ssh host keys on cloned virtual machines
Stuart Henderson
stu at spacehopper.org
Sat Feb 25 01:56:05 AEDT 2023
On 2023/02/24 13:25, Keine Eile wrote:
> The MAC is my weapon of choice, because no matter what virtualization
> you have, this will (in a sense, it has to) change. Changing the
> hostname comes with the Ansible stuff, but this is already too late.
Regenerating host keys if the MAC changes is no good in the general
case. Firstly, *which* MAC, there can be more than one. Secondly,
if you legitimately replace a NIC/motherboard due to hardware failure
(or move disks between motherboards etc) you'll generate new keys
when you shouldn't.
This isn't unique to SSH; there are other files depending on the
software involved which might include /etc/machine-id, saved RNG seeds,
IPv6 SOII keys, which need removing when preparing to clone.
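A worked example of the two halves of this advice, added here as an illustration and not part of Stuart's message or of OpenSSH itself: a pre-clone cleanup that strips the per-instance files named above, and a first-boot hook that regenerates host keys exactly once per clone, keyed on a marker file left by the cleanup rather than on any MAC address, so a later NIC or motherboard swap leaves the keys alone. The marker path (/etc/ssh/.regenerate-host-keys), the systemd RNG seed path (/var/lib/systemd/random-seed) and the assumption of a systemd-based Linux guest are all choices made for this example, not anything the thread specifies; the ROOT prefix argument exists so the functions can be exercised on a scratch directory instead of the live filesystem (pass an empty string on a real image).

```shell
#!/bin/sh
# Example only: not from the mailing-list thread or the OpenSSH project.
# Assumes a systemd-based Linux guest; adjust paths for other systems.
set -eu

# prepare_for_clone ROOT
#   Remove instance identity from the tree rooted at ROOT before the image
#   is cloned. ROOT is "" on a real system; a scratch directory otherwise.
prepare_for_clone() {
    root=${1%/}
    mkdir -p "$root/etc/ssh"
    # SSH host keys (private and public halves).
    rm -f "$root"/etc/ssh/ssh_host_*_key "$root"/etc/ssh/ssh_host_*_key.pub
    # Truncate rather than delete: systemd treats an empty /etc/machine-id
    # as "uninitialised" and generates a fresh one at boot.
    : > "$root/etc/machine-id"
    # Saved RNG seed (assumed systemd location); two clones must not boot
    # from the same seed.
    rm -f "$root/var/lib/systemd/random-seed"
    # Marker telling the first-boot hook that this is a fresh clone.
    touch "$root/etc/ssh/.regenerate-host-keys"
}

# first_boot ROOT
#   Regenerate host keys only when the clone marker is present, i.e. once
#   per clone and never because some hardware identifier changed.
first_boot() {
    root=${1%/}
    marker="$root/etc/ssh/.regenerate-host-keys"
    [ -e "$marker" ] || return 0
    mkdir -p "$root/etc/ssh"
    if command -v ssh-keygen >/dev/null 2>&1; then
        # -A: create any missing default host keys (rsa, ecdsa, ed25519);
        # -f PREFIX: place them under PREFIX/etc/ssh instead of /etc/ssh.
        ssh-keygen -A -f "$root"
    fi
    rm -f "$marker"
}

# count_host_keys ROOT
#   Number of private host keys under ROOT/etc/ssh (for checks and tests).
count_host_keys() {
    root=${1%/}
    n=0
    for f in "$root"/etc/ssh/ssh_host_*_key; do
        [ -f "$f" ] && n=$((n + 1))
    done
    echo "$n"
}
```

On a real image the cleanup runs as the last step before the VM is powered off for cloning, and the first-boot function is invoked from whatever the image builder already uses for one-shot setup (a systemd unit, rc.local or a cloud-init hook, all assumptions here); because the trigger is a file the cleanup deliberately left behind, replacing a NIC or moving disks between motherboards later cannot cause a spurious key rotation.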