> The odd thing is, I use ed25519 keys. The server sent an ed25519 key,
> but my SSH client complained about an ecdsa key. I did not take note
> if ecdsa was used in the past despite having an ed25519 key.

I'm wondering if this is CVE-2026-35387.

Christos Papakonstantinou discovered that OpenSSH incorrectly handled
parsing the PubkeyAcceptedAlgorithms and HostbasedAcceptedAlgorithms
options. This could result in unintended ECDSA algorithms being used,
contrary to expectations.

Jeff

On Fri, Apr 10, 2026 at 8:37 PM Jeffrey Walton <[email protected]> wrote:
>
> My bad, I should have posted the SSH warning, too. The same warning
> was generated on a Fedora 43 machine (fully patched) and an Ubuntu
> 24.04.5 machine (fully patched, too).
>
> The odd thing is, I use ed25519 keys. The server sent an ed25519 key,
> but my SSH client complained about an ecdsa key. I did not take note
> if ecdsa was used in the past despite having an ed25519 key.
>
> Jeff
>
> On Fri, Apr 10, 2026 at 8:17 PM Jeffrey Walton <[email protected]> wrote:
> >
> > Hi Everyone,
> >
> > Please forgive my ignorance... I am running Debian Bookworm on a
> > Hostinger VPS. I tried to SSH into the machine today, and the host
> > SSH key change warning snapped due to Strict Host Key Checking.
> >
> > My question is, does Debian automatically rotate SSH keys on a server?
> >
> > (I don't ever recall reading or seeing an automatic rotation of an SSH
> > host key. But I wanted to rule it out before I burn the web server to
> > the ground).
> >
> > Thanks in advance.
>
> $ ssh cryptopp.com
> @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
> @ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
> @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
> IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
> Someone could be eavesdropping on you right now (man-in-the-middle attack)!
> It is also possible that a host key has just been changed.
> The fingerprint for the ED25519 key sent by the remote host is
> SHA256:OTLUNQZNIz4A1Cz9/fSEmvyfqxZaGT2xcFcF2yAcYIg.
> Please contact your system administrator.
> Add correct host key in /home/jwalton/.ssh/known_hosts to get rid of
> this message.
> Offending ECDSA key in /home/jwalton/.ssh/known_hosts:33
> remove with:
> ssh-keygen -f "/home/jwalton/.ssh/known_hosts" -R "cryptopp.com"
> Host key for cryptopp.com has changed and you have requested strict checking.
> Host key verification failed.
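
An added example, not part of the thread: before running the `ssh-keygen -R` command from the warning, it helps to see which key types and fingerprints `known_hosts` actually holds for the host, so the fingerprint in the warning can be compared against them and against one read from the server's console. The sketch below parses `known_hosts` text, including hashed host fields, and classifies the situation in the warning above (ED25519 sent, ECDSA stored). The host name `vps.example`, the key bytes and the helper names are constructed for illustration.

```python
import base64, hashlib, hmac, struct

def fingerprint(b64_blob):
    """SHA256 fingerprint of a base64 key blob, in the form ssh prints it."""
    digest = hashlib.sha256(base64.b64decode(b64_blob)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def host_matches(field, host):
    """Match one known_hosts host field: hashed (|1|salt|hmac) or plain list."""
    if field.startswith("|1|"):
        _, _, salt, mac = field.split("|")
        want = hmac.new(base64.b64decode(salt), host.encode(), hashlib.sha1)
        return hmac.compare_digest(want.digest(), base64.b64decode(mac))
    return host in field.split(",")  # exact names only; no wildcards or [host]:port

def entries_for(text, host):
    """Return (line_no, key_type, fingerprint) for each key stored for host."""
    found = []
    for n, line in enumerate(text.splitlines(), 1):
        fields = line.split()
        if len(fields) < 3 or fields[0].startswith(("#", "@")):
            continue  # skip blanks, comments and @cert-authority/@revoked markers
        if host_matches(fields[0], host):
            found.append((n, fields[1], fingerprint(fields[2])))
    return found

def diagnose(text, host, sent_type, sent_fp):
    """Classify a host-key warning from what known_hosts holds for host."""
    stored = entries_for(text, host)
    if any(fp == sent_fp for _, _, fp in stored):
        return "sent key is already trusted", stored
    if any(t == sent_type for _, t, _ in stored):
        return "stored key of the same type differs", stored
    return "no stored key of the sent type", stored

def _blob(*parts):  # constructed SSH wire blob: length-prefixed strings
    raw = b"".join(struct.pack(">I", len(p)) + p for p in parts)
    return base64.b64encode(raw).decode()

# Constructed sample: dummy key bytes and a placeholder host name, not real keys.
HOST, SALT = "vps.example", bytes(range(20))
ECDSA = _blob(b"ecdsa-sha2-nistp256", b"nistp256", b"\x04" + bytes(64))
ED25519 = _blob(b"ssh-ed25519", bytes(range(32)))
MAC = hmac.new(SALT, HOST.encode(), hashlib.sha1).digest()
HASHED = "|1|%s|%s" % (base64.b64encode(SALT).decode(), base64.b64encode(MAC).decode())
KNOWN_HOSTS = "# constructed file\n%s ecdsa-sha2-nistp256 %s\n" % (HASHED, ECDSA)

if __name__ == "__main__":
    print(diagnose(KNOWN_HOSTS, HOST, "ssh-ed25519", fingerprint(ED25519)))
```

Against a real file, pass the contents of `~/.ssh/known_hosts` as `text` and the key type and fingerprint from the warning as `sent_type` and `sent_fp`.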