Generate Ssh_host_ecdsa_key

  • Vagrant@testhost:$ step ssh certificate -host testhost sshhostecdsakey Generate your own PKI for step-ca. We recommend using your own PKI for usage outside of this example. You can initialize your step-ca with both X509 and SSH certificates using the following command.
  • Apr 12, 2018 SSH-key-based authentication provides a more secure alternative to password-based authentication. In this tutorial we'll learn how to set up SSH-key-based authentication on a CentOS 7 installation.

Objective

On NetScaler's SSH implementation, we use a 2048 RSA Key and 1024 DSA Key for SSH.
For some security scans, the 1024 DSA Key size can cause alerts.
These would be considered negligible alerts and if the security of the SSH access is a concern, please upgrade to the latest version of 12.0 onwards and follow CTX209398
With this being said, you can change the Host Keys on NetScaler to switch the DSA key with a more secure ECDSA key.
Please note, when making changes to the SSH parameters of a NetScaler, this may cause conflicts with other devices connecting or managing NetScaler using SSH (e.g. ADM)
Please always take a backup of all modified files and test within a controlled environment before making any of these changes.

Instructions

Log onto the NetScaler, via SSH and drop into the shell.
From here, run the command 'ssh-keygen -t ecdsa -b 521' to generate a Public-Private ECDSA Key Pair, using the 521 curve.
https://www.ssh.com/ssh/keygen/
During the instruction steps, press Enter on each to use the defaults.
We do not want to encrypt the keys:
After doing this use the command 'mv /root/.ssh/id_ecdsa* /nsconfig/ssh/' to move the newly created keys to the SSH Directory.
Then rename the keys to the correct naming convention using the mv commands, as below.
The directory should look at below:
root@NS-LAB# mv /root/.ssh/id_ecdsa* /nsconfig/ssh/
root@NS-LAB# mv /nsconfig/ssh/id_ecdsa /nsconfig/ssh/ssh_host_ecdsa_key
root@NS-LAB# mv /nsconfig/ssh/id_ecdsa.pub /nsconfig/ssh/ssh_host_ecdsa_key.pub
root@NS-LAB#
root@NS-LAB#
root@NS-LAB# ls -l /nsconfig/ssh/
total 16
-rw------- 1 root wheel 668 Jan 31 21:23 ssh_host_dsa_key
-rw-r--r-- 1 root wheel 601 Jan 31 21:23 ssh_host_dsa_key.pub
-rw------- 1 root wheel 365 Feb 1 15:22 ssh_host_ecdsa_key
-rw-r--r-- 1 root wheel 265 Feb 1 15:22 ssh_host_ecdsa_key.pub
-rw------- 1 root wheel 972 May 22 2018 ssh_host_key
-rw-r--r-- 1 root wheel 637 May 22 2018 ssh_host_key.pub
-rw------- 1 root wheel 1675 May 22 2018 ssh_host_rsa_key
-rw-r--r-- 1 root wheel 389 May 22 2018 ssh_host_rsa_key.pub
Finally, we now need to edit the SSH configuration file to stop using DSA and use the ECDSA in its place.
Make a copy of the /nsconfig/sshd_config file, by running the command 'cp /nsconfig/sshd_config /nsconfig/sshd_config.bkp'
You can edit the config file, using the command 'ee /nsconfig/sshd_config', then edit the below line, to point to the new key:
You can then use Esc and then follow the prompts to save the file.
Please use 'cat' on the file to confirm it has been written to correctly.
After doing this, please restart the SSH process by checking the pid:
root@NS-LAB# ps -auxx grep sshd
root 989 0.0 0.1 27312 2284 ?? Is 9:23PM 0:00.08 /usr/sbin/sshd -f /etc/sshd_config
root 96331 0.0 0.3 27312 4824 ?? Ss 3:22PM 0:00.05 sshd: nsroot@pts/0 (sshd)
root 97645 0.0 0.1 9096 1384 0 S+ 3:36PM 0:00.00 grep sshd
Then run the command 'kill -HUP 989'

Host keys are just ordinary SSH key pairs.Each host can have one host key for each algorithm. You should get an SSH host key fingerprint along with your credentials from a server administrator in order to prevent man-in-the-middle attacks.

Disclaimer

Generate Ssh_host_ecdsa_key File

The above mentioned sample code is provided to you as is with no representations, warranties or conditions of any kind. You may use, modify and distribute it at your own risk. CITRIX DISCLAIMS ALL WARRANTIES WHATSOEVER, EXPRESS, IMPLIED, WRITTEN, ORAL OR STATUTORY, INCLUDING WITHOUT LIMITATION WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE AND NONINFRINGEMENT. Without limiting the generality of the foregoing, you acknowledge and agree that (a) the sample code may exhibit errors, design flaws or other problems, possibly resulting in loss of data or damage to property; (b) it may not be possible to make the sample code fully functional; and (c) Citrix may, without notice or liability to you, cease to make available the current version and/or any future versions of the sample code. In no event should the code be used to support ultra-hazardous activities, including but not limited to life support or blasting activities. NEITHER CITRIX NOR ITS AFFILIATES OR AGENTS WILL BE LIABLE, UNDER BREACH OF CONTRACT OR ANY OTHER THEORY OF LIABILITY, FOR ANY DAMAGES WHATSOEVER ARISING FROM USE OF THE SAMPLE CODE, INCLUDING WITHOUT LIMITATION DIRECT, SPECIAL, INCIDENTAL, PUNITIVE, CONSEQUENTIAL OR OTHER DAMAGES, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. Although the copyright in the code belongs to Citrix, any distribution of the sample code should include only your own standard copyright attribution, and not that of Citrix. You agree to indemnify and defend Citrix against any and all claims arising from your use, modification or distribution of the sample code.