Reusing ssh keys on a new installation, was Re: OpenSSH: cause of random kex_exchange_identification errors?



On Wed 02 Feb 2022 at 14:28:40 (-0500), Greg Wooledge wrote:
> On Wed, Feb 02, 2022 at 02:21:08PM -0500, gene heskett wrote:
> > When I change something, like rebooting the rpi4 running my big Sheldon 
> > lathe, from debian buster to debian bullseye, the keyfile changes, and I 
> > get an explicit error telling me to run ssh-keygen to remove the 
> > offending key, which I do, [...]
> 
> What *I* would do is copy the host key files from the buster instance
> (the one that your client recognizes as valid) into the bullseye
> instance.  That way, the client will recognize *both* server instances
> as the same host.
> 
> The host keys are in the /etc/ssh/ directory in Debian.  There are
> several files, and they all begin with ssh_host.  Just copy them over
> and make sure the permissions are retained.  (The ones without .pub on
> the end are meant to be private, so they have tighter permissions.)
> 
> If you're not running Debian, but instead are running some perverse
> derivative that changes everything but still calls its releases "buster"
> and "bullseye" in order to maximize confusion, then your host keys might
> be in some other directory.

I do similar, after checking that the keys look as if they were
generated by the same scheme. I do this just after Grub has been
installed on the disk, i.e. at "Finish the installation". In a shell
on VC2, or another remote ssh connection, I type:

# mount /dev/<previous-Debian-partition> /mnt
# cp -ipr /mnt/etc/ssh/s*[by] /target/etc/ssh/
# cp -ipr /mnt/root/.ssh (and most of root's dotfiles) /target/root/

The reason I do this in the d-i is because I typically install
over a ssh connection, and when the machine reboots at the end
and I want to log in remotely to finish the configuration, I can
just type (from local's root):

# ssh -X hostname

and I'm in.

To summarise, the upshot is that to install a new system, I visit
the machine to plug in a USB installer stick, boot up from it using
the one-time-boot option, and run these commands:

 │  Choose language                             │
 │  Configure the keyboard                      │
 │  Detect and mount CD-ROM                     │
 │  Load installer components from CD           │
    → network-console: Continue installation remotely using SSH ←
 │  Detect network hardware                     │
 │  Configure the network                       │
 │  Continue installation remotely using SSH    │
      set a password (I use the hostname)

and return to my comfortable chair. I never /have to/ revisit
the target machine again.¹

One other trick: I run the remote installer with:

$ ssh -o GlobalKnownHostsFile=/dev/null -o UserKnownHostsFile=/dev/null installer@hostname

which avoids polluting my ~/.ssh/known_hosts with the ephemeral
host key being used by the installer.

¹ unless I want my stick back. (Desktop machines are configured
  with magic-packet wake-up in the BIOS.)

Cheers,
David.
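Added example, not code from David's or Greg's messages: a POSIX shell version of the host-key carry-over described above. It assumes the previous installation's root is mounted at a path passed as the first argument (the `/mnt` of the message) and the new one at the second (`/target`); the `OLD`/`NEW` names and the fake key files in the usage section are constructed for illustration. It copies `ssh_host_*` with `cp -p` so modes survive, refuses a private key that ended up world-readable, and, as an extra check beyond the message, compares `ssh-keygen -lf` fingerprints on both sides so that what the new system will present is exactly the key your client already trusts.

```shell
#!/bin/sh
# Carry SSH host keys from an old root ($1, e.g. /mnt) into a new one
# ($2, e.g. /target), preserving permissions, then verify the result.
# Added example; OLD/NEW and the sample key files are constructed.
set -eu

# Copy every /etc/ssh/ssh_host_* file (private keys and .pub) with mode,
# owner and timestamps preserved. Fails if the source has no host keys,
# so a typo in the mount point is not silently accepted.
copy_host_keys() {
    src="$1/etc/ssh"; dst="$2/etc/ssh"
    found=0
    for f in "$src"/ssh_host_*; do
        [ -e "$f" ] || continue
        found=1
        cp -p "$f" "$dst/"
    done
    [ "$found" -eq 1 ]
}

# Private keys must be 0600, public keys 0644; report the first offender.
# stat -c is GNU coreutils (Debian); adjust on BSD-style systems.
check_host_key_perms() {
    dir="$1/etc/ssh"
    for f in "$dir"/ssh_host_*; do
        [ -e "$f" ] || continue
        mode=$(stat -c '%a' "$f")
        case "$f" in
            *.pub) [ "$mode" = "644" ] || { echo "bad mode $mode on $f" >&2; return 1; } ;;
            *)     [ "$mode" = "600" ] || { echo "bad mode $mode on $f" >&2; return 1; } ;;
        esac
    done
}

# Compare the fingerprint of each public key on both sides (needs ssh-keygen).
# A mismatch means the new system would present a key the client does not trust.
fingerprints_match() {
    for pub in "$1"/etc/ssh/ssh_host_*.pub; do
        [ -e "$pub" ] || continue
        a=$(ssh-keygen -lf "$pub" | awk '{print $2}')
        b=$(ssh-keygen -lf "$2/etc/ssh/$(basename "$pub")" | awk '{print $2}')
        [ "$a" = "$b" ] || { echo "fingerprint mismatch for $pub" >&2; return 1; }
    done
}

# Usage, as it would run from the installer shell:
#   copy_host_keys /mnt /target && check_host_key_perms /target && fingerprints_match /mnt /target
```

Run the three functions in that order; each one fails loudly rather than leaving you to discover at first login that the client rejects the new host, which is the situation the thread started from.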

