How to regenerate SSH client keys

Recently, a SSH client bug was discovered that could let the server read client private keys in some situations.

If you’re affected, then follow these steps. Regular users of SSH may be familiar with the commands used.

If you use public key authentication

If you do use keys to authenticate, you should regenerate them. Start by backing up your old key. Assuming it’s at the default location, just use-

1
2

$ mv ~/.ssh/id_rsa ~/.ssh/id_rsa.old
$ mv ~/.ssh/id_rsa.pub ~/.ssh/id_rsa.pub.old

Next, create or edit ~/.ssh/config, and add the following line. This disables the roaming feature, which was part of the problem:

1

UseRoaming no

Generate new keys:

1
2
3
4
5
6
7

$ ssh-keygen 
Generating public/private rsa key pair.
Enter file in which to save the key (/home/example/.ssh/id_rsa): 
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /home/example/.ssh/id_rsa.
Your public key has been saved in /home/example/.ssh/id_rsa.pub.

Now copy the new public key over, using the old keys. You would normally use ssh-copy-id, but it adds keys rather than replacing them, which is why we need to do it manually:

1

scp -i ~/.ssh/id_rsa.old ~/.ssh/id_rsa.pub user@example.com:/home/user/id_rsa.pub.new

SSH in with the old key:

1

ssh -i ~/.ssh/id_rsa.old

Replace all current authorized keys with the newly generated one:

1
2

mv -f id_rsa.pub.new ~/.ssh/authorized_keys
chmod 600 ~/.ssh/authorized_keys

Logout, log back in with the new key to make sure it works, and you’re done.

If you don’t use public keys

If you don’t use keys for login, now could be a good time to start. Public-key authentication provides much stronger protection from brute force attacks, and also prevents the need for the server to be sent your password each time you log in.

Create or edit ~/.ssh/config as above, and make sure it contains this line-

1

UseRoaming no

Generate a keypair and add your public key to the server-

1
2

ssh-keygen
ssh-copy-id user@example.com

Test it out:

1

ssh user@example.com

At his point, you should disable password-based authentication in OpenSSH server. If you don’t control the server’s SSH configuration, then just set a good random password for your account to prevent it being brute-forced:

1
2

openssl rand -base64 32
cat /dev/urandom | head -c32 | base64

Set it on your account:

1

passwd

Update 2017-10-22: Updated to correct errors in the commands.

Last updated on Aug 06, 2025 23:13 -0400
© 2007 - 2025 Michael Billington