SSH automatically generates host keys when the SSH server starts for the first time. This message is normal and expected on new systems or fresh containers, but can be concerning if it happens unexpectedly on an existing server.
When you see "ssh-keygen: generating new host keys: RSA DSA ECDSA ED25519", SSH is creating cryptographic key pairs that uniquely identify your server. Host keys are used to:
1. **Authenticate the server** - Prove that the server is who it claims to be when clients connect
2. **Prevent man-in-the-middle attacks** - Clients can verify they're connecting to the legitimate server by checking the stored host key
3. **Secure the initial connection setup** - These keys are used during the key exchange, before user authentication begins
The message lists the key types being generated: RSA (older but widely supported), DSA (deprecated), ECDSA (elliptic curve), and ED25519 (modern, recommended). Each key type is generated as a pair: a private key (kept secret on the server) and a public key (shared with clients).
This is the default and recommended behavior. SSH will automatically create the necessary key files on first startup:
# The SSH daemon will auto-generate keys at:
/etc/ssh/ssh_host_rsa_key
/etc/ssh/ssh_host_ecdsa_key
/etc/ssh/ssh_host_ed25519_key
This happens automatically and is safe. The keys are unique to your server and stored securely. Clients will cache the public key in their ~/.ssh/known_hosts file after the first connection.
After SSH starts, check that the host keys exist:
ls -la /etc/ssh/ssh_host_*key
You should see several files:
- ssh_host_rsa_key and ssh_host_rsa_key.pub
- ssh_host_ecdsa_key and ssh_host_ecdsa_key.pub
- ssh_host_ed25519_key and ssh_host_ed25519_key.pub
The private keys should have permissions 600 (readable/writable by root only).
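The verification step above as a script, added here as an example and not taken from the original article: it checks that each expected key exists, that its private half is mode 600 and owned by the expected user, and that its public half names the matching algorithm, printing the fingerprint when ssh-keygen is installed. It assumes GNU stat (Linux); the directory and owner are parameters so it can be pointed at a staging directory.

```shell
#!/bin/sh
# Added example, not code from the original article: audit sshd host keys.
# check_host_keys DIR OWNER prints one line per key and returns 0 only if
# every expected key (rsa, ecdsa, ed25519) is present, mode 600, owned by
# OWNER, and has a well-formed public half. Assumes GNU stat (Linux).
check_host_keys() {
    key_dir="${1:-/etc/ssh}"
    owner="${2:-root}"
    status=0
    for type in rsa ecdsa ed25519; do
        priv="$key_dir/ssh_host_${type}_key"
        pub="$priv.pub"
        if [ ! -f "$priv" ]; then
            echo "MISSING  $priv  (create with: sudo ssh-keygen -A)"
            status=1
            continue
        fi
        # The private half must be readable/writable by its owner only (600).
        mode=$(stat -c '%a' "$priv")
        who=$(stat -c '%U' "$priv")
        if [ "$mode" != "600" ] || [ "$who" != "$owner" ]; then
            echo "BADPERM  $priv is $who:$mode, expected $owner:600  (fix: chmod 600 $priv)"
            status=1
        fi
        # The public half starts with the algorithm name; it must match the file name.
        algo=$(awk 'NR==1 {print $1}' "$pub" 2>/dev/null || true)
        case "$type:$algo" in
            rsa:ssh-rsa|ed25519:ssh-ed25519|ecdsa:ecdsa-sha2-nistp*) ;;
            *)  echo "BADPUB   $pub missing or does not start with the $type key type"
                status=1
                continue ;;
        esac
        # Record the fingerprint (what clients compare against known_hosts) when
        # ssh-keygen is available, e.g. before cloning or regenerating keys.
        if command -v ssh-keygen >/dev/null 2>&1; then
            ssh-keygen -lf "$pub" 2>/dev/null || echo "OK       $pub"
        else
            echo "OK       $pub"
        fi
    done
    return "$status"
}

# On a real host: sudo sh -c '. ./check_host_keys.sh; check_host_keys /etc/ssh root'
```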
If auto-generation didn't work, you can manually generate them with ssh-keygen -A (which only creates missing keys):
sudo ssh-keygen -A
Or generate specific key types manually:
# Generate RSA key (4096-bit)
sudo ssh-keygen -t rsa -b 4096 -f /etc/ssh/ssh_host_rsa_key -N ""
# Generate ECDSA key
sudo ssh-keygen -t ecdsa -b 521 -f /etc/ssh/ssh_host_ecdsa_key -N ""
# Generate ED25519 key (recommended, modern)
sudo ssh-keygen -t ed25519 -f /etc/ssh/ssh_host_ed25519_key -N ""
The -N "" flag sets an empty passphrase (required for host keys).
After generating keys, restart the SSH service:
# On systemd systems (Ubuntu, Debian, RHEL)
sudo systemctl restart ssh
# or
sudo systemctl restart sshd
# On older systems
sudo service ssh restart
# or
sudo service sshd restart
Verify it's running:
sudo systemctl status ssh
Key Type Recommendations:
- ED25519: Most recommended for new deployments. Fastest, most secure, smallest key size, resistant to all known attacks.
- ECDSA: Good alternative with elliptic curve cryptography if ED25519 isn't available.
- RSA: Still widely supported. Use 4096-bit keys if you must use RSA; 2048-bit is no longer considered adequately secure.
- DSA: Deprecated and disabled in newer OpenSSH versions. Do not use.
Docker/Container Note: If you're building Docker images, it's a security risk to pre-generate SSH host keys in the image; all containers from that image would share the same keys. Instead, generate keys at container startup using an entrypoint script or let the sshd package auto-generate them.
Virtual Machine/Cloud Images: Similar to Docker, VM images should not include pre-generated host keys. They should be generated on first boot to ensure each instance has unique keys.
Regenerating Existing Keys: The command ssh-keygen -A only creates missing keys; it won't overwrite existing ones. To completely regenerate all keys:
sudo rm /etc/ssh/ssh_host_*
sudo ssh-keygen -A
This is useful after cloning VMs or containers, but be aware that clients will see "Host key has changed" warnings because the fingerprint is different.