Re: ssh host keys on cloned virtual machines

[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

 



One solution I used was simply scripting the deletion of the host key after cloning it.
Another solution is to delete them in the golden image you create (which could be a different scenario from cloning whatever machine you need)
Both approaches worked well enough except when they didn’t.

It would be great to be able to specify path to hostkey including some sort of $hostname variable, so it would be regenerated if hostname changes, but that is probably better solved in a startup script. Maybe modifying it to create a symlink from the hostkey to a filename including hostname? I wonder how fragile that would be and if something like that already exists. Not sure if MAC or hostname are the right distinguishing parameters, though, maybe something like dmidecode UUID?

Jan


> On 24. 2. 2023, at 12:58, Keine Eile <keine-eile@xxxxxxxxx> wrote:
> 
> Hi list members,
> 
> does any one of you have a best practice on renewing ssh host keys on cloned machines?
> I have a customer who never thought about that, while cloning all VMs from one template. Now all machines have the exact same host key.
> My approach would be to store a machines MAC address(es). Then when starting the sshd.service, check if this MAC has changed. If so, remove all host keys, let sshd create new ones.
> 
> Thanks for any thoughts and comments about that.
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev@xxxxxxxxxxx
> https://www.google.com/url?q=https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev&source=gmail-imap&ust=1677844875000000&usg=AOvVaw1wDCGYuQ4a5KUjpWj0GLtO

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev




[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Security]     [Bugtraq]     [Linux]     [Linux OMAP]     [Linux MIPS]     [ECOS]     [Asterisk Internet PBX]     [Linux API]

  Powered by Linux