This page describes what to do in case of an Icinga alert. For more information you could search the govuk-puppet repo for the source of the alert
Warning This document has not been updated for a while now. It may be out of date.
Last updated: 5 Apr 2022

Duplicate SSH host keys

This check indicates that more than one machine in an environment is using the same SSH host key. This is bad because it means that we can’t verify the authenticity of a particular host and it could be used in a MITM attack.

The check will list the affected machines and key fingerprints. To determine which key the fingerprint belongs to (RSA, DSA or ECDSA) you can run the following command on the host:

for file in /etc/ssh/ssh_host_*.pub; do sudo ssh-keygen -lf "$file"; done

The immediate problem can be resolved by deleting the host keys and regenerating them with dpkg-reconfigure openssh-server.

However, bear in mind that:

  • the root cause in templating/provisioning also needs to be fixed, otherwise the next machine built from the same image or template will reintroduce the duplicate
  • the key change should be communicated to all people with login accounts, since their clients will see a changed host key for the machine

It is also important to keep in mind that this check uses PuppetDB to query the facts ‘sshdsakey’, ‘sshecdsakey’ and ‘sshrsakey’ and looks for values shared by more than one host. The check assumes some default values that might change over time, and a false alert can also be caused by a problem with PuppetDB itself.
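The following is an added example, not the check's own code from govuk-puppet. The first part emulates what the check described above does with the PuppetDB facts: group hosts by key value and report any value that more than one host reports. The second part wraps the fingerprint lookup from the "determine which key" step so the fingerprint quoted in the alert can be matched to a key type. All hostnames, key blobs and fingerprints are constructed, and the function names are this example's own.

```shell
#!/bin/sh
# Added example for this runbook (not the Icinga check's source).
# Part 1: emulate the duplicate-host-key check over a constructed fact table.
# Part 2: map a fingerprint from the alert to a key type via `ssh-keygen -lf`.

# Constructed PuppetDB-style facts, one per line: "<hostname> <fact> <key blob>".
# frontend-1 and frontend-2 share an RSA key, frontend-1 and backend-1 share an
# ECDSA key (the situation you get when machines are cloned from one image).
SAMPLE_FACTS='frontend-1 sshrsakey AAAAB3NzaC1yc2EAAAADAQABAAABAQCexample1
frontend-2 sshrsakey AAAAB3NzaC1yc2EAAAADAQABAAABAQCexample1
backend-1 sshrsakey AAAAB3NzaC1yc2EAAAADAQABAAABAQCexample2
frontend-1 sshecdsakey AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYexampleA
frontend-2 sshecdsakey AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYexampleB
backend-1 sshecdsakey AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYexampleA'

# Reads fact lines on stdin; prints "<fact> <key> <host1>,<host2>,..." for each
# key value reported by more than one host, sorted. Prints nothing when every
# key is unique, which is the OK case for the check.
find_duplicate_host_keys() {
    awk '
        {
            k = $2 " " $3
            hosts[k] = (k in count) ? hosts[k] "," $1 : $1
            count[k]++
        }
        END { for (k in count) if (count[k] > 1) print k, hosts[k] }
    ' | sort
}

# Constructed lines in the format printed by `ssh-keygen -lf <pubkey>`:
# "<bits> <fingerprint> <comment> (<type>)".
SAMPLE_KEYGEN_OUTPUT='3072 SHA256:rsaFingerprintConstructed0000000000000000000 root@frontend-1 (RSA)
256 SHA256:ecdsaFingerprintConstructed00000000000000000 root@frontend-1 (ECDSA)
256 SHA256:ed25519FingerprintConstructed000000000000000 root@frontend-1 (ED25519)'

# Reads `ssh-keygen -lf` lines on stdin; prints the key type (RSA, ECDSA, ...)
# of the line whose fingerprint equals $1, or nothing if no line matches.
key_type_for_fingerprint() {
    awk -v fp="$1" '$2 == fp { t = $NF; gsub(/[()]/, "", t); print t }'
}

# On the affected host: run the runbook's lookup over the real host keys and
# resolve the fingerprint quoted by the alert. Assumes ssh-keygen is installed
# and the caller can read the .pub files (add sudo as in the runbook if not).
key_type_on_this_host() {
    for file in /etc/ssh/ssh_host_*.pub; do
        ssh-keygen -lf "$file"
    done | key_type_for_fingerprint "$1"
}

# Demo over the constructed data.
printf '%s\n' "$SAMPLE_FACTS" | find_duplicate_host_keys
printf '%s\n' "$SAMPLE_KEYGEN_OUTPUT" \
    | key_type_for_fingerprint SHA256:ecdsaFingerprintConstructed00000000000000000
```

The demo prints two duplicate entries (the shared RSA key on frontend-1,frontend-2 and the shared ECDSA key on frontend-1,backend-1) followed by `ECDSA` for the looked-up fingerprint. Comparing the full key blob rather than a fingerprint mirrors what the facts hold; the fingerprint lookup is only needed on the host itself, where the alert's fingerprint has to be matched to a file before regenerating keys.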

For more information, check the source of the check here