Reusing ssh keys on a new installation, was Re: OpenSSH: cause of random kex_exchange_identification errors?
On Wed 02 Feb 2022 at 14:28:40 (-0500), Greg Wooledge wrote:
> On Wed, Feb 02, 2022 at 02:21:08PM -0500, gene heskett wrote:
> > When I change something, like rebooting the rpi4 running my big Sheldon
> > lathe, from debian buster to debian bullseye, the keyfile changes, and I
> > get an explicit error telling me to run ssh-keygen to remove the
> > offending key, which I do, [...]
>
> What *I* would do is copy the host key files from the buster instance
> (the one that your client recognizes as valid) into the bullseye
> instance. That way, the client will recognize *both* server instances
> as the same host.
>
> The host keys are in the /etc/ssh/ directory in Debian. There are
> several files, and they all begin with ssh_host. Just copy them over
> and make sure the permissions are retained. (The ones without .pub on
> the end are meant to be private, so they have tighter permissions.)
>
> If you're not running Debian, but instead are running some perverse
> derivative that changes everything but still calls its releases "buster"
> and "bullseye" in order to maximize confusion, then your host keys might
> be in some other directory.
I do similar, after checking that the keys look as if they were
generated by the same scheme. I do this just after Grub has been
installed on the disk, i.e. at "Finish the installation". In a shell
on VC2, or another remote ssh connection, I type:
# mount /dev/<previous-Debian-partition> /mnt
# cp -ipr /mnt/etc/ssh/s*[by] /target/etc/ssh/
# cp -ipr /mnt/root/.ssh (and most of root's dotfiles) /target/root/
The reason I do this in the d-i is because I typically install
over a ssh connection, and when the machine reboots at the end
and I want to login remotely to finish the configuration, I can
just type (from local's root):
# ssh -X hostname
and I'm in.
To summarise, the upshot is that to install a new system, I visit
the machine to plug in a USB installer stick, boot up from it using
the one-time-boot option, and run these commands:
│ Choose language │
│ Configure the keyboard │
│ Detect and mount CD-ROM │
│ Load installer components from CD │
→ network-console: Continue installation remotely using SSH ←
│ Detect network hardware │
│ Configure the network │
│ Continue installation remotely using SSH │
set a password (I use the hostname)
and return to my comfortable chair. I never /have to/ revisit
the target machine again.¹
One other trick: I run the remote installer with:
$ ssh -o GlobalKnownHostsFile=/dev/null -o UserKnownHostsFile=/dev/null installer@hostname
which avoids polluting my ~/.ssh/known_hosts with the ephemeral
host key being used by the installer.
¹ unless I want my stick back. (Desktop machines are configured
with magic-packet wake-up in the BIOS.)
Cheers,
David.