ssh host keys on cloned virtual machines
jan at schermer.cz
Fri Feb 24 23:35:56 AEDT 2023
> On 24. 2. 2023, at 13:25, Keine Eile <keine-eile at e-mail.de> wrote:
> On 24.02.23 at 13:11, Jan Schermer wrote:
>> One solution I used was simply scripting the deletion of the host key after cloning it.
>> Another solution is to delete them in the golden image you create (which could be a different scenario from cloning whatever machine you need)
> The golden image can not have a hard wired magic which generates new host keys, as it is maintained from time to time using ssh.
Right, that is what I did - stuff like apt update/upgrade or yum upgrade, pushing new versions of other stuff and then right before shutdown and turning it back into golden image I deleted the hostkeys, dhcp leases, logs and other state files.
>> Both approaches worked well enough except when they didn’t.
> I think, I have seen this, too.
>> It would be great to be able to specify path to hostkey including some sort of $hostname variable, so it would be regenerated if hostname changes, but that is probably better solved in a startup script. Maybe modifying it to create a symlink from the hostkey to a filename including hostname? I wonder how fragile that would be and if something like that already exists. Not sure if MAC or hostname are the right distinguishing parameters, though, maybe something like dmidecode UUID?
> The MAC is my weapon of choice, because no matter what virtualization you have, this will (in a sense, it has to) change. Changing the hostname comes with the Ansible stuff, but this is already too late.
Hmm, I usually get hostnames from DHCP/cloud-init etc. This is where this magic should happen in theory. I guess looking for cloud-init hooks could turn up something that already exists?
> Thanks Jan.
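The "regenerate when the machine identity changes" idea discussed above, as an added startup-script example (not code from the thread or from OpenSSH): it keys the host keys to the DMI product UUID, falling back to the first non-loopback MAC, and regenerates them only when the recorded identity no longer matches. The marker path and the `--apply` flag are assumptions; run it before sshd starts (e.g. from a oneshot unit ordered before the ssh service).

```shell
#!/bin/sh
# Regenerate OpenSSH host keys when this machine's identity changes,
# e.g. after a VM is cloned from a golden image. Identity is the DMI
# product UUID, or the MAC of the first non-loopback interface as a
# fallback. A marker file records the identity the current keys belong to.
# MARKER and KEYDIR are assumed paths; adjust for your distribution.
MARKER="${SSH_IDENTITY_MARKER:-/etc/ssh/.host_key_identity}"
KEYDIR="${SSH_KEY_DIR:-/etc/ssh}"

# Print a stable identity string for this machine; exit 1 if none found.
machine_identity() {
    if [ -r /sys/class/dmi/id/product_uuid ]; then
        cat /sys/class/dmi/id/product_uuid
        return 0
    fi
    for dev in /sys/class/net/*; do            # fallback: first non-lo MAC
        [ "$(basename "$dev")" = "lo" ] && continue
        [ -r "$dev/address" ] && { cat "$dev/address"; return 0; }
    done
    return 1
}

# needs_regen IDENTITY MARKER_FILE
# Exit 0 (true) when keys must be regenerated: the marker is missing or
# the identity recorded in it differs from the current one.
needs_regen() {
    [ -r "$2" ] || return 0
    [ "$(cat "$2")" != "$1" ]
}

# Delete the existing host keys, generate a fresh set with ssh-keygen -A
# (which fills in every missing default key type), and record the identity.
regen_host_keys() {
    rm -f "$KEYDIR"/ssh_host_*_key "$KEYDIR"/ssh_host_*_key.pub
    ssh-keygen -A || return 1
    printf '%s\n' "$1" > "$MARKER"
}

# Only act when explicitly invoked with --apply, so sourcing is side-effect free.
if [ "${1:-}" = "--apply" ]; then
    id="$(machine_identity)" || { echo "no machine identity found" >&2; exit 1; }
    if needs_regen "$id" "$MARKER"; then
        regen_host_keys "$id" || exit 1
    fi
fi
```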