An SSH server uses host keys to uniquely identify itself to connecting clients. These keys are normally automatically regenerated each time a new installation is done.

Due to an error in the installation software introduced on April 10th, 2015, the Ed25519 SSH host keys (/etc/ssh/ssh_host_ed25519_key) on the standard images were no longer automatically regenerated.

This resulted in identical Ed25519 SSH host keys for each affected OS image.

An attacker may use this to compromise or eavesdrop on the communication between the client and the server using a man-in-the-middle attack.

Affected images

    • CentOS-71-64-minimal
    • CentOS-72-64-minimal
    • Debian-80-jessie-64-LAMP
    • Debian-80-jessie-64-minimal
    • Debian-81-jessie-64-LAMP
    • Debian-81-jessie-64-minimal
    • Debian-82-jessie-64-LAMP
    • Debian-82-jessie-64-minimal
    • Ubuntu-1404-trusty-64-minimal
    • Ubuntu-1410-utopic-64-minimal
    • Ubuntu-1504-vivid-64-minimal
    • Ubuntu-1510-wily-64-minimal
    • openSUSE-132-64-minimal
    • openSUSE-421-64-minimal

Exchange / generation of Ed25519 SSH host keys procedure

To replace the affected key, simply use “ssh-keygen” to create a new key and overwrite the existing one.

 # ssh-keygen -t ed25519 -f /etc/ssh/ssh_host_ed25519_key -N ""
 Generating public/private ed25519 key pair.
 /etc/ssh/ssh_host_ed25519_key already exists.
 Overwrite (y/n)? y
 Your identification has been saved in /etc/ssh/ssh_host_ed25519_key.
 Your public key has been saved in /etc/ssh/
 The key fingerprint is:
 d5:1d:28:01:f7:c5:0f:fb:7b:43:07:08:1f:93:1c:c6 [email protected]
 The key's randomart image is:
 +--[ED25519 256]--+
 |        ..o+o=o  |
 |         .o+Eoo. |
 |          .+o+.+ |
 |         .  o o .|
 |        S      o |
 |               .o|
 |              . o|
 |               o.|
 |                o|

In unaffected images or operating systems which have SSH that still does not support Ed25519 keys, an error message is displayed:

# ssh-keygen -t ed25519 -f /etc/ssh/ssh_host_ed25519_key -N ""
unknown key type ed25519

Afterwards, the SSH daemon must be restarted, or the server rebooted to apply the new key. Please note that now when re-connecting to the server, a warning may appear.

Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the ED25519 key sent by the remote host is
MD5: d5:1d:28:01:f7:c5:0f:fb:7b:43:07:08:1f:93:1c:c6
Please contact your system administrator.
Add correct host key in /home/user/.ssh/known_hosts to get rid of this message.
Offending ED25519 key in /home/user/.ssh/known_hosts:1
Password authentication is disabled to avoid man-in-the-middle attacks.
Keyboard-interactive authentication is disabled to avoid man-in-the-middle  attacks.
Permission denied (publickey,password).

If the fingerprint displayed conforms to the previously generated new key, the relevant line can be deleted from the “known_hosts” file.