ssh host keys on cloned virtual machines

Jan Schermer jan at schermer.cz
Fri Feb 24 23:11:02 AEDT 2023


One solution I used was simply scripting the deletion of the host key after cloning it.
Another solution is to delete them in the golden image you create (which could be a different scenario from cloning whatever machine you need)
Both approaches worked well enough except when they didn’t.

It would be great to be able to specify the path to the host key including some sort of $hostname variable, so it would be regenerated if the hostname changes, but that is probably better solved in a startup script. Maybe modifying it to create a symlink from the host key to a filename including the hostname? I wonder how fragile that would be and if something like that already exists. Not sure if MAC or hostname are the right distinguishing parameters, though; maybe something like the dmidecode UUID?

Jan


> On 24. 2. 2023, at 12:58, Keine Eile <keine-eile at e-mail.de> wrote:
> 
> Hi list members,
> 
> does any one of you have a best practice on renewing ssh host keys on cloned machines?
> I have a customer who never thought about that, while cloning all VMs from one template. Now all machines have the exact same host key.
> My approach would be to store a machine's MAC address(es). Then when starting the sshd.service, check if this MAC has changed. If so, remove all host keys, and let sshd create new ones.
> 
> Thanks for any thoughts and comments about that.
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
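The startup-script approach both posts sketch (record what identifies the machine, compare it before sshd starts, wipe and regenerate the host keys when it has changed), as an added example. This is illustrative code written for this page, not an OpenSSH script or anything either poster ran. It hashes the identity inputs the thread mentions (hostname, DMI product UUID, non-loopback MAC addresses); the file locations, the function names and the --run convention are assumptions chosen here. Two caveats a practitioner will want: /sys/class/dmi/id/product_uuid is root-only and on some hypervisors is left all zeros unless the VM definition sets one, so check that it actually differs between clones before relying on it; and ssh-keygen -A only creates keys that are missing, which is why the old ones are removed first.

```sh
#!/bin/sh
# Added example (not OpenSSH code): regenerate the host keys when the machine's
# identity changes, so a VM cloned from a template stops sharing the template's keys.
# Meant to run as root before sshd starts, e.g. "ExecStartPre=/usr/local/sbin/regen-hostkeys.sh --run"
# in a systemd drop-in. SSH_DIR, STATE_FILE and all function names are hypothetical.
set -eu

STATE_FILE="${STATE_FILE:-/var/lib/ssh-hostkey-identity}"

# Hash stdin; sha256sum (coreutils) with a shasum fallback. Only used as a change detector.
identity_hash() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum | cut -d' ' -f1
    else shasum -a 256 | cut -d' ' -f1; fi
}

# Emit the inputs discussed in the thread, one per line, for identity_hash:
# hostname, the DMI product UUID (if readable, i.e. as root) and every non-loopback MAC.
collect_identity() {
    printf 'hostname=%s\n' "$(uname -n)"
    if [ -r /sys/class/dmi/id/product_uuid ]; then
        printf 'uuid=%s\n' "$(cat /sys/class/dmi/id/product_uuid)"
    fi
    for dev in /sys/class/net/*; do
        [ -r "$dev/address" ] || continue
        case "${dev##*/}" in lo) continue ;; esac
        printf 'mac=%s\n' "$(cat "$dev/address")"
    done
}

# Exit 0 (true) when no identity was recorded yet or the recorded one differs from $1,
# i.e. the keys must be regenerated; exit 1 when it matches. $2 is the state file.
needs_regeneration() {
    current="$1"; state="$2"
    [ -f "$state" ] || return 0
    [ "$(cat "$state")" != "$current" ]
}

# Remove the host keys and let ssh-keygen recreate the default set.
# $1 is an optional path prefix: "" operates on the live /etc/ssh; a prefix P makes
# ssh-keygen -A -f P write to P/etc/ssh instead (used for testing without root).
regenerate_host_keys() {
    prefix="${1:-}"
    dir="$prefix/etc/ssh"
    rm -f "$dir"/ssh_host_*_key "$dir"/ssh_host_*_key.pub
    if [ -n "$prefix" ]; then ssh-keygen -A -f "$prefix"; else ssh-keygen -A; fi
}

main() {
    current="$(collect_identity | identity_hash)"
    if needs_regeneration "$current" "$STATE_FILE"; then
        regenerate_host_keys ""
        mkdir -p "$(dirname "$STATE_FILE")"
        printf '%s\n' "$current" > "$STATE_FILE"
    fi
}

# The live path only runs when explicitly asked for, so the functions can be sourced safely.
if [ "${1:-}" = "--run" ]; then
    main
fi
```

Because the state file records a hash of the identity rather than the raw MACs, it can be left in the golden image without leaking anything; a clone whose identity matches the template (same hostname, same MACs, same UUID) is indistinguishable from the template and keeps the shared key, which is exactly the case where none of these parameters helps and the keys have to be deleted from the image itself.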


