new ssh keys on first run

Initial Setup

sudo rm /etc/ssh/ssh_host_* && sudo dpkg-reconfigure openssh-server

Prior to your initial remote access it is recommended that you generate unique host public/private keys with the following command

You can execute these commands after having logged in remotely, and if executed while logged in from a remote client you will not be disconnected mid-session. However, after you generate unique keys you will need to clean up your client’s known_hosts.

This extra command (and subsequent follow up to update the cached public key on all clients who’ve already remotely connected to your Raspberry Pi) may seem like a hassle, but without doing this you leave yourself wide open to a man-in-the-middle attack because your “private” host ID keys are widely available to anyone who has downloaded the same SD card image as you.

Thanks for pointing this out. What about setting a script to launch at first Volumio startup? Could you give a hint on that?
Or a procedure to clean the SSH key before publishing…

taken from 2014-01-07-wheezy-raspbian.img

unzip the attached to /etc/init.d/

sudo update-rc.d regenerate_ssh_host_keys defaults
sudo rm /etc/ssh/ssh_host_*

on first boot regenerate_ssh_host_keys should generate the ssh keys and get rid of itself
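
A first-boot init script along the lines discussed in this thread, added here as an example; it is not the regenerate_ssh_host_keys script from the Raspbian image or the attachment above. The script name firstboot_ssh_host_keys and the SSH_DIR, KEYGEN and KEY_TYPES variables are assumptions, and instead of removing itself it does nothing once host keys exist, so the image has to be published with the keys deleted.

```shell
#!/bin/sh
### BEGIN INIT INFO
# Provides:          firstboot_ssh_host_keys
# Required-Start:    $local_fs
# Required-Stop:
# X-Start-Before:    ssh
# Default-Start:     2 3 4 5
# Default-Stop:
# Short-Description: Create SSH host keys when the image shipped without them
### END INIT INFO
# Added example: the script name and the three variables below are assumptions.

SSH_DIR="${SSH_DIR:-/etc/ssh}"                 # overridable to try the logic in a scratch dir
KEYGEN="${KEYGEN:-ssh-keygen}"                 # overridable for dry runs
KEY_TYPES="${KEY_TYPES:-rsa ecdsa ed25519}"    # types an old OpenSSH lacks are skipped

# True when no private host key exists, i.e. the image was cleaned before publishing.
host_keys_missing() {
    for f in "$SSH_DIR"/ssh_host_*_key; do
        [ -e "$f" ] && return 1
    done
    return 0
}

# Create one unpassworded key pair per type; succeed if at least one was made.
generate_host_keys() {
    made=0
    for t in $KEY_TYPES; do
        key="$SSH_DIR/ssh_host_${t}_key"
        if "$KEYGEN" -q -t "$t" -N '' -f "$key"; then
            made=$((made + 1))
        else
            echo "warning: could not create $t host key" >&2
        fi
    done
    [ "$made" -gt 0 ]
}

# Idempotent entry point: existing keys are never replaced on later boots.
first_boot_keys() {
    if host_keys_missing; then
        generate_host_keys || return 1
        echo generated
    else
        echo kept
    fi
}

if [ "${1:-}" = start ]; then first_boot_keys; fi
```

Placed in /etc/init.d/ and registered with update-rc.d as in the post above, it only generates keys on an image that was published after `sudo rm /etc/ssh/ssh_host_*`.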