Bash script to rekey a server

Reading time: less than 1 minute

The so called Heartbleed bug in OpenSSL caused it to leak private key material resulting in fully compromised encryption. After patching a server, the servers ssh keys need to be regenerated. This bash script will move current public and private keys to an archive directory, generate new keys, and document the process for auditing.


set -e

archive_dir="/etc/ssh/compromised_keys/$(date +%F)"
mkdir -p $archive_dir

mv /etc/ssh/ssh*_key $archive_dir
mv /etc/ssh/ssh* $archive_dir

ssh-keygen -f /etc/ssh/ssh_host_rsa_key -N '' -t rsa >> $archive_dir/regen_log
ssh-keygen -f /etc/ssh/ssh_host_dsa_key -N '' -t dsa >> $archive_dir/regen_log
ssh-keygen -f /etc/ssh/ssh_host_ecdsa_key -N '' -t ecdsa >> $archive_dir/regen_log

ssh-keygen -lf /etc/ssh/ssh_host_rsa_key
ssh-keygen -lf /etc/ssh/ssh_host_dsa_key
ssh-keygen -lf /etc/ssh/ssh_host_ecdsa_key

Date: 2015-Aug-29
Tags: bash ssh security
Previous: An Arduino test framework
Next: rsync script to backup laptop to network storage

This page was originally published as a github gist and was imported in December 2017.
Original Gist here.