When a host key is duplicated or suspected compromised, replace it quickly and safely to restore trust.

20.12.2025 | reading time: 2 min

Unique host keys prove a server's identity; when an image is cloned, a key is leaked, or a compromise is suspected, regenerate the host keys to restore trust and avoid man-in-the-middle attacks.

Hands-on walkthrough

Example: on a server named webserver-01, back up the existing keys, generate replacements, and restart SSH:

```sh
sudo mkdir -p /root/ssh_host_backup && sudo mv /etc/ssh/ssh_host_* /root/ssh_host_backup/
sudo ssh-keygen -A
sudo systemctl restart sshd || sudo systemctl restart ssh
```

Then, on a client, remove the old entry and connect:

```sh
ssh-keygen -R webserver-01
ssh user@webserver-01
```

The client will prompt to accept the new host key.

What the commands do

The `ssh-keygen -A` call creates all missing host keys non-interactively for the types configured in `sshd_config`; moving the old `/etc/ssh/ssh_host_*` files out of the way provides a safe rollback, and restarting the ssh service activates the new keys immediately.

Client and fleet considerations

Clients will see a mismatch and refuse to connect until the old key is removed from `~/.ssh/known_hosts` or updated. For many hosts, automate the update with `ssh-keyscan` and configuration management; on Debian-family systems, `sudo dpkg-reconfigure openssh-server` can also regenerate the keys.

Key choices and hardening

Prefer modern key types such as ed25519, or rsa with 3072+ bits, when generating keys individually, e.g.:

```sh
sudo ssh-keygen -t ed25519 -f /etc/ssh/ssh_host_ed25519_key -N ''
```

Consider backing up keys securely if you need a persistent identity across rebuilds.

Wrap-up and next steps

Regenerating host keys is a short, high-impact operation that restores server identity and reduces risk; practice it in a lab, script safe backups, and integrate the step into incident playbooks so you can react quickly.
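The client step above ends with a prompt to accept whatever key the server now presents. The following added example (mine, not code from the original post) pins the new key in `known_hosts` only after checking its SHA256 fingerprint against the one the administrator read on webserver-01 with `ssh-keygen -lf` and published out of band; the hostnames, key blobs and fingerprint are constructed sample data, not real keys.

```python
import base64
import hashlib

def fingerprint(key_b64: str) -> str:
    """OpenSSH-style fingerprint: 'SHA256:' + unpadded base64 of sha256(key blob)."""
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def parse_keyscan_line(line: str):
    """Parse one ssh-keyscan output line: '<host> <keytype> <base64 blob>'.
    Returns None for blank lines and the '# host:port SSH-2.0-...' comment lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    fields = line.split()
    if len(fields) < 3:
        raise ValueError(f"malformed keyscan line: {line!r}")
    return fields[0], fields[1], fields[2]

def pin_host_key(known_hosts: str, keyscan_line: str, expected_fp: str) -> str:
    """Drop the old known_hosts entries for the host and append the new key,
    but only if the scanned key matches the fingerprint published by the admin.
    Handles plain-text host fields only; hashed entries (|1|...) need ssh-keygen -R."""
    parsed = parse_keyscan_line(keyscan_line)
    if parsed is None:
        raise ValueError("keyscan line carries no key")
    host, keytype, blob = parsed
    actual = fingerprint(blob)
    if actual != expected_fp:
        raise ValueError(f"fingerprint mismatch for {host}: got {actual}, expected {expected_fp}")
    kept = [entry for entry in known_hosts.splitlines()
            if host not in entry.split(" ", 1)[0].split(",")]
    kept.append(f"{host} {keytype} {blob}")
    return "\n".join(kept) + "\n"

# Constructed sample data (not real keys): the client's known_hosts before the rotation ...
OLD_BLOB = "AAAAC3NzaC1lZDI1NTE5AAAAIOLDconstructedblob"
OLD_KNOWN_HOSTS = (
    f"webserver-01,10.0.0.5 ssh-ed25519 {OLD_BLOB}\n"
    "db-01 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIotherhostblob\n"
)
# ... what `ssh-keyscan -t ed25519 webserver-01` would print after `ssh-keygen -A` ...
NEW_BLOB = base64.b64encode(b"constructed new host key blob, not a real key").decode()
KEYSCAN_LINE = f"webserver-01 ssh-ed25519 {NEW_BLOB}"
# ... and the fingerprint the admin read on the server with
# `ssh-keygen -lf /etc/ssh/ssh_host_ed25519_key.pub` and published out of band.
PUBLISHED_FP = fingerprint(NEW_BLOB)

if __name__ == "__main__":
    print(pin_host_key(OLD_KNOWN_HOSTS, KEYSCAN_LINE, PUBLISHED_FP), end="")
```

Write the returned text back to `~/.ssh/known_hosts` only on success; a `ValueError` means the server is presenting a key other than the one that was published.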