
I am being tasked with removing ssh-keygen from Ubuntu servers and I don't want to break the computer. Can you please help: how do I uninstall the ssh-keygen utility safely?

Thanks

Bhalu
  • Why on earth would you want to do that? That's completely useless. – Gerald Schneider Jul 23 '20 at 06:12
  • Even if you remove the binary, user can just create SSH keys on another machine. – Gerald Schneider Jul 23 '20 at 06:18
  • Put your servers into docker containers – Jacob Evans Jul 23 '20 at 11:54
  • And even if you remove it, it will just be reinstalled by the system later when openssh gets upgraded. There is also no point to this. It serves no valid security or operations purpose. Worse, it will make life difficult for the system's users, who have a legitimate need to create their own ssh keys. – Michael Hampton Jul 23 '20 at 12:51
  • @GeraldSchneider - I agree with all of your comments. The idea is to force the users to make use of a single copy of a customized ssh-keygen version to meet the security requirement, instead of using each individual server's ssh-keygen. I agree that users can create keys on their laptops and use those keys. We clean up the keys if the keys are not passphrased. – Bhalu Jul 23 '20 at 18:03
  • @MichaelHampton - I will clean up weekly. – Bhalu Jul 23 '20 at 18:04
  • @JacobEvans - That's not the option for me now. – Bhalu Jul 23 '20 at 18:04

1 Answer

You can easily check which package a file belongs to on Debian-based systems using dpkg -S:

user@host:~$ which ssh-keygen
/usr/bin/ssh-keygen
user@host:~$ dpkg -S /usr/bin/ssh-keygen
openssh-client: /usr/bin/ssh-keygen

So, the file belongs to openssh-client. The clean way would be to remove that package.

user@host:~$ sudo apt remove openssh-client

This will of course remove the ssh client completely. If that is not what you want, you can just remove or replace the binary. I'd guess chances are low that it is used by other packages.

As noted by Michael Hampton, this is not really an option since it would just reappear when the package is updated.

Or you could replace openssh-client with lsh-client, which is another implementation of the SSH2 protocol. The package doesn't seem to contain other tools for key management, but I have no experience using it.

Gerald Schneider
  • Removing or replacing the binary seems to be the way for now. Thank you for your suggestions. – Bhalu Jul 23 '20 at 18:07
  • @Bhalu as Michael Hampton noted in his comment on the question this is not really an option. I didn't think this through. – Gerald Schneider Jul 24 '20 at 05:53
  • Noted. I am planning to perform this task in two parts: schedule (maybe weekly) a cleanup activity which will remove the ssh-keygen binary, and schedule (weekly perhaps) a cleanup activity which will remove unpassphrased SSH keys from the server. I am thus forcing the users to use a tailor-made ssh-keygen utility which enforces passphrased key generation. I have already implemented 2FA (on a limited set of servers), but on a vast scale it is not the way for me now. – Bhalu Jul 24 '20 at 15:54
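The second part of the plan above (finding private keys on the server that have no passphrase) is the one control in this thread that actually addresses the stated risk, and it can be done without depending on the ssh-keygen binary the question wants removed. The following is an added example, not code from the question, the answer or OpenSSH: it inspects the key file format directly (the cipher name in openssh-key-v1 blobs, the Proc-Type header in legacy PEM keys) and reports unencrypted keys rather than deleting them; the directory root and the fixture-building helper are assumptions for illustration.

```python
import base64
import struct
from pathlib import Path

OPENSSH_MAGIC = b"openssh-key-v1\x00"

def _read_string(buf, off):
    """Read one SSH wire-format string (uint32 big-endian length prefix + bytes)."""
    n = struct.unpack(">I", buf[off:off + 4])[0]
    return buf[off + 4:off + 4 + n], off + 4 + n

def key_is_unencrypted(pem_text):
    """True if an OpenSSH or legacy PEM private key carries no passphrase."""
    lines = [ln.strip() for ln in pem_text.strip().splitlines()]
    if not lines or not lines[0].startswith("-----BEGIN") or "PRIVATE KEY" not in lines[0]:
        raise ValueError("not a private key")
    body = lines[1:-1]
    if lines[0] == "-----BEGIN OPENSSH PRIVATE KEY-----":
        blob = base64.b64decode("".join(body))
        if not blob.startswith(OPENSSH_MAGIC):
            raise ValueError("bad openssh-key-v1 magic")
        # The first string after the magic is the cipher name; "none" means unencrypted.
        cipher, _ = _read_string(blob, len(OPENSSH_MAGIC))
        return cipher == b"none"
    # Legacy PEM keys (RSA/DSA/EC): encrypted ones carry a Proc-Type header.
    return not any(ln.startswith("Proc-Type: 4,ENCRYPTED") for ln in body)

def scan_directory(root):
    """Walk root (e.g. /home, an assumed location) and return key files lacking a passphrase."""
    findings = []
    for p in Path(root).rglob("*"):
        try:
            if not p.is_file() or p.stat().st_size > 65536:
                continue  # private keys are small; skip anything else cheaply
            text = p.read_text(errors="ignore")
        except OSError:
            continue  # unreadable file: not ours to judge
        if text.startswith("-----BEGIN") and "PRIVATE KEY" in text.splitlines()[0]:
            try:
                if key_is_unencrypted(text):
                    findings.append(str(p))
            except ValueError:
                pass  # malformed key material is reported by nothing here
    return findings

def constructed_openssh_key(cipher):
    """Constructed fixture only: a minimal openssh-key-v1 blob with the given cipher name."""
    s = lambda b: struct.pack(">I", len(b)) + b
    blob = OPENSSH_MAGIC + s(cipher) + s(b"none") + s(b"") + struct.pack(">I", 0)
    b64 = base64.b64encode(blob).decode()
    body = "\n".join(b64[i:i + 70] for i in range(0, len(b64), 70))
    return f"-----BEGIN OPENSSH PRIVATE KEY-----\n{body}\n-----END OPENSSH PRIVATE KEY-----\n"
```

Running scan_directory("/home") on a schedule and reviewing its output gives the weekly check described above without touching openssh-client; a real key encrypted by ssh-keygen shows a cipher such as aes256-ctr in place of "none".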