• Does Debian rotate host SSH keys on a server?

    From Jeffrey Walton@3:633/10 to All on Saturday, April 11, 2026 02:20:01
    Hi Everyone,

    Please forgive my ignorance... I am running Debian Bookworm on a
    Hostinger VPS. I tried to SSH into the machine today, and the host
    SSH key change warning snapped due to Strict Host Key Checking.

    My question is, does Debian automatically rotate SSH keys on a server?

    (I don't ever recall reading or seeing an automatic rotation of an SSH
    host key. But I wanted to rule it out before I burn the web server to
    the ground).

    Thanks in advance.

    Jeff

    --- PyGate Linux v1.5.13
    * Origin: Dragon's Lair, PyGate NNTP<>Fido Gate (3:633/10)
  • From Jeffrey Walton@3:633/10 to All on Saturday, April 11, 2026 02:40:02
    My bad, I should have posted the SSH warning, too. The same warning
    was generated on a Fedora 43 machine (fully patched) and a Ubuntu
    24.04.5 machine (fully patched, too).

    The odd thing is, I use ed25519 keys. The server sent an ed25519 key,
    but my SSH client complained about an ecdsa key. I did not take note
    if ecdsa was used in the past despite having an ed25519 key.

    Jeff

    On Fri, Apr 10, 2026 at 8:17 PM Jeffrey Walton <noloader@gmail.com>
    wrote:

    > Hi Everyone,
    >
    > Please forgive my ignorance... I am running Debian Bookworm on a
    > Hostinger VPS. I tried to SSH into the machine today, and the host
    > SSH key change warning snapped due to Strict Host Key Checking.
    >
    > My question is, does Debian automatically rotate SSH keys on a server?
    >
    > (I don't ever recall reading or seeing an automatic rotation of an SSH
    > host key. But I wanted to rule it out before I burn the web server to
    > the ground).
    >
    > Thanks in advance.
    >
    > $ ssh cryptopp.com
    > @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
    > @    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
    > @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
    > IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
    > Someone could be eavesdropping on you right now (man-in-the-middle attack)!
    > It is also possible that a host key has just been changed.
    > The fingerprint for the ED25519 key sent by the remote host is
    > SHA256:OTLUNQZNIz4A1Cz9/fSEmvyfqxZaGT2xcFcF2yAcYIg.
    > Please contact your system administrator.
    > Add correct host key in /home/jwalton/.ssh/known_hosts to get rid of
    > this message.
    > Offending ECDSA key in /home/jwalton/.ssh/known_hosts:33
    >   remove with:
    >   ssh-keygen -f "/home/jwalton/.ssh/known_hosts" -R "cryptopp.com"
    > Host key for cryptopp.com has changed and you have requested strict checking.
    > Host key verification failed.

  • From Greg Wooledge@3:633/10 to All on Saturday, April 11, 2026 04:40:01
    On Fri, Apr 10, 2026 at 20:37:02 -0400, Jeffrey Walton wrote:
    > My question is, does Debian automatically rotate SSH keys on a server?

    No, it doesn't.

    > Please forgive my ignorance... I am running Debian Bookworm on a
    > Hostinger VPS.

    I'm not familiar with this company, but in general, hosting providers
    (VPS or otherwise) very often introduce changes of their own. So, it's
    conceivable that Hostinger may have added something that would cause
    the SSH host keys to change.

    > The odd thing is, I use ed25519 keys. The server sent an ed25519 key,
    > but my SSH client complained about an ecdsa key. I did not take note
    > if ecdsa was used in the past despite having an ed25519 key.

    If I had to guess...

    > $ ssh cryptopp.com
    > @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
    > @    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
    > @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
    > IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
    > Someone could be eavesdropping on you right now (man-in-the-middle attack)!
    > It is also possible that a host key has just been changed.
    > The fingerprint for the ED25519 key sent by the remote host is
    > SHA256:OTLUNQZNIz4A1Cz9/fSEmvyfqxZaGT2xcFcF2yAcYIg.
    > Please contact your system administrator.
    > Add correct host key in /home/jwalton/.ssh/known_hosts to get rid of
    > this message.
    > Offending ECDSA key in /home/jwalton/.ssh/known_hosts:33

    ... I would guess that the host originally had only ECDSA and RSA
    keys, and the ed25519 key was added later. Possibly upon a reboot,
    because it's extremely common for systems to have scripts that
    generate missing SSH host keys during boot.

    If you log in, you might look at the timestamps on the /etc/ssh/*_host_*
    files, and see whether they were changed/created recently.

    It's also possible that something malicious is occurring, but so far
    you haven't provided enough evidence to prove that.

  • From Michel Verdier@3:633/10 to All on Saturday, April 11, 2026 09:50:01
    On 2026-04-10, Jeffrey Walton wrote:

    > $ ssh cryptopp.com
    > @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
    > @    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
    > @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
    > IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
    > Someone could be eavesdropping on you right now (man-in-the-middle attack)!
    > It is also possible that a host key has just been changed.
    > The fingerprint for the ED25519 key sent by the remote host is
    > SHA256:OTLUNQZNIz4A1Cz9/fSEmvyfqxZaGT2xcFcF2yAcYIg.
    > Please contact your system administrator.
    > Add correct host key in /home/jwalton/.ssh/known_hosts to get rid of
    > this message.
    > Offending ECDSA key in /home/jwalton/.ssh/known_hosts:33
    >   remove with:
    >   ssh-keygen -f "/home/jwalton/.ssh/known_hosts" -R "cryptopp.com"
    > Host key for cryptopp.com has changed and you have requested strict checking.
    > Host key verification failed.

    openssh changed its preferred key from ECDSA to ED25519. It was some time
    ago. But as Greg said each provider cooks their servers differently. So
    it seems your server had an ECDSA key and now has both or only
    ED25519. Perhaps you should log on to your server and check its keys in
    /etc/ssh. You can also check the server config with:
    sshd -T
    If all is OK remove the old ECDSA key with ssh-keygen as shown.

  • From Andy Smith@3:633/10 to All on Saturday, April 11, 2026 11:20:01
    Hi,

    On Fri, Apr 10, 2026 at 10:29:42PM -0400, Greg Wooledge wrote:
    > On Fri, Apr 10, 2026 at 20:37:02 -0400, Jeffrey Walton wrote:
    > > $ ssh cryptopp.com
    > > @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
    > > @    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
    > > @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
    > > IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
    > > Someone could be eavesdropping on you right now (man-in-the-middle attack)!
    > > It is also possible that a host key has just been changed.
    > > The fingerprint for the ED25519 key sent by the remote host is
    > > SHA256:OTLUNQZNIz4A1Cz9/fSEmvyfqxZaGT2xcFcF2yAcYIg.
    > > Please contact your system administrator.
    > > Add correct host key in /home/jwalton/.ssh/known_hosts to get rid of
    > > this message.
    > > Offending ECDSA key in /home/jwalton/.ssh/known_hosts:33
    >
    > ... I would guess that the host originally had only ECDSA and RSA
    > keys, and the ed25519 key was added later. Possibly upon a reboot,
    > because it's extremely common for systems to have scripts that
    > generate missing SSH host keys during boot.

    I was thinking that, and I have had that sort of thing happen before,
    but the practical effect of that happening is that you get the "unknown
    host key" message, because it is literally a new host key type that you
    have never seen before.

    In this case, Jeffrey's host key has changed from some earlier time, and
    I don't know how that would happen. Unless perhaps Jeffrey had an
    earlier incarnation of this host, where he knew it by its ED25519 host
    key, then he reinstalled it and (only) knew the new one by its ECDSA
    host key, but then it (as part of a package upgrade or similar) decided
    to offer a (new) ED25519 host key that now does not match the old one
    that Jeffrey's clients still know.

    Anyway, there is nothing in Debian that changes existing host keys.
    While a hosting provider can do anything of course, messing with SSH
    host keys always causes support burden so it is generally avoided.

    Thanks,
    Andy

    --
    https://bitfolk.com/ -- No-nonsense VPS hosting

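    The three checks suggested in Greg's, Michel's and Andy's replies can be reproduced offline. The script below is an added example for this thread, not code from any of the posters: it parses a known_hosts file (plain and hashed entries), computes the SHA256 fingerprints that ssh prints, and applies the rule OpenSSH's known_hosts lookup actually uses: the offered key is compared against every stored key for that host regardless of key type, so a stored ECDSA entry plus a server that now offers only ED25519 yields the "HAS CHANGED" warning with the ECDSA line as "offending" (exactly what the pasted output shows), while "unknown host" only appears when the host has no entry at all. It also lists the mtime and fingerprint of each ssh_host_*_key.pub in a directory, the server-side check Greg describes. The host names vps.example and 203.0.113.10, the temporary directory, and all key bytes are constructed for the example and are not valid keys.

```python
"""Offline triage of an OpenSSH "REMOTE HOST IDENTIFICATION HAS CHANGED" warning.
Added example; all key material below is constructed dummy data, not real keys."""
import base64
import hashlib
import hmac
import os
import struct
import tempfile
import time


def ssh_string(data):
    """RFC 4251 'string': 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def make_blob(keytype, *fields):
    """Public-key blob in OpenSSH wire format: the type string, then its fields."""
    return b"".join(ssh_string(f) for f in (keytype.encode(),) + fields)


def fingerprint(blob):
    """The value `ssh-keygen -lf` prints: SHA256 of the blob, base64 without padding."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def b64(data):
    return base64.b64encode(data).decode()


def hashed_host_entry(host, salt):
    """Host field as written with HashKnownHosts=yes: |1|b64(salt)|b64(HMAC-SHA1(salt, host))."""
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (b64(salt), b64(mac))


def host_matches(field, host):
    """True if a known_hosts host field (comma-separated, possibly hashed) names host."""
    for pattern in field.split(","):
        if pattern.startswith("|1|"):
            _, _, salt_b64, mac_b64 = pattern.split("|")
            salt = base64.b64decode(salt_b64)
            mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
            if hmac.compare_digest(mac, base64.b64decode(mac_b64)):
                return True
        elif pattern == host:
            return True
    return False


def classify(known_hosts, host, offered_type, offered_blob):
    """What ssh would say about the offered key, following OpenSSH's check_key_in_hostkeys():
    OK if any stored key for the host equals it; CHANGED if the host has stored keys but none
    match (key type does not matter, so ECDSA stored + ED25519 offered is CHANGED);
    NEW only when the host has no entry at all."""
    stored = []
    for lineno, raw in enumerate(known_hosts.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#@":  # comments; @cert-authority/@revoked out of scope here
            continue
        parts = line.split()
        if len(parts) < 3:
            continue
        host_field, keytype, blob_b64 = parts[:3]
        if host_matches(host_field, host):
            stored.append((lineno, keytype, base64.b64decode(blob_b64)))
    if not stored:
        return {"status": "NEW", "offending": []}
    for lineno, keytype, blob in stored:
        if keytype == offered_type and blob == offered_blob:
            return {"status": "OK", "line": lineno, "offending": []}
    return {"status": "CHANGED", "offered": fingerprint(offered_blob),
            "offending": [(ln, kt, fingerprint(bl)) for ln, kt, bl in stored]}


def audit_host_key_dir(ssh_dir):
    """Server-side check: (file, mtime UTC, type, fingerprint) per ssh_host_*_key.pub in ssh_dir."""
    rows = []
    for name in sorted(os.listdir(ssh_dir)):
        if not (name.startswith("ssh_host_") and name.endswith("_key.pub")):
            continue
        path = os.path.join(ssh_dir, name)
        with open(path) as fh:
            keytype, blob_b64 = fh.read().split()[:2]
        mtime = time.strftime("%Y-%m-%d %H:%M:%S", time.gmtime(os.stat(path).st_mtime))
        rows.append((name, mtime, keytype, fingerprint(base64.b64decode(blob_b64))))
    return rows


# --- constructed sample data (dummy bytes, not valid curve points or keys) ---
ECDSA_BLOB = make_blob("ecdsa-sha2-nistp256", b"nistp256", b"\x04" + bytes(range(64)))
ED25519_BLOB = make_blob("ssh-ed25519", bytes(range(32)))
# The thread's situation: the client only ever stored an ECDSA key for the VPS (line 3).
KNOWN_HOSTS = ("# constructed known_hosts for the example\n"
               "other.example ssh-ed25519 %s\n"
               "vps.example,203.0.113.10 ecdsa-sha2-nistp256 %s\n"
               % (b64(make_blob("ssh-ed25519", bytes(range(32, 64)))), b64(ECDSA_BLOB)))
# Same host in hashed form, this time already knowing the ED25519 key the server offers.
HASHED_KNOWN_HOSTS = "%s ssh-ed25519 %s\n" % (
    hashed_host_entry("vps.example", b"0123456789abcdefghij"), b64(ED25519_BLOB))


def demo_server_dir():
    """Write a throwaway /etc/ssh look-alike with one host key and audit it."""
    tmp = tempfile.mkdtemp()
    with open(os.path.join(tmp, "ssh_host_ed25519_key.pub"), "w") as fh:
        fh.write("ssh-ed25519 %s root@vps\n" % b64(ED25519_BLOB))
    return audit_host_key_dir(tmp)


if __name__ == "__main__":
    print(classify(KNOWN_HOSTS, "vps.example", "ssh-ed25519", ED25519_BLOB))
    print(classify(HASHED_KNOWN_HOSTS, "vps.example", "ssh-ed25519", ED25519_BLOB))
    for row in demo_server_dir():
        print(*row)
```

    Run on a real box, feed `classify` the contents of ~/.ssh/known_hosts and the type and base64 blob from `ssh-keyscan -t ed25519 <host>`, and point `audit_host_key_dir` at /etc/ssh after logging in: a CHANGED verdict whose offending entries are all of a different type than the offered key, together with a recent mtime on only the new key file, is the "key type added later" story from the replies above; a CHANGED verdict against a stored key of the same type is the case that still needs explaining before the old entry is removed.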
  • From William David Edwards@3:633/10 to All on Saturday, April 11, 2026 11:50:01
    Jeffrey Walton wrote on 2026-04-11 02:17:
    > Hi Everyone,
    >
    > Please forgive my ignorance... I am running Debian Bookworm on a
    > Hostinger VPS. I tried to SSH into the machine today, and the host
    > SSH key change warning snapped due to Strict Host Key Checking.
    >
    > My question is, does Debian automatically rotate SSH keys on a server?

    No. But if I had to guess: Cloud-init re-ran.

    > (I don't ever recall reading or seeing an automatic rotation of an SSH
    > host key. But I wanted to rule it out before I burn the web server to
    > the ground).
    >
    > Thanks in advance.
    >
    > Jeff

    Kind regards,

    William David Edwards

  • From Klaus Singvogel@3:633/10 to All on Sunday, April 12, 2026 00:50:01

    Hi,

    As others have already mentioned, Debian does not change the host keys by default.

    The package "cloud-init" can regenerate SSH host keys on every reboot. I'm not sure whether cloud-init is installed on your system, but if it is, you can disable this behavior by creating a file such as /etc/cloud/cloud.cfg.d/01_sshkeys.cfg with the following content:

    ssh_deletekeys: false

    Best regards,
    Klaus.
    --
    Klaus Singvogel
    GnuPG-Key-ID: 1024R/5068792D 1994-06-27

  • From Jeffrey Walton@3:633/10 to All on Wednesday, April 29, 2026 15:30:01
    > The odd thing is, I use ed25519 keys. The server sent an ed25519 key,
    > but my SSH client complained about an ecdsa key. I did not take note
    > if ecdsa was used in the past despite having an ed25519 key.

    I'm wondering if this is CVE-2026-35387.

    Christos Papakonstantinou discovered that OpenSSH incorrectly handled
    parsing the PubkeyAcceptedAlgorithms and HostbasedAcceptedAlgorithms
    options. This could result in unintended ECDSA algorithms being used,
    contrary to expectations.

    Jeff

    On Fri, Apr 10, 2026 at 8:37 PM Jeffrey Walton <noloader@gmail.com>
    wrote:

    > My bad, I should have posted the SSH warning, too. The same warning
    > was generated on a Fedora 43 machine (fully patched) and a Ubuntu
    > 24.04.5 machine (fully patched, too).
    >
    > The odd thing is, I use ed25519 keys. The server sent an ed25519 key,
    > but my SSH client complained about an ecdsa key. I did not take note
    > if ecdsa was used in the past despite having an ed25519 key.
    >
    > Jeff
    >
    > On Fri, Apr 10, 2026 at 8:17 PM Jeffrey Walton <noloader@gmail.co
    > wrote:
    >
    > > Hi Everyone,
    > >
    > > Please forgive my ignorance... I am running Debian Bookworm on a
    > > Hostinger VPS. I tried to SSH into the machine today, and the host
    > > SSH key change warning snapped due to Strict Host Key Checking.
    > >
    > > My question is, does Debian automatically rotate SSH keys on a server?
    > >
    > > (I don't ever recall reading or seeing an automatic rotation of an SSH
    > > host key. But I wanted to rule it out before I burn the web server to
    > > the ground).
    > >
    > > Thanks in advance.
    > >
    > > $ ssh cryptopp.com
    > > @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
    > > @    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
    > > @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
    > > IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
    > > Someone could be eavesdropping on you right now (man-in-the-middle attack)!
    > > It is also possible that a host key has just been changed.
    > > The fingerprint for the ED25519 key sent by the remote host is
    > > SHA256:OTLUNQZNIz4A1Cz9/fSEmvyfqxZaGT2xcFcF2yAcYIg.
    > > Please contact your system administrator.
    > > Add correct host key in /home/jwalton/.ssh/known_hosts to get rid of
    > > this message.
    > > Offending ECDSA key in /home/jwalton/.ssh/known_hosts:33
    > >   remove with:
    > >   ssh-keygen -f "/home/jwalton/.ssh/known_hosts" -R "cryptopp.com"
    > > Host key for cryptopp.com has changed and you have requested strict checking.
    > > Host key verification failed.

    --- PyGate Linux v1.5.14
    * Origin: Dragon's Lair, PyGate NNTP<>Fido Gate (3:633/10)