The below reference to Google documentation is no longer true.
Google recommends removing SSH keys from GCE instance to secure SSH. That does not make any sense to me. The keys are there for a security, right? When I remove the keys, SSHD stops working. I probably miss their point. Can someone explain what do the mean by this:
Remove ssh host keys
Don't use ssh host keys with your instance. Remove them as follows:
rm /etc/ssh/ssh_host_key rm /etc/ssh/ssh_host_rsa_key* rm /etc/ssh/ssh_host_dsa_key* rm /etc/ssh/ssh_host_ecdsa_key*
The only possible reason I can think of is that they want to force you to regenerate new keys.
As these keys were generated before you had access they may not be trusted.
Removing them and restarting
sshdwill regenerate the keys for you.However the document doesn't really make that clear.
This is pure speculation and it would be better to contact them and get clarification on this.
The critical detail is that the page you've referenced is about creating a new Compute Engine machine image. Specifically, when you create a new virtual machine image, you want to ensure it does NOT include any host keys. That way, when the image is cloned and reconstituted into an actual VM, the sshd startup script will recognize that there are no host keys, and automatically generate new ones. This is desirable because having multiple machines using the same host key is a very bad idea.
So, in the general case, please do not go deleting your host keys, but if you are creating a new image, it's an important step in order to ensure there's a one-to-one relationship between host keys and machines.