This article provides information on how to generate SSH host keys using various commands in shell mode.

You may not be able to connect to a Junos router/switch/firewall and see the following log messages on the device:

To resolve this issue, regenerate the SSH host keys. Follow this procedure:

1. Log in to the router with root account:
   user@junos> start shell user root
Password:
root@junos%


2. Regenerate host keys: At shell prompt enter the following commands:
   root@junos% ssh-keygen -t ecdsa -b 384 -f /etc/ssh/ssh_host_dsa_key
root@junos% ssh-keygen -t rsa -b 2048 -f /etc/ssh/ssh_host_rsa_key

These commands will prompt for a passphrase, but it should be left blank, as this is not used for outgoing connections.

After this, the device will regenerate the keys.
 

Note 1: It may say “key already exists” but you have to overwrite.

Note 2: It may also say it does not exist. If this happens, the ssh directory may be missing and you will need to create the directory.

user@junos% mkdir /etc/ssh

If you get an error that this already exists, you may be on a version of Junos where the /etc/ssh is a link to another directory.

root@junos% ls -al /etc/ssh
lrw-r--r--  1 root  wheel  11 Dec 31  2018 /etc/ssh -> /cf/etc/ssh

root@junos% ls -al /cf/etc/ssh
lrwxr-xr-x  1 root  wheel  11 Feb  1 14:29 /cf/etc/ssh -> /var/db/ssh

root@junos% ls -al /var/db/ssh
ls: /var/db/ssh: No such file or directory

This is the directory we will need to create.
root@junos% mkdir /var/db/ssh
root@junos%

They you can run the ssh-keygen commands above.

2019-08-03: Updated instructions from EX devices to include all Junos devices. Also, added additional instructions for a common error.