not globally. But this doesn't really matter, since anyone later presenting the old key for that host will still trigger the host-key-changed warning, as the client's known_hosts entry now only lists the new key.

Don't forget to update your SSHFP DNS records as well; ssh-keygen -r prints them for a given host key.
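The whole procedure, server side and client side, as an added example: this is my own script, not code from the original post or from OpenSSH. The file paths, the hostname host.example and the Debian-style service name ssh are assumptions; the helpers edit an sshd_config file and a RevokedHostKeys list, so they can be dry-run on a scratch copy before touching /etc/ssh, and the live command sequence is kept in rotate_server so that nothing happens unless you ask for it.

```sh
#!/bin/sh
# Added example, not code from the original post: SSH host-key rotation as
# shell helpers that edit an sshd_config file, plus the live command sequence.
# Config/key paths, the hostname and the service name "ssh" are assumptions.
set -eu

# Number of HostKey directives in a config (0 when there are none).
count_hostkeys() {
  grep -c '^HostKey ' "$1" || true
}

# Phase 1: publish a new key by adding a HostKey line next to the existing
# one(s). The old key must stay configured, otherwise clients never get to
# learn the new key through a connection they already trust.
add_hostkey() {  # add_hostkey <sshd_config> <private key path>
  config=$1 key=$2
  grep -qxF "HostKey $key" "$config" 2>/dev/null ||
    printf 'HostKey %s\n' "$key" >> "$config"
}

# Phase 2: retire the old key once clients have had time to pick up the new
# one. Refuses to leave sshd without any HostKey at all.
remove_hostkey() {  # remove_hostkey <sshd_config> <private key path>
  config=$1 key=$2
  if [ "$(count_hostkeys "$config")" -le 1 ]; then
    echo "refusing to remove the only HostKey in $config" >&2
    return 1
  fi
  grep -vxF "HostKey $key" "$config" > "$config.tmp" && mv "$config.tmp" "$config"
}

# Client side: append a public key to a RevokedHostKeys list (one public key
# per line; a KRL made with ssh-keygen -k would also work). Remember that ssh
# refuses all hosts when the file named by RevokedHostKeys is missing.
revoke_hostkey() {  # revoke_hostkey <revoked list> <public key file>
  revoked=$1 pub=$2
  grep -qxF "$(cat "$pub")" "$revoked" 2>/dev/null || cat "$pub" >> "$revoked"
}

# Live phase 1 on the server (as root; needs ssh-keygen and a reloadable sshd).
rotate_server() {  # rotate_server <sshd_config> <new private key path> <hostname>
  config=$1 new=$2 host=$3
  ssh-keygen -q -t ed25519 -N '' -f "$new"   # 1. generate the replacement key
  add_hostkey "$config" "$new"               # 2. advertise it alongside the old one
  sshd -t -f "$config"                       # 3. syntax-check before reloading
  systemctl reload ssh                       # 4. reload; service name varies
  ssh-keygen -r "$host" -f "$new.pub"        # 5. SSHFP records to publish in DNS
}

# Usage:  sh rotate.sh dry-run                                  (scratch config)
#         sh rotate.sh rotate /etc/ssh/sshd_config /etc/ssh/ssh_host_ed25519_key host.example
case "${1:-}" in
  dry-run)
    tmp=$(mktemp -d)
    printf 'HostKey /etc/ssh/ssh_host_rsa_key\n' > "$tmp/sshd_config"  # constructed sample
    add_hostkey "$tmp/sshd_config" /etc/ssh/ssh_host_ed25519_key
    remove_hostkey "$tmp/sshd_config" /etc/ssh/ssh_host_rsa_key
    cat "$tmp/sshd_config"                   # only the ed25519 HostKey line remains
    rm -rf "$tmp" ;;
  rotate) rotate_server "$2" "$3" "$4" ;;
esac
```

Run phase 1 (rotate_server) first, wait until your clients have reconnected at least once, then run remove_hostkey on the old key and reload again; doing both in one go is exactly what produces the warning the post is trying to avoid, because clients never see the new key over a trusted connection.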