There seems to be a big security issue when cloud providers (and customers) clone virtual machines and use the clone as a master VM for provisioning VPS machines for customers. When Digital Ocean was informed by its customers (see comments) that this was an issue, it took them over 4 months to notify other customers about the potential security issue of duplicate SSH keys for every customer that provisioned a new VM from them.
Luckily for DO, they have rectified the issue, but we thought we would share the simple method we use to guarantee that all SSH keys are unique for every customer. There are many ways of doing this, but we found this the easiest:
If you don't have an rc.local file in /etc, create it:
sudo nano /etc/rc.local
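Paste the following bash script, which we use and anyone can use:
#!/bin/bash
# Remove the SSH host keys inherited from the cloned image
sudo rm /etc/ssh/ssh_host_*
# With the old keys gone, reconfiguring openssh-server generates new ones
test -f /etc/ssh/ssh_host_dsa_key || dpkg-reconfigure openssh-server
sudo service ssh start
# Remove this script so new keys are not generated after each reboot
sudo rm /etc/rc.local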
Save the script using ctrl-o and exit
chmod 755 /etc/rc.local
chmod +x /etc/rc.local
These commands make the script executable.
That's it.
Once you reboot, the script removes the current SSH host keys, regenerates new keys, and then restarts the SSH service. Once done, it removes the rc.local script so that it does not generate new keys after each reboot.
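One way to check a fleet for the cloned-key problem described above (an added example, not part of the original post): group lines in ssh-keyscan output format by public key and list any key that more than one host presents. The function names, host names and key strings are constructed for illustration.

```shell
#!/bin/sh
# Added example: report SSH host keys that appear on more than one host.
# Input format (ssh-keyscan / plain known_hosts): "<host> <keytype> <base64-key>"

find_duplicate_host_keys() {
    # Reads scan lines on stdin; prints "<keytype> <host-count> <host1>,<host2>,..."
    # for every public key that is served by more than one host.
    awk '
        /^#/ || NF < 3 { next }             # skip comment/banner lines and short lines
        {
            id = $2 " " $3                  # key type + key blob identifies the key
            if ((id, $1) in seen) next      # count each host only once per key
            seen[id, $1] = 1
            if (id in hosts) hosts[id] = hosts[id] "," $1
            else             hosts[id] = $1
            count[id]++
        }
        END {
            for (id in count)
                if (count[id] > 1) {
                    split(id, part, " ")
                    print part[1], count[id], hosts[id]
                }
        }
    ' | sort
}

# Constructed sample data (not real keys): vm-a and vm-b come from the same
# cloned image, vm-c had its host keys regenerated on first boot.
sample_scan() {
    cat <<'EOF'
# vm-a:22 SSH-2.0-OpenSSH_x
vm-a ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIClonedImageKeyAAAAAAAAAAAAAAAAAAAA
vm-b ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIClonedImageKeyAAAAAAAAAAAAAAAAAAAA
vm-c ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIUniqueKeyForVmCAAAAAAAAAAAAAAAAAAA
vm-a ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABClonedRsaKey
vm-b ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABClonedRsaKey
vm-c ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABUniqueRsaKeyC
EOF
}

sample_scan | find_duplicate_host_keys
```

Against real machines, the output of ssh-keyscan for the hosts you own can be piped into the function in place of the sample data; an empty result means no two scanned hosts share a host key.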
1 Comment
OneHost Cloud
This is an often overlooked aspect when cloning virtual machines and is a major security issue for man-in-the-middle attacks.