[lug] Curious About /etc/ssh/keys

D. Stimits stimits at comcast.net
Thu Dec 3 11:59:55 MST 2020


> On 12/03/2020 11:49 AM Zan Lynx <zlynx at acm.org> wrote:
> 
>  
> On 12/3/20 11:16 AM, D. Stimits wrote:
> > Hi,
> > I am curious about the generation of the keys for identifying a specific 
> > host under "/etc/ssh/...various keys...". There are all flavors of Linux 
> > distributions, and different package management systems. Does anyone 
> > happen to know if it is "traditional" (or at least common) to have the 
> > package generate new random keys for each machine, such that installing 
> > several systems won't leave all systems with the same key?
> 
> That is the only thing that makes any sense. You do not want every 
> system to share the same keys.
> 
> Some distributions do this during package installation. I believe Debian 
> and Ubuntu do it that way. Others do it during startup. Redhat and 
> Fedora have a sshd-keygen boot service that generates keys.
> 
> > Basically it makes sense to have those keys randomly generated at the 
> > time of installing, and mostly I am thinking of Ubuntu and Fedora, but 
> > can anyone here think of any distributions where installing many 
> > machines would leave them all with the same key? Or does this seem to 
> > follow the logical idea of pseudo random key generation during system 
> > install?
> 
> There have been problems in the past with IoT systems, or things like 
> Wi-Fi routers where each system is so identical that it generates a key 
> from the same set of keys. I seem to recall reading about one router 
> that would generate one of about 4,096 keys because the only difference 
> in the random numbers and timings during boot was from tiny amounts of 
> thermal noise.
> 
> That's what can happen when you ignore random entropy requirements and 
> read from /dev/urandom. This isn't much of a worry using standard 
> kernels on x86 hardware.
> 
> And of course every kind of mistake has been made with IoT systems, 
> including generating SSH keys in the base image and then duplicating 
> them into every copy of the system.
> 

Recently I've been testing different installs on a PC, but much of my curiosity is because of also flashing and installing different embedded devices (designed to be useful as IoT), so you've hit the proverbial nail on the head for what started my curiosity.

> -- 
>                  Knowledge is Power -- Power Corrupts
>                          Study Hard -- Be Evil
> _______________________________________________
> Web Page:  http://lug.boulder.co.us
> Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug
> Join us on IRC: irc.hackingsociety.org port=6667 channel=#hackingsociety
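The cloned-image failure mode described above (host keys baked into a base image and copied to every device) is easy to check for from the outside: two hosts presenting the same host key produce the same fingerprint. The script below is an added example, not code from the thread or from any distribution's sshd-keygen service. It reimplements the OpenSSH SHA256 fingerprint (base64 of SHA-256 over the decoded key blob, padding stripped) so it runs offline, and reports every fingerprint shared by more than one host. The host names, the 32-byte "key" bytes and the `SAMPLE_HOSTS` table are constructed placeholders; real input would be the lines from each host's `/etc/ssh/ssh_host_*.pub` or from `ssh-keyscan` output.

```python
import base64
import hashlib
import struct
from collections import defaultdict

# Key type prefixes that mark the field preceding the base64 blob in both
# "<type> <blob> [comment]" files and "<host> <type> <blob>" ssh-keyscan lines.
KEY_TYPE_PREFIXES = ("ssh-ed25519", "ssh-rsa", "ssh-dss", "ecdsa-sha2-", "sk-")


def ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire-format string: uint32 big-endian length + payload."""
    return struct.pack(">I", len(data)) + data


def make_ed25519_pubkey_line(key_bytes: bytes, comment: str) -> str:
    """Build an 'ssh-ed25519 <blob> <comment>' line with the real wire layout.

    CONSTRUCTED sample data: key_bytes is a 32-byte placeholder, not a real key;
    only the blob structure (type string + 32-byte point) matches OpenSSH.
    """
    if len(key_bytes) != 32:
        raise ValueError("ed25519 public keys are 32 bytes")
    blob = ssh_string(b"ssh-ed25519") + ssh_string(key_bytes)
    return f"ssh-ed25519 {base64.b64encode(blob).decode()} {comment}"


def extract_blob(line: str) -> bytes:
    """Return the decoded key blob from a public-key or ssh-keyscan line.

    The blob is the field right after the key type, wherever the type sits;
    the declared type is cross-checked against the type string inside the blob.
    """
    fields = line.split()
    for i, field in enumerate(fields[:-1]):
        if field.startswith(KEY_TYPE_PREFIXES):
            blob = base64.b64decode(fields[i + 1])
            (type_len,) = struct.unpack(">I", blob[:4])
            if blob[4:4 + type_len] != field.encode():
                raise ValueError("key type in blob does not match declared type")
            return blob
    raise ValueError("no key type / blob pair found in line")


def fingerprint(line: str) -> str:
    """OpenSSH-style fingerprint: 'SHA256:' + unpadded base64 of SHA-256(blob)."""
    digest = hashlib.sha256(extract_blob(line)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def find_duplicate_host_keys(hosts: dict[str, list[str]]) -> dict[str, list[str]]:
    """Map each fingerprint seen on more than one host to the sorted hosts using it.

    Comments (e.g. root@hostname) differ between cloned devices but are not part
    of the blob, so a cloned key is still detected.
    """
    seen: dict[str, set[str]] = defaultdict(set)
    for host, lines in hosts.items():
        for line in lines:
            line = line.strip()
            if not line or line.startswith("#"):
                continue
            seen[fingerprint(line)].add(host)
    return {fp: sorted(h) for fp, h in seen.items() if len(h) > 1}


# CONSTRUCTED sample fleet: sensor-01 and sensor-02 came from the same image,
# so they share a host key; sensor-03 generated its own on first boot.
SAMPLE_HOSTS = {
    "sensor-01": [make_ed25519_pubkey_line(b"\x01" * 32, "root@sensor-01")],
    "sensor-02": [make_ed25519_pubkey_line(b"\x01" * 32, "root@sensor-02")],
    "sensor-03": [make_ed25519_pubkey_line(b"\x03" * 32, "root@sensor-03")],
}


def report(hosts: dict[str, list[str]] = SAMPLE_HOSTS) -> dict[str, list[str]]:
    """Print and return the duplicate-key groups for a fleet."""
    dups = find_duplicate_host_keys(hosts)
    for fp, names in dups.items():
        print(f"{fp} shared by: {', '.join(names)}")
    if not dups:
        print("no duplicate host keys found")
    return dups


if __name__ == "__main__":
    report()
```

For a real fleet, feed it the output of `ssh-keyscan` for each host (the line format "host type blob" is accepted) or the contents of each device's `/etc/ssh/ssh_host_*.pub`. Any group the script reports is a device set whose image shipped with pre-generated keys; the remedy is to delete the host keys before the image is captured and let the first boot regenerate them (on OpenSSH, `ssh-keygen -A` creates any missing default host keys, which is what the boot-time services the thread mentions rely on).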

