ssh host keys on cloned virtual machines

Stuart Henderson stu at spacehopper.org
Sat Feb 25 01:56:05 AEDT 2023


On 2023/02/24 13:25, Keine Eile wrote:
> The MAC is my weapon of choice, because no matter what virtualization
> you have, this will (in a sense, it has to) change. Changing the
> hostname comes with the Ansible stuff, but this is already too late.

Regenerating host keys if the MAC changes is no good in the general
case. Firstly, *which* MAC, there can be more than one. Secondly,
if you legitimately replace a NIC/motherboard due to hardware failure
(or move disks between motherboards etc) you'll generate new keys
when you shouldn't.

This isn't unique to SSH; there are other files depending on the
software involved which might include /etc/machine-id, saved RNG seeds,
IPv6 SOII keys, which need removing when preparing to clone.
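The approach the reply argues for, stripping per-host identity from the template image and regenerating host keys on first boot rather than keying regeneration off a MAC change, shown as an added shell example that is not part of the original message. The file paths (OpenSSH host keys under /etc/ssh, systemd's /etc/machine-id and /var/lib/systemd/random-seed, OpenBSD's /etc/random.seed and /etc/soii.key) and the function names are assumptions for a typical layout; adjust them for the software actually installed. The functions take an explicit root directory so they can be run against a mounted image or a scratch directory instead of the live system.

```shell
#!/bin/sh
# Added example: prepare a VM template for cloning and regenerate SSH host
# keys on the clone's first boot. Paths below are assumptions for common
# Linux (systemd) and OpenBSD layouts, not a definitive list.

# Remove every per-host identity file from the image rooted at $1.
# Refuses to run without an explicit root so it cannot default to "/".
clone_prep_remove_identity() {
    root="${1:?root directory required}"
    # OpenSSH host keys: private and public halves, all key types
    for f in "$root"/etc/ssh/ssh_host_*_key "$root"/etc/ssh/ssh_host_*_key.pub; do
        [ -e "$f" ] && rm -f "$f"
    done
    # systemd machine-id: truncate rather than delete so systemd regenerates it
    if [ -f "$root/etc/machine-id" ]; then
        : > "$root/etc/machine-id"
    fi
    # Saved RNG seeds (assumed paths: systemd and OpenBSD)
    rm -f "$root/var/lib/systemd/random-seed" "$root/etc/random.seed"
    # OpenBSD IPv6 SOII key (assumed path)
    rm -f "$root/etc/soii.key"
    return 0
}

# Returns 0 if no per-host identity file remains under $1, 1 otherwise.
# Useful as a final check before the image is snapshotted as a template.
clone_prep_is_clean() {
    root="${1:?root directory required}"
    for f in "$root"/etc/ssh/ssh_host_*_key "$root"/etc/soii.key \
             "$root/var/lib/systemd/random-seed" "$root/etc/random.seed"; do
        [ -e "$f" ] && return 1
    done
    # a non-empty machine-id means the template still carries an identity
    if [ -s "$root/etc/machine-id" ]; then
        return 1
    fi
    return 0
}

# First-boot step: generate any host keys that are missing. "ssh-keygen -A"
# only creates keys that do not exist, so it is safe to run on every boot;
# the trigger is the absence of keys, not a hardware or MAC change.
clone_firstboot_regen_keys() {
    root="${1:?root directory required}"
    if [ "$root" = "/" ]; then
        ssh-keygen -A
    else
        # with -f, the argument is used as a prefix to /etc/ssh/...
        ssh-keygen -A -f "$root"
    fi
}

# Command-line dispatch, e.g.:  sh clone-prep.sh prep /mnt/template
#                               sh clone-prep.sh firstboot /
case "${1:-}" in
    prep)      clone_prep_remove_identity "${2:?root directory required}" ;;
    check)     clone_prep_is_clean "${2:?root directory required}" ;;
    firstboot) clone_firstboot_regen_keys "${2:?root directory required}" ;;
esac
```

Run the `prep` step against the mounted template image (or a chroot) before taking the snapshot, and hook `firstboot` into the clone's boot sequence ahead of sshd. Because regeneration is driven by missing key files rather than by a changed MAC, a legitimate NIC or motherboard swap on an existing host leaves its keys, and the fingerprints clients have pinned, untouched.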



More information about the openssh-unix-dev mailing list