Ssh – Why does Google recommend removing SSH keys from GCE for security

cloudcloud computinggoogle-compute-enginehostkeyssh

The below reference to Google documentation is no longer true.

Google recommends removing SSH keys from GCE instance to secure SSH. That does not make any sense to me. The keys are there for a security, right? When I remove the keys, SSHD stops working. I probably miss their point. Can someone explain what do the mean by this:

Remove ssh host keys

Don't use ssh host keys with your instance. Remove them as follows:
rm /etc/ssh/ssh_host_key
rm /etc/ssh/ssh_host_rsa_key*
rm /etc/ssh/ssh_host_dsa_key*
rm /etc/ssh/ssh_host_ecdsa_key*

Best Answer

The critical detail is that the page you've referenced is about creating a new Compute Engine machine image. Specifically, when you create a new virtual machine image, you want to ensure it does NOT include any host keys. That way, when the image is cloned and reconstituted into an actual VM, the sshd startup script will recognize that there are no host keys, and automatically generate new ones. This is desirable because having multiple machines using the same host key is a very bad idea.

So, in the general case, please do not go deleting your host keys, but if you are creating a new image, it's an important step in order to ensure there's a one-to-one relationship between host keys and machines.

Related Solutions

SSH host key is not regenerated after reboot

The reason your ssh host keys aren't re-generated at restart is because they are not supposed to. If you look inside your /etc/init.d/ssh you will see that there are no ssh-keygen commands present.

Sshd on mac does no longer accept connections in inetd (-i) mode, but does in do not detach mode (-D), how to fix

It's pretty non-standard to use initd to start anything on a Mac. Instead, launchd is used, kicking off sshd in an ad hoc fashion (ie, it doesn't run as a typical server daemon until there's knock on the door). I suspect that your use of Linux-centric Webmin to manage ssh is contributing to the problem, since Webmin doesn't know a whole lot about launchd.

First, make sure the ssh launchd item is configured to load, just to eliminate the obvious.

sudo launchctl load -w /System/Library/LaunchDaemons/ssh.plist

This is akin to ticking the box on Server Admin.app in the Settings options to enable SSH. Check syslog to see if launchctl is complaining about something.

It's unclear why you would want Webmin to handle SSH, but Apple's default configuration might be illuminating.

There's a launchd item in /System/Library/LaunchDaemons called sshd.plist. This XML file indicates that /usr/libexec/sshd-keygen-wrapper is used as the "program" that actually kicks off /usr/sbin/sshd using the -i flag. (The sshd-keygen-wrapper program is a shell script to first set up initial rsa and dsa keys in empty user home dirs.) The sshd-keygen-wrapper, however, also kicks off sshd like exec /usr/sbin/sshd $@ and is a trusted/whitelisted program as far as the socket firewall is concerned.

You might also want to grab the default /etc/sshd_config from backup or another machine to eliminate that as a variable in troubleshooting.

Best Answer

Related Solutions

SSH host key is not regenerated after reboot

Sshd on mac does no longer accept connections in inetd (-i) mode, but does in do not detach mode (-D), how to fix

Related Topic