Table of contents
This page describes what to do in case of an Icinga alert. For more information you could search the govuk-puppet repo for the source of the alert

Icinga alerts

Duplicate SSH host keys

This check indicates that more than one machine in an environment is using the same SSH host key. This is bad because it means that we can’t verify the authenticity of a particular host and it could be used in a MITM attack.

The check will list the affected machines and key fingerprints. To determine which key the fingerprint belongs to (RSA, DSA or ECDSA) you can run the following command on the host:

for file in /etc/ssh/ssh_host_*.pub; do sudo ssh-keygen -lf $file; done

The immediate problem can be resolved by deleting the host keys and regenerating them with dpkg-reconfigure openssh-server.

However, bear in mind that the:

  • root cause in templating/provisioning also needs to be fixed
  • key change should be communicated to all people with login accounts

It is also important to keep in mind that this check uses Puppetdb to query the facts ‘sshdsakey’, 'sshecdsakey’ and 'sshrsakey’ and find duplicated values. The check assumes some default values that might change with the time, or there could be a problem with Puppetdb itself.

For more information, check the source of the check in

This page was last reviewed on 20 February 2019. It needs to be reviewed again on 20 August 2019 by the page owner #govuk-2ndline .
This page was set to be reviewed before 20 August 2019 by the page owner #govuk-2ndline. This might mean the content is out of date.