On Fri, 24 Feb 2023, Keine Eile wrote:

> does any one of you have a best practice on renewing ssh host keys on cloned
> machines?

Yes: not cloning machines.

There are too many things to take care of for these. The VM UUID in libvirt. The systemd machine ID. SSH hostkey and SSL private key. The RNG seed. The various places where the hostname is written to during software installation. The inode generation IDs, depending on the filesystem. Other things that are created depending on the machine and OS… such as the Debian popcon host ID, even.

The effort to clean/regenerate these and possibly more, which, in addition, often needs new per-machine random bytes introduced, is more than just installing fresh machines all the time, especially if you script that (in which I personally even consider moving away from d-i with preseed and towards debootstrap with (scripted) manual pre- (partitioning, mkfs, …) and post-steps). This is even more true as every new machine tends to get just the little bit of difference from the old ones that is easier to make when not cloning (such as different filesystem layout, software).

I know, this is not the answer you want to hear, but it's the one that works reliably, without investing too much while still being not 100% sure you caught everything.

(Fun fact on the side, while doing admin stuff at $dayjob, I even didn't automate VM creation as clicking through d-i those times I was installing some took less time in summary than creating automation for it would've. I used xlax (like clusterssh, but for any X11 window) for starting installation, then d-i network-console + cssh for the remainder; a private APT repository with config packages, to install dependencies and configure some things, rounded it off.)
bye,
//mirabilos
-- 
Infrastructure expert • tarent solutions GmbH
Am Dickobskreuz 10, D-53121 Bonn • http://www.tarent.de/
Telephone +49 228 54881-393 • Fax: +49 228 54881-235
HRB AG Bonn 5168 • USt-ID (VAT): DE122264941
Managing directors: Dr. Stefan Barth, Kai Ebenrett, Boris Esser, Alexander Steeg

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
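As an added example (not code from the post, from OpenSSH, or from tarent): a small audit that compares a golden image's root with a clone's root and reports which of the per-machine identity files the post lists are still byte-identical, i.e. were never regenerated after cloning. The file paths are assumed Debian defaults, and the two machine roots are constructed in a temporary directory as sample data.

```python
"""Added example, not from the post: find per-machine identity files that a
clone still shares byte-for-byte with its golden image (Debian paths assumed)."""
import hashlib
import tempfile
from pathlib import Path

# Contents of these files must differ between machines; globs are relative to
# each root.  Mirrors the post's list: systemd machine ID, SSH host keys,
# RNG seed, hostname, Debian popcon host ID.
IDENTITY_PATTERNS = [
    "etc/machine-id",
    "etc/ssh/ssh_host_*_key",
    "var/lib/systemd/random-seed",
    "etc/hostname",
    "etc/popularity-contest.conf",
]

def _digests(root):
    root = Path(root)  # relative path -> SHA-256 of contents
    return {str(p.relative_to(root)): hashlib.sha256(p.read_bytes()).hexdigest()
            for pat in IDENTITY_PATTERNS for p in root.glob(pat) if p.is_file()}

def clone_collisions(root_a, root_b):
    """Identity files present in both roots with identical contents.
    An empty list means every listed artefact was regenerated."""
    a, b = _digests(root_a), _digests(root_b)
    return sorted(rel for rel in a.keys() & b.keys() if a[rel] == b[rel])

def _write_root(base, files):
    """Build a fake machine root from constructed sample contents."""
    for rel, content in files.items():
        Path(base, rel).parent.mkdir(parents=True, exist_ok=True)
        Path(base, rel).write_text(content)
    return base

def demo():
    """Golden image vs. a clone whose admin only re-ran ssh-keygen."""
    tmp = Path(tempfile.mkdtemp())
    golden = _write_root(tmp / "golden", {
        "etc/machine-id": "0123456789abcdef0123456789abcdef\n",
        "etc/ssh/ssh_host_ed25519_key": "CONSTRUCTED-KEY-A\n",
        "etc/hostname": "golden\n", "var/lib/systemd/random-seed": "seed-A"})
    clone = _write_root(tmp / "clone", {
        "etc/machine-id": "0123456789abcdef0123456789abcdef\n",  # not regenerated
        "etc/ssh/ssh_host_ed25519_key": "CONSTRUCTED-KEY-B\n",   # regenerated
        "etc/hostname": "clone01\n", "var/lib/systemd/random-seed": "seed-A"})
    return clone_collisions(golden, clone)

if __name__ == "__main__":
    print(demo())  # ['etc/machine-id', 'var/lib/systemd/random-seed']
```

Run it against two mounted image roots instead of the constructed ones to check a real clone before it goes on the network.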