ssh host keys on cloned virtual machines

Jan Schermer jan at schermer.cz
Sat Feb 25 00:09:31 AEDT 2023


Host key certificates are great, but it’s an even trickier thing to do than simply deleting the host key by a script… :-)


> On 24. 2. 2023, at 14:05, Rory Campbell-Lange <rory at campbell-lange.net> wrote:
> 
> On 24/02/23, Brian Candler (b.candler at pobox.com) wrote:
>> Are you doing any other first-boot initialization on the cloned VMs? Are you
>> (or could you) use cloud-init for this?
>> 
>> If so, you can run:
>> 
>>     cloud-init clean [--seed] [--logs] [--machine-id]
>> 
>> before cloning - or inside the cloned image using guestfish etc. I'm not
>> sure if this actually removes the existing host keys, but if it doesn't, you
>> could manually rm them as well.
> 
> This situation is beyond my experience, but I guess another way around would be
> to try and block the golden image host key for users and use a host certificate
> on the golden image host.
> 
> The golden image host could have its host certificate rotated every month,
> perhaps, although that might mean you'd have to rotate the certificates on all
> your other hosts too, depending on the expiry parameters on your certificates.
> 
> This would require setting up a ssh certificate signing process which might not
> be something you'd like to do. Also, all users would have to add a
> "@cert-authority" line to their ~/.ssh/known_hosts.
> 
> Rory
> 
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
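As an added example (not code from this thread), the "manually rm them" route Brian describes, done as a small first-boot script: wipe whatever host keys the golden image shipped and let ssh-keygen -A regenerate a fresh set, so no two clones share a host identity. It assumes OpenSSH's ssh-keygen is on the image; the optional prefix argument (used below for testing in a scratch directory) maps to /etc/ssh under that prefix.

```shell
#!/bin/sh
# First-boot host key regeneration for a cloned VM.
# Intended to run once (e.g. from a oneshot unit) before sshd starts.
# Assumption: ssh-keygen from OpenSSH is installed on the image.
set -eu

# regen_host_keys [PREFIX]
# With no argument it acts on the real /etc/ssh; with a prefix it acts on
# PREFIX/etc/ssh (ssh-keygen -A -f PREFIX uses PREFIX the same way).
regen_host_keys() {
    root=${1:-}
    dir="$root/etc/ssh"
    mkdir -p "$dir"
    # Remove everything the golden image shipped: private keys, .pub files
    # and any host certificate (-cert.pub) issued for the image's old key.
    rm -f "$dir"/ssh_host_*_key "$dir"/ssh_host_*_key.pub \
          "$dir"/ssh_host_*_key-cert.pub
    # -A generates one key per supported type, but only where no key
    # exists yet; that is why the rm above must come first.
    if [ -n "$root" ]; then
        ssh-keygen -A -f "$root" >/dev/null
    else
        ssh-keygen -A >/dev/null
    fi
}

# host_key_fingerprints [PREFIX]
# Print the SHA256 fingerprint of each host key, one per line, so an
# operator can confirm that clones no longer report the same fingerprint.
host_key_fingerprints() {
    root=${1:-}
    for pub in "$root"/etc/ssh/ssh_host_*_key.pub; do
        [ -e "$pub" ] || continue
        ssh-keygen -l -E sha256 -f "$pub" | awk '{print $2}'
    done
}
```

Running regen_host_keys a second time yields a different set of fingerprints, which is exactly the property a cloned image needs on its first boot.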
