This page describes what to do in case of an Icinga alert. For more information, search the govuk-puppet repo for the source of the alert.

‘duplicate SSH host keys’

This check indicates that more than one machine in an environment is using the same SSH host key. This is bad because a host key shared between machines means we can’t verify the authenticity of a particular host, and the duplicated key could be used in a man-in-the-middle (MITM) attack.

The check will list the affected machines and key fingerprints. To determine which key type a fingerprint belongs to (RSA, DSA or ECDSA), run the following command on the host:

for file in /etc/ssh/ssh_host_*.pub; do sudo ssh-keygen -lf "$file"; done
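As an added example (not part of this page or of the Icinga check's own code), the shell functions below do the grouping the check performs: given `ssh-keygen -lf` output collected from each host, they report fingerprints shared by more than one host and return the Icinga CRITICAL exit status when any are found. The inventory, hostnames and fingerprints are constructed for illustration.

```shell
#!/bin/sh
# Input format, one line per key per host:
#   "<host> <ssh-keygen -lf output>"  e.g.
#   "frontend-1 2048 SHA256:AAAA1111 root@frontend-1 (RSA)"

# Constructed sample inventory (hostnames and fingerprints are made up).
# frontend-1 and frontend-2 share an RSA key; frontend-2 and backend-1
# share an ECDSA key.
SAMPLE_INVENTORY='frontend-1 2048 SHA256:AAAA1111 root@frontend-1 (RSA)
frontend-1 256 SHA256:BBBB2222 root@frontend-1 (ECDSA)
frontend-2 2048 SHA256:AAAA1111 root@frontend-2 (RSA)
frontend-2 256 SHA256:CCCC3333 root@frontend-2 (ECDSA)
backend-1 2048 SHA256:DDDD4444 root@backend-1 (RSA)
backend-1 256 SHA256:CCCC3333 root@backend-1 (ECDSA)'

# Reads inventory lines from stdin and prints one line per duplicated key:
#   "<type> <fingerprint> <host1>,<host2>,..."
# Output is sorted so the result is stable regardless of awk's hash order.
find_duplicate_host_keys() {
    awk '
    {
        host = $1; fp = $3; type = $NF
        gsub(/[()]/, "", type)            # "(RSA)" -> "RSA"
        key = type " " fp
        if (key in hosts) hosts[key] = hosts[key] "," host
        else hosts[key] = host
        count[key]++
    }
    END {
        for (k in count) if (count[k] > 1) print k, hosts[k]
    }' | sort
}

# Takes the whole inventory as its single argument.
# Returns 2 (Icinga CRITICAL) if any host key is duplicated, 0 (OK) otherwise.
check_duplicate_host_keys() {
    dups=$(printf '%s\n' "$1" | find_duplicate_host_keys)
    if [ -n "$dups" ]; then
        printf 'CRITICAL: duplicate SSH host keys\n%s\n' "$dups"
        return 2
    fi
    printf 'OK: no duplicate SSH host keys\n'
    return 0
}
```

Run it against real data by replacing SAMPLE_INVENTORY with lines of `hostname` followed by the `ssh-keygen -lf` output gathered from each machine.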

The immediate problem can be resolved by deleting the host keys and regenerating them with dpkg-reconfigure openssh-server. However, bear in mind that:

  • the root cause in templating/provisioning also needs to be fixed, otherwise the duplicate keys will come back
  • the key change should be communicated to all people with login accounts, so they can update their known_hosts entries rather than ignore the host key warning

This page is owned by #2ndline and needs to be reviewed