Why would ssh keys change on a pfSense power cycle?

MakOwner · Jan 14, 2017, 11:44 PM

I just set up a virtual pfSense instance a few days ago.

I took down my ESXi server to add in a quad port Intel NIC.
pfSense at power up reported missing SSH keys and generated new ones.
At the same time the VMWare console failed to connect reporting invalid SSL.

I found a VMWare KB article that stated doing a power off and restart would regenerate the keys, which did resolve the issue.
I answered and cleared the alerts on pfSense.

My question is what would cause this chain of events that appear to have been initiated by the powercycle/hardware add on the ESXi server?
Is this normal?
Should I be concerned? This is the first time I have had an ESXi interface connected directly to the internet, and I'm still somewhat concerned this set up may not be as secure as a physical pfSense configuration.

behemyth · Jan 18, 2017, 1:41 AM

As long as you set up the vswitch so that only the pfsense box has a LAN port on it, and its running to a dedicated esxi NIC your fine.

That's not as uncommon as you think. I run into that all the time when I work on networking chassis or firewalls, anytime I change out a line card or module it regenerates the ssh keys when it restarts.