ssh host keys on cloned virtual machines

Jochen Bern Jochen.Bern at binect.de
Sat Feb 25 02:01:23 AEDT 2023


On 24.02.23 12:58, Keine Eile wrote:
> does any one of you have a best practice on renewing ssh host keys on 
> cloned machines?
> I have a customer who never thought about that, while cloning all VMs 
> from one template. Now all machines have the exact same host key.
> My approach would be to store a machines MAC address(es). Then when 
> starting the sshd.service, check if this MAC has changed. If so, remove 
> all host keys, let sshd create new ones.

Strictly speaking, *if* you have an interest to make sure that *every* 
VM gets unique host keypairs, then you should implement a cleanup 
routine that takes care of "everything"¹ that matters to you.

Once you have *that*, the decision whether to trigger it as the last 
step on the template before making a new image, or as the first step on 
a VM created "to stay" from the template, and by what means and 
mechanisms, becomes somewhat secondary.²

I'd be wary of having it triggered automatically whenever the MAC or 
some other "hardware ID" changes, though, as that can happen when you 
move VMs between hypervisors, add or remove virtual devices, etc..

¹ Erase host keypairs, erase keypairs of local users (so that access to 
elsewhere doesn't get copied along), generate individual moduli, erase 
shell histories, remove local non-system users' crontabs, empty the mail 
spools of same, empty system and application logfiles, hunt for 
passwords set in whatever config files, rename LVM VGs so as to have 
names as unique as the VM itself, .......

² Personally, I like to add color coding to shell prompts to signal 
platform, test vs. prod etc.. Blinking black-on-yellow works quite well 
as a reminder that a VM freshly created from a template might still need 
some finalizing touches. ;-)

Kind regards,
-- 
Jochen Bern
Systemingenieur

Binect GmbH
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 3449 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20230224/e7616c75/attachment-0001.p7s>


More information about the openssh-unix-dev mailing list