Duplicate SSH Keys When Cloning Virtual Machines

There seems to be a big security issue when cloud providers ( and customers ) clone virtual machines and provide this master VM for provisioning VPS Machines for customers. When Digital Ocean was informed by its customers  ( see comments ) that this was an issue it took them over 4 months to notify other customers about the potential security issue of duplicate SSH keys for every customer that provisioned a new VM from them.

Luckily for DO they have rectified the issue but we thought we would share our simple method of what we do to guarantee that all SSH keys are unique for every customer. There are many ways of doing this but we found this the easiest:-

If you don’t have an rc.local file in /etc then create it.

sudo nano /etc/rc.local

Paste the following bash script that we use and any one can use.

#!/bin/bash
 sudo rm /etc/ssh/ssh_host_*
 test -f /etc/ssh/ssh_host_dsa_key || dpkg-reconfigure openssh-server
 sudo service ssh start
 sudo rm /etc/rc.local

Save the script using ctrl-o and exit

chmod 755 /etc/rc.local
chmod +x /etc/rc.local

to make the script executable

Thats it.

Once you reboot the script remove the current SSH keys and regenerate new keys and then it will restart the SSH service. Once done it will remove the rc.local script so it does not generate new keys after each reboot.

 

  • This is an often overlooked aspect when cloning virtual machines and is a major security issue for man-in-the-middle attacks.