Security Sense

Personal ramblings of a security professional

Change Kali Linux Default SSH Keys

If you are running Kali Linux as a live image (from a CD/DVD or USB) or have downloaded the VMware or VirtualBox image, security best practice is to change the SSH host keys that are already present in the image.

This is because the keys are the same in every image and an attacker could use this knowledge to conduct a Man in the Middle (MitM) attack on your SSH session.

The keys we need to replace are located in the /etc/ssh directory and have the name format ssh_host_*:

-rw------- 1 root root  227 Sep 22  2016 ssh_host_ecdsa_key
-rw-r--r-- 1 root root  171 Sep 22  2017 ssh_host_ecdsa_key.pub
-rw------- 1 root root  399 Sep 22  2017 ssh_host_ed25519_key
-rw-r--r-- 1 root root   91 Sep 22  2017 ssh_host_ed25519_key.pub
-rw------- 1 root root 1679 Sep 22  2017 ssh_host_rsa_key
-rw-r--r-- 1 root root  391 Sep 22  2017 ssh_host_rsa_key.pub

I suggest creating a folder in the /etc/ssh directory and moving the existing keys into it for safekeeping.

root@kali:~$ mkdir /etc/ssh/backup-keys
root@kali:~$ mv /etc/ssh/ssh_host_* /etc/ssh/backup-keys

Once the keys have been moved, we can create new keys using the command dpkg-reconfigure openssh-server:

root@kali:~$ dpkg-reconfigure openssh-server
Creating SSH2 RSA key; this may take some time ...
2048 SHA256:mvAt52noMi7BU4/TWj9pkKYOGvF+Jd8iDA54fEn3HrY root@kali (RSA)
Creating SSH2 ECDSA key; this may take some time ...
256 SHA256:sn2iKR20fLJshc9pU222VSk7ipMdWtg/k6qTcFiMvRU root@kali (ECDSA)
Creating SSH2 ED25519 key; this may take some time ...
256 SHA256:l63L+2A0qbYBABs4kDeVZxr2WgLyK5zLmZt/S8SMlKw root@kali (ED25519)
insserv: warning: current start runlevel(s) (empty) of script `ssh` overrides LSB defaults (2 3 4 5).
insserv: warning: current stop runlevel(s) (2 3 4 5) of script `ssh` overrides LSB defaults (empty).

You can ignore the warnings in the last two lines of the output as the command has executed successfully.

To confirm that the new keys are different from the default ones, run md5sum against both sets of keys and compare the outputs.

root@kali:~$ md5sum /etc/ssh/ssh_host_*
e3d469c240896191066351f3a8368794  /etc/ssh/ssh_host_ecdsa_key
4ead1d20ce610a7f1ae3884b5846ac6b  /etc/ssh/ssh_host_ecdsa_key.pub
984898c5d8e8f21d804cef7328f3f3b4  /etc/ssh/ssh_host_ed25519_key
9523952991ea0b8412184bc21848b9e9  /etc/ssh/ssh_host_ed25519_key.pub
cba13daf15ad99844a5da606524c653e  /etc/ssh/ssh_host_rsa_key
5eb0d0dd1e96c340c3ab4ba2fe0fb8d5  /etc/ssh/ssh_host_rsa_key.pub
root@kali:~$ md5sum /etc/ssh/backup-keys/ssh_host_*
6fe83a1e1d194bae3bf6f7144b34c365  /etc/ssh/backup-keys/ssh_host_ecdsa_key
e62b60b1f3f24004f05824aed96891af  /etc/ssh/backup-keys/ssh_host_ecdsa_key.pub
1a8c458c5f9376a6d8093c2689f3d233  /etc/ssh/backup-keys/ssh_host_ed25519_key
0a467903277e7a44dfbd9bcd377c9b8f  /etc/ssh/backup-keys/ssh_host_ed25519_key.pub
2253eb897e5e2cae4e1d4c26aee3d4b4  /etc/ssh/backup-keys/ssh_host_rsa_key
b9d4b5a1e4cc4e5904735515948aa1cd  /etc/ssh/backup-keys/ssh_host_rsa_key.pub
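
The comparison above can also be scripted. The following is an added example, not part of the original post: it compares the key material itself (the second field of each .pub file) rather than a hash of the whole file, so a changed comment cannot mask a key that was never regenerated. The function names check_host_keys and key_blob are hypothetical; the paths in the usage comment are the ones used in this post.

```shell
#!/bin/sh
# Added example: confirm regenerated SSH host keys differ from the image defaults.
# Function names are hypothetical; only POSIX sh and awk are required.

# Print the base64 key blob (second field) of a one-line OpenSSH public key file.
key_blob() {
    awk 'NF >= 2 { print $2; exit }' "$1"
}

# check_host_keys NEW_DIR OLD_DIR
# Returns 0 if every ssh_host_*_key.pub in OLD_DIR has a counterpart in NEW_DIR
# with different key material, 1 if any key is missing or unchanged,
# and 2 if OLD_DIR holds no backed-up public keys to compare against.
check_host_keys() {
    new_dir=$1
    old_dir=$2
    status=0
    found=0
    for old_pub in "$old_dir"/ssh_host_*_key.pub; do
        [ -f "$old_pub" ] || continue
        found=1
        name=$(basename "$old_pub")
        new_pub="$new_dir/$name"
        if [ ! -f "$new_pub" ]; then
            echo "MISSING   $name (not regenerated)"
            status=1
        elif [ "$(key_blob "$new_pub")" = "$(key_blob "$old_pub")" ]; then
            echo "UNCHANGED $name (still the default key)"
            status=1
        else
            echo "OK        $name"
        fi
    done
    if [ "$found" -eq 0 ]; then
        echo "no backed-up public keys found in $old_dir"
        return 2
    fi
    return "$status"
}

# Usage on the system from this post:
#   check_host_keys /etc/ssh /etc/ssh/backup-keys
```
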