Don't Get Locked Out of Your Server
Learn how to view authentication logs on Linux systems and analyze them for SSH errors. We will also see some automated bot spam in action.
Authentication Logs
As I recommend anyone with a public-facing server do, I was viewing the authentication logs for my blog website. Besides the typical array of bot spam, there was also an error message that kept appearing.
INFO: Authentication logs are located in the /var/log/auth.log file. This file records authentication-related events (such as login attempts) on Linux systems.
Oct 25 15:28:01 blog sshd[15947]: error: Could not load host key: /etc/ssh/ssh_host_ed25519_key
Oct 25 15:28:01 blog sshd[15947]: error: Could not load host key: /etc/ssh/ssh_host_ecdsa_key
These error messages would appear whenever an SSH client attempted to connect to my server. If you don't know, the SSH protocol requires a server to prove its identity to clients with host keys. Here, my SSH server (sshd) is trying to load its configured host keys to authenticate itself with the client. However, these keys are missing: ssh_host_ed25519_key and ssh_host_ecdsa_key.
What Does This Mean?
As these keys were missing, the SSH server would fall back to the key it did have: ssh_host_rsa_key. I am lucky that this key is still available! If this key were missing too, then no host keys would be available and SSH clients would be unable to verify the identity of my server. This means I would be locked out of my server!
ERROR: If there are no valid host keys available then SSH connections fail!
If you are curious as to how this is configured, it is usually done in the /etc/ssh/sshd_config file, specifically by the HostKey lines. An example is below:
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
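The check below is an added example, not part of the original post: it reads the HostKey lines from an sshd_config-style file and reports which key files are missing, separating the fallback situation described above from the lockout case. The function name check_host_keys, its return codes, and the temporary sample files are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audit the HostKey entries of an sshd_config-style file.
# Return codes (chosen for this example, not an sshd convention):
#   0 = every configured host key is present
#   1 = some keys missing, but at least one usable (sshd can fall back)
#   2 = no usable host key at all (SSH connections would fail)
# Assumes explicit, whitespace-separated "HostKey <path>" lines.
check_host_keys() {
    config=$1
    present=0
    missing=0
    # The keyword is case-insensitive; commented-out lines do not match.
    paths=$(awk 'tolower($1) == "hostkey" { print $2 }' "$config")
    for key in $paths; do
        # A usable key file must exist, be non-empty and be readable.
        if [ -s "$key" ] && [ -r "$key" ]; then
            present=$((present + 1))
        else
            echo "MISSING: $key"
            missing=$((missing + 1))
        fi
    done
    [ "$present" -eq 0 ] && return 2
    [ "$missing" -gt 0 ] && return 1
    return 0
}

# Constructed sample: the three HostKey lines from the post, with only
# the RSA key file present (placeholder content, not a real key).
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
printf 'placeholder-rsa-key\n' > "$demo_dir/ssh_host_rsa_key"
cat > "$demo_dir/sshd_config" <<EOF
HostKey $demo_dir/ssh_host_rsa_key
HostKey $demo_dir/ssh_host_ecdsa_key
HostKey $demo_dir/ssh_host_ed25519_key
EOF

demo_rc=0
check_host_keys "$demo_dir/sshd_config" || demo_rc=$?
echo "check_host_keys exit status: $demo_rc"
```

On a real server, point it at /etc/ssh/sshd_config and run it as root, since private host keys are readable only by root. Running sshd -t also validates the configuration and the keys.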
What I Did
To be honest, I am not sure how these keys disappeared. However, it was an easy fix to remove these error messages. I simply ran the following command to generate the missing keys:
ssh-keygen -A
This command generates any default host keys that are missing. Now when I observe my authentication logs I no longer see these error messages. So I guess I should be thanking the bots for pointing out this potential flaw in my system!