Move servers public/private keys to a new host

Jim Knoble jmknoble at
Wed Jan 24 09:33:35 EST 2007

Circa 2007-01-22 22:22 dixit petesea at

: Is it possible to move a server's public and private keys from one host to 
: another?  Or perhaps a better way to ask what I really want... is it 
: possible to configure a server on a new host to return the same public key 
: it did on the old host?
: I'm in the process of migrating our CVS server from a Solaris host to a 
: Linux host (this weekend) and I just realized the hostkey is going to 
: change.
: I tried copying the old host's pub/priv keys to the new host, but when I 
: start sshd on the new host (using -ddd) I get:
:     debug3: Not a RSA1 key file /usr/local/etc/ssh/old_ssh_host_rsa_key
:     debug1: PEM_read_PrivateKey failed
:     debug1: read PEM private key done: type <unknown>
:     Could not load host key: /usr/local/etc/ssh/old_ssh_host_rsa_key

Apparently sshd on the Linux host is unable to read the key in
.../old_ssh_host_rsa_key.  What SSH server were you using on the Solaris
host?  Does old_ssh_host_rsa_key have the proper BEGIN and END lines
around it?  For example:

    # head -1 /etc/ssh/ssh_host_rsa_key
    # tail -1 /etc/ssh/ssh_host_rsa_key
    -----END RSA PRIVATE KEY-----

Is openssl able to read the key?  For example:

    # openssl rsa -text -noout -in /etc/ssh/ssh_host_rsa_key |head -1
    Private-Key: (2048 bit)

How did you copy the key from the Solaris machine to the Linux machine?
Is it possible the key got corrupted or truncated in transit?

: The biggest problem is with all our Windows users.  Since they only use 
: SSH (really plink) for CVS access, the CVS command fails if plink detects 
: the hostkey has changed.  This is really because the cvs command will fail 
: if it gets ANY response it doesn't understand.
: Many (most) of our Windows users use various GUI CVS clients that often 
: hide any output plink might display, but even if they DO happen to see any 
: output, 99% wouldn't know what to do based on the error.
: I'm trying to avoid a barrage of tech support calls the day after the 
: server changes.
: _______________________________________________
: openssh-unix-dev mailing list
: openssh-unix-dev at

jim knoble  |  jmknoble at  |
(GnuPG key ID: 6F39C2CC  >>>>>> )
(GnuPG fingerprint: 5024:D578:7CF4:5660:7269::F6F3:B919:9307:6F39:C2CC)
|[L]iberty, as we all know, cannot flourish in a country that is perma-|
| nently on a war footing, or even a near-war footing.  --Aldous Huxley|

More information about the openssh-unix-dev mailing list