Title: How to rotate OpenSSH keys
Date: 2023-03-24 15:45

In light of [GitHub hastily replacing their RSA SSH host key](https://github.blog/2023-03-23-we-updated-our-rsa-ssh-host-key/),
I wondered how one could rotate SSH host keys properly, without having to manage a
[PKI](https://en.wikipedia.org/wiki/Public_key_infrastructure), and without
users being shown the scary `@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @`
banner.

Fortunately, host-key rotation was [added in OpenSSH
6.8](https://lwn.net/Articles/637156/), almost 10 years ago, and was documented
in [two](http://blog.djm.net.au/2015/02/key-rotation-in-openssh-68.html)
[blog posts](http://blog.djm.net.au/2015/02/hostkey-rotation-redux.html) by
[djm](https://twitter.com/damienmiller). It's pretty straightforward: generate a
new key with `ssh-keygen`, add it to `/etc/ssh/sshd_config` via a `HostKey`
directive, and *reload* sshd.

Because `UpdateHostKeys` is enabled by default client-side, clients will
automatically **add** new keys to, and **remove** withdrawn keys from, their
`UserKnownHostsFile`. To mark the old key as revoked, add it to
`/etc/ssh/ssh_revoked_hosts` and add `RevokedHostKeys /etc/ssh/ssh_revoked_hosts`
to the `.ssh/config` file. One should also remove the old key from the
`.ssh/known_hosts` file, although this happens automatically on the client's
next connection once the key has been removed from the server's
`/etc/ssh/sshd_config`.

There is currently no way for a server to tell the user that a certain key is
revoked, except by adding it to `RevokedHostKeys`, but this only prevents users
from using it to connect to this particular server, not globally.

Don't forget to rotate your [SSHFP](https://en.wikipedia.org/wiki/SSHFP_record)
DNS records as well.
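The steps above (publish the new key, reload, withdraw the old key, revoke it client-side, republish SSHFP) as one staged script. This is an added example, not code from the post or from OpenSSH; the config and key paths are parameters, the old public key in the demo is a constructed placeholder, and the reload is left as a comment so the script can be exercised on a scratch copy first.

```shell
#!/bin/sh
# Staged host-key rotation helpers. Added example, not code from the post;
# every path is a parameter, so it can be exercised on a scratch copy first.
set -eu

# Phase 1: offer the new key next to the old one. UpdateHostKeys clients learn
# every key sshd offers, so the old key must stay until they have reconnected.
add_host_key() {            # add_host_key <sshd_config> <private-key path>
  cfg=$1 key=$2
  grep -qx "HostKey $key" "$cfg" && return 0      # already listed
  if grep -q '^HostKey ' "$cfg"; then             # new key first, before the old ones
    awk -v k="HostKey $key" '!d && /^HostKey /{print k; d=1} {print}' "$cfg" >"$cfg.tmp"
  else
    { cat "$cfg"; echo "HostKey $key"; } >"$cfg.tmp"
  fi
  mv "$cfg.tmp" "$cfg"
}

# Phase 2, after a grace period and a reload: withdraw the old key. On their
# next connection, UpdateHostKeys clients drop it from known_hosts themselves.
remove_host_key() {         # remove_host_key <sshd_config> <private-key path>
  cfg=$1 key=$2
  grep -vx "HostKey $key" "$cfg" >"$cfg.tmp" || true
  mv "$cfg.tmp" "$cfg"
}

# Client side: list the retired public key in the RevokedHostKeys file, so the
# client refuses it even if a server still presents it. Idempotent.
revoke_host_key() {         # revoke_host_key <revoked-hosts file> <old .pub>
  touch "$1"
  grep -qxF "$(cat "$2")" "$1" || cat "$2" >>"$1"
}

# DNS: print the SSHFP records to publish for the new key.
sshfp_records() { ssh-keygen -r "$1" -f "$2"; }   # sshfp_records <hostname> <.pub>

# Walk the phases against a constructed sshd_config in a scratch directory.
demo() {
  d=$(mktemp -d)
  printf 'Port 22\nHostKey /etc/ssh/ssh_host_rsa_key\nPermitRootLogin no\n' >"$d/sshd_config"
  echo 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDconstructed-old-key root@host' >"$d/old.pub"
  add_host_key "$d/sshd_config" /etc/ssh/ssh_host_ed25519_key
  # reload point: sshd -t -f "$d/sshd_config" && systemctl reload sshd, then wait
  remove_host_key "$d/sshd_config" /etc/ssh/ssh_host_rsa_key
  revoke_host_key "$d/ssh_revoked_hosts" "$d/old.pub"
  cat "$d/sshd_config" "$d/ssh_revoked_hosts"
  rm -r "$d"
}
demo
```

Run `sshfp_records "$(hostname)" /etc/ssh/ssh_host_ed25519_key.pub` once the new key really exists and put its output in DNS before withdrawing the old key.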
