
[Junos] How to regenerate SSH host keys on Junos devices in shell


Article ID: KB24078  KB Last Updated: 03 Aug 2019  Version: 3.0
Summary:

This article provides information on how to generate SSH host keys using various commands in shell mode.

Symptoms:

You may be unable to connect to a Junos router, switch, or firewall, and the following log messages appear on the device:

juniper01 sshd[951]: error: Could not load host key: /etc/ssh/ssh_host_rsa_key
juniper01 sshd[951]: error: Could not load host key: /etc/ssh/ssh_host_dsa_key
juniper01 sshd[951]: Disabling protocol version 2. Could not load host key
juniper01 sshd[951]: sshd: no hostkeys available -- exiting.
juniper01 inetd[820]: /usr/sbin/sshd[951]: exited, status 1
Solution:

To resolve this issue, regenerate the SSH host keys. Follow this procedure:

  1. Log in to the router with the root account:
    user@junos> start shell user root
    Password:
    root@junos%

  2. Regenerate the host keys. At the shell prompt, enter the following commands:
    root@junos% ssh-keygen -t ecdsa -b 384 -f /etc/ssh/ssh_host_dsa_key
    root@junos% ssh-keygen -t rsa -b 2048 -f /etc/ssh/ssh_host_rsa_key

These commands will prompt for a passphrase, but it should be left blank, as this is not used for outgoing connections.

After this, the device will regenerate the keys.
 

Note 1: The command may say “key already exists”; if so, you have to overwrite the existing key.

Note 2: It may also say it does not exist. If this happens, the ssh directory may be missing and you will need to create the directory.

user@junos% mkdir /etc/ssh

If you get an error that this already exists, you may be on a version of Junos where /etc/ssh is a link to another directory.

root@junos% ls -al /etc/ssh
lrw-r--r--  1 root  wheel  11 Dec 31  2018 /etc/ssh -> /cf/etc/ssh

You will then need to check the link target, which will probably be another link.

root@junos% ls -al /cf/etc/ssh
lrwxr-xr-x  1 root  wheel  11 Feb  1 14:29 /cf/etc/ssh -> /var/db/ssh


root@junos% ls -al /var/db/ssh
ls: /var/db/ssh: No such file or directory


This is the directory we will need to create.
root@junos% mkdir /var/db/ssh
root@junos%

Then you can run the ssh-keygen commands above.
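
The link check from Note 2, as an added example that is not part of the Juniper article: a POSIX sh helper that follows the chain from /etc/ssh to its final target, creates that directory if it is missing, and lists which of the two host key files are absent or empty. The function names are hypothetical, and it assumes `/bin/sh` and `readlink` are available in the device shell.

```shell
#!/bin/sh
# Added example, not Juniper's code. Function names are hypothetical.
# Assumes readlink(1) is available in the device shell.

# Print the final non-symlink path reached from $1 (it may not exist yet),
# e.g. /etc/ssh -> /cf/etc/ssh -> /var/db/ssh prints /var/db/ssh.
resolve_link_chain() {
    path=$1
    hops=0
    while [ -L "$path" ]; do
        hops=$((hops + 1))
        # Guard against a symlink loop.
        [ "$hops" -le 16 ] || { echo "too many links: $1" >&2; return 1; }
        target=$(readlink "$path") || return 1
        case $target in
            /*) path=$target ;;                      # absolute target
            *)  path=$(dirname "$path")/$target ;;   # relative to the link's directory
        esac
    done
    printf '%s\n' "$path"
}

# Create the directory the chain ends at if it is missing; print its path.
ensure_hostkey_dir() {
    dir=$(resolve_link_chain "$1") || return 1
    if [ -e "$dir" ] && [ ! -d "$dir" ]; then
        echo "not a directory: $dir" >&2
        return 1
    fi
    # Host key directory should not be group- or world-writable.
    [ -d "$dir" ] || mkdir -m 755 "$dir" || return 1
    printf '%s\n' "$dir"
}

# Print each host key file named in the article that is absent or empty in $1.
missing_host_keys() {
    for key in ssh_host_rsa_key ssh_host_dsa_key; do
        [ -s "$1/$key" ] || printf '%s\n' "$key"
    done
}

# Usage on the device, as root:
#   dir=$(ensure_hostkey_dir /etc/ssh) && missing_host_keys "$dir"
```

Any file name it prints still needs the matching ssh-keygen command from step 2.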

Modification History:
2019-08-03: Updated instructions from EX devices to include all Junos devices. Also, added additional instructions for a common error.