[lug] Curious About /etc/ssh/keys

Zan Lynx zlynx at acm.org
Thu Dec 3 11:49:40 MST 2020


On 12/3/20 11:16 AM, D. Stimits wrote:
> Hi,
> I am curious about the generation of the keys for identifying a specific 
> host under "/etc/ssh/...various keys...". There are all flavors of Linux 
> distributions, and different package management systems. Does anyone 
> happen to know if it is "traditional" (or at least common) to have the 
> package generate new random keys for each machine, such that installing 
> several systems won't leave all systems with the same key?

That is the only thing that makes any sense. You do not want every 
system to share the same keys.

Some distributions do this during package installation. I believe Debian 
and Ubuntu do it that way. Others do it during startup. Red Hat and 
Fedora have an sshd-keygen boot service that generates keys.

> Basically it makes sense to have those keys randomly generated at the 
> time of installing, and mostly I am thinking of Ubuntu and Fedora, but 
> can anyone here think of any distributions where installing many 
> machines would leave them all with the same key? Or does this seem to 
> follow the logical idea of pseudo random key generation during system 
> install?

There have been problems in the past with IoT systems, or things like 
Wi-Fi routers where each system is so identical that it generates a key 
from the same set of keys. I seem to recall reading about one router 
that would generate one of about 4,096 keys because the only difference 
in the random numbers and timings during boot was from tiny amounts of 
thermal noise.

That's what can happen when you ignore random entropy requirements and 
read from /dev/urandom. This isn't much of a worry using standard 
kernels on x86 hardware.

And of course every kind of mistake has been made with IoT systems, 
including generating SSH keys in the base image and then duplicating 
them into every copy of the system.

-- 
                 Knowledge is Power -- Power Corrupts
                         Study Hard -- Be Evil
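As an added example (not part of the thread above), here is a small Python check a defender can run over `ssh-keyscan` output from a fleet to flag hosts that present the same host key, which is the symptom of keys baked into a base image or of the low-entropy generation the reply describes. The key blobs and host names in the sample are constructed, not real keys; the fingerprint format follows OpenSSH's SHA256 convention.

```python
import base64
import hashlib
import struct
from collections import defaultdict

def ssh_string(b: bytes) -> bytes:
    """Encode one SSH wire-format string: 4-byte big-endian length + bytes."""
    return struct.pack(">I", len(b)) + b

def constructed_ed25519_key(fill: int) -> str:
    """Constructed, NOT a real key: an ssh-ed25519 blob with a dummy 32-byte point."""
    blob = ssh_string(b"ssh-ed25519") + ssh_string(bytes([fill]) * 32)
    return base64.b64encode(blob).decode()

def fingerprint(b64_key: str) -> str:
    """OpenSSH-style fingerprint: 'SHA256:' + base64(sha256(blob)) without '=' padding."""
    digest = hashlib.sha256(base64.b64decode(b64_key)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def parse_keyscan(text: str):
    """Yield (host, keytype, fingerprint) from ssh-keyscan / known_hosts style lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0].startswith("#"):
            continue  # skip blank lines and '# host:22 SSH-2.0-...' banner comments
        host, keytype, b64 = parts[:3]
        yield host, keytype, fingerprint(b64)

def find_shared_keys(text: str) -> dict:
    """Map (keytype, fingerprint) -> sorted hosts, keeping only keys seen on >1 host."""
    hosts_by_key = defaultdict(set)
    for host, keytype, fp in parse_keyscan(text):
        hosts_by_key[(keytype, fp)].add(host)
    return {k: sorted(v) for k, v in hosts_by_key.items() if len(v) > 1}

# Constructed sample: three "routers" cloned from one image share a host key.
SAMPLE = "\n".join([
    "# router-a:22 SSH-2.0-OpenSSH_8.9",
    f"router-a ssh-ed25519 {constructed_ed25519_key(1)}",
    f"router-b ssh-ed25519 {constructed_ed25519_key(1)}",
    f"router-c ssh-ed25519 {constructed_ed25519_key(1)}",
    f"server-1 ssh-ed25519 {constructed_ed25519_key(2)}",
])

if __name__ == "__main__":
    for (keytype, fp), hosts in find_shared_keys(SAMPLE).items():
        print(f"{keytype} {fp} shared by {len(hosts)} hosts: {', '.join(hosts)}")
```

In practice, feed it the concatenated output of `ssh-keyscan` over your inventory; any fingerprint listed by more than one host warrants regenerating that host's keys.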