15

The below reference to Google documentation is no longer true.

Google recommends removing SSH keys from a GCE instance to secure SSH. That does not make any sense to me. The keys are there for security, right? When I remove the keys, SSHD stops working. I am probably missing their point. Can someone explain what they mean by this:

Remove ssh host keys

Don't use ssh host keys with your instance. Remove them as follows:

rm /etc/ssh/ssh_host_key
rm /etc/ssh/ssh_host_rsa_key*
rm /etc/ssh/ssh_host_dsa_key*
rm /etc/ssh/ssh_host_ecdsa_key*
Martin Prikryl
  • The document recommends enabling `StrictHostKeyChecking` and later recommends disabling it. I suspect it isn't a very carefully edited document. My advice is to trust your own judgment, and use host keys unless there's a good reason not to. – aecolley Aug 29 '14 at 17:06
  • @aecolley I've noticed that as well. I have submitted a feedback to them. Will see if they come back to me. – Martin Prikryl Sep 02 '14 at 05:41
  • I've elaborated below, but it boils down to context -- the page you're looking at is giving advice for creating new images, not for generally securing a machine. I'll get the docs updated to include more detail around when and why you'd want to delete your host keys, as the reasons aren't clear. – Benson Sep 09 '14 at 21:19

2 Answers

13

The only possible reason I can think of is that they want to force you to regenerate new keys.
As these keys were generated before you had access they may not be trusted.
Removing them and restarting sshd will regenerate the keys for you.
However the document doesn't really make that clear.

This is pure speculation and it would be better to contact them and get clarification on this.

faker
  • Thanks for your response. I need to ssh to the server to restart the `sshd`. But to connect I need to accept the "untrusted" server's host key. So anything I do during this session cannot be trusted. Even the restarting of the sshd. Right? – Martin Prikryl Aug 29 '14 at 06:57
    I guess the main concern would be that for some reason another customer gets the same keys as you (note: this doesn't enable them to access your instance but makes it easier to man-in-the-middle attack you). If you don't trust the provider of the image, then you shouldn't run anything there (they practically have physical access). – faker Aug 29 '14 at 07:04
  • IIRC there's been [some research](https://freedom-to-tinker.com/blog/nadiah/new-research-theres-no-need-panic-over-factorable-keys-just-mind-your-ps-and-qs/) that shows that the quality of entropy in some systems, particularly embedded but that may also include some categories of freshly started virtual machines, isn't very high. When public keys are generated at first boot, such as the SSH host keys, those may be predictable. – HBruijn Aug 29 '14 at 09:03
  • @HBruijn Thanks for the comment. But deleting them and letting sshd recreate them on restart does not make them better. You would have to upload your own. But that's not covered in the document. – Martin Prikryl Aug 29 '14 at 10:18
  • I have submitted a feedback to Google. Will see if they come back to me. – Martin Prikryl Sep 02 '14 at 05:41
12

The critical detail is that the page you've referenced is about creating a new Compute Engine machine image. Specifically, when you create a new virtual machine image, you want to ensure it does NOT include any host keys. That way, when the image is cloned and reconstituted into an actual VM, the sshd startup script will recognize that there are no host keys, and automatically generate new ones. This is desirable because having multiple machines using the same host key is a very bad idea.

So, in the general case, please do not go deleting your host keys, but if you are creating a new image, it's an important step in order to ensure there's a one-to-one relationship between host keys and machines.

Benson
  • Thanks. This makes sense. Though some explanation would help. *"Don't use ssh host keys with your instance."* is really a confusing phrasing. – Martin Prikryl Sep 10 '14 at 06:36
  • I agree entirely -- thanks very much for pointing that out. I've actually submitted an update to the docs to clarify the wording which I suspect will be pushed out shortly. – Benson Sep 10 '14 at 18:26
  • The updated docs are now live: https://developers.google.com/compute/docs/images#removesshkeys – Benson Sep 10 '14 at 18:37
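The image-preparation step Benson describes (strip host keys from the image so every VM cloned from it generates its own on first boot) and the regeneration faker mentions, written out as an added shell example. This is not code from the Google documentation or from either answer. It assumes the image is mounted at a chroot-style path such as /mnt/image (passing "/" targets the live system, which is exactly the mistake the thread warns against), and it adds a check that two machines do not share a public host key, which is the symptom of an image that was cloned with its keys still in place.

```shell
#!/bin/sh
# Added example for the thread above, not part of the original page.
# IMAGE_ROOT is an assumed mount point of the image under preparation,
# e.g. /mnt/image. Usage:
#   remove_host_keys /mnt/image        # before snapshotting the image
#   regenerate_host_keys /             # on the first boot of a clone
#   shares_host_key /mnt/a /mnt/b ed25519 && echo "cloned keys!"
set -eu

# Delete every host key (private and public, all types, including the
# legacy protocol-1 ssh_host_key) under $1/etc/ssh. sshd_config and
# everything else in that directory are left untouched.
remove_host_keys() {
    root=${1%/}
    for f in "$root"/etc/ssh/ssh_host_*key*; do
        [ -e "$f" ] || continue      # the glob matched nothing
        rm -f "$f"
    done
}

# Print the number of host key files left under $1/etc/ssh.
# An image that is ready to be snapshotted reports 0.
count_host_keys() {
    root=${1%/}
    n=0
    for f in "$root"/etc/ssh/ssh_host_*key*; do
        [ -e "$f" ] || continue
        n=$((n + 1))
    done
    echo "$n"
}

# First-boot regeneration. ssh-keygen -A creates every default host key
# type that is missing; with -f PREFIX it writes under PREFIX/etc/ssh,
# which is the form an image build script uses on a mounted root.
# Restarting sshd afterwards makes the new keys active.
regenerate_host_keys() {
    root=${1%/}
    if [ -z "$root" ]; then
        ssh-keygen -A
    else
        ssh-keygen -A -f "$root"
    fi
}

# Return 0 if roots $1 and $2 carry the same public host key of type $3
# (rsa, ecdsa, ed25519, ...), 1 otherwise. Only the key material (field 2
# of the .pub file) is compared, so differing comments do not matter, and
# a missing key on either side counts as "not shared".
shares_host_key() {
    type=$3
    a=$(awk '{print $2}' "${1%/}/etc/ssh/ssh_host_${type}_key.pub" 2>/dev/null || true)
    b=$(awk '{print $2}' "${2%/}/etc/ssh/ssh_host_${type}_key.pub" 2>/dev/null || true)
    [ -n "$a" ] && [ "$a" = "$b" ]
}
```

On a fleet that is already running, the equivalent check is to collect `ssh-keygen -lf /etc/ssh/ssh_host_ed25519_key.pub` from each host and look for duplicate fingerprints; any duplicate means those machines were cloned from an image that still contained host keys, and each of them needs `remove_host_keys /` followed by `regenerate_host_keys /` and an sshd restart, after which clients will see a changed host key and must re-verify it out of band.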