Fixing empty SSH keys


If you put the ssh_host* keys into your negative transcript (and you should), make sure they are stored as empty files on the server, or you may end up with lots of machines sharing the same host keys. On the other hand, you then run the risk of empty ssh_host* keys being delivered to your machines, which prevents SSH from starting. Here's a fix.

Once again, I run this script as part of a custom StartupItem. It simply looks for zero-length ssh_host* keys and generates valid replacements.

##################################################################
# SSH
##################################################################

# Fix empty ssh host keys: a zero-length key file means the negative
# transcript delivered the placeholder, so remove it and generate a
# fresh key for this machine (no passphrase, commented with the hostname).
echo "Checking ssh host keys"
if [ -f /etc/ssh_host_key ]; then
    if [ ! -s /etc/ssh_host_key ]; then
        rm /etc/ssh_host_key
        echo "Generating ssh host RSA1 key..."
        ssh-keygen -t rsa1 -f /etc/ssh_host_key -N "" -C "$(hostname)"
    fi
fi
if [ -f /etc/ssh_host_rsa_key ]; then
    if [ ! -s /etc/ssh_host_rsa_key ]; then
        rm /etc/ssh_host_rsa_key
        echo "Generating ssh host RSA key..."
        ssh-keygen -t rsa -f /etc/ssh_host_rsa_key -N "" -C "$(hostname)"
    fi
fi
if [ -f /etc/ssh_host_dsa_key ]; then
    if [ ! -s /etc/ssh_host_dsa_key ]; then
        rm /etc/ssh_host_dsa_key
        echo "Generating ssh host DSA key..."
        ssh-keygen -t dsa -f /etc/ssh_host_dsa_key -N "" -C "$(hostname)"
    fi
fi

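The same check generalized, added here as an example rather than the post's own script: it loops over the key types current OpenSSH ships under /etc/ssh, treats a missing key the same as an empty one, and reads its key directory and generator command from the KEYDIR and KEYGEN variables (both assumptions of this example) so it can be exercised against a scratch directory.

```shell
#!/bin/sh
# Added example, not the original post's script. KEYDIR and KEYGEN are
# assumptions so the logic can be pointed at a scratch directory and a
# stand-in generator instead of /etc/ssh and the real ssh-keygen.
KEYDIR="${KEYDIR:-/etc/ssh}"
KEYGEN="${KEYGEN:-ssh-keygen}"

# Return 0 when the host key at $1 must be (re)generated: the file is
# absent, or present but zero-length (the placeholder from the transcript).
needs_regen() {
    [ ! -f "$1" ] || [ ! -s "$1" ]
}

# Generate one key of type $1 at path $2, discarding any empty placeholder
# and its stale .pub half first so the pair is always consistent.
gen_key() {
    rm -f "$2" "$2.pub"
    "$KEYGEN" -q -t "$1" -f "$2" -N "" -C "$(hostname 2>/dev/null || echo unknown)" || return 1
    chmod 600 "$2"
}

# Walk the key types, regenerate what is broken, report each replaced key
# on stderr and print the number of keys fixed on stdout.
fix_host_keys() {
    fixed=0
    for type in rsa ecdsa ed25519; do
        key="$KEYDIR/ssh_host_${type}_key"
        if needs_regen "$key"; then
            echo "regenerating $key" >&2
            gen_key "$type" "$key" || return 1
            fixed=$((fixed + 1))
        fi
    done
    echo "$fixed"
}

# Only act when invoked as `script --fix`, so sourcing the file is harmless.
case "${1:-}" in
    --fix) fix_host_keys ;;
esac
```

Every key this replaces gets a new fingerprint, so clients that had the old one in known_hosts will warn on their next connection; keep the stderr log of what was regenerated.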
Posted: Wed - November 12, 2003 at 10:17 PM