Re: ssh host keys on cloned virtual machines

[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]


On Fri, 24 Feb 2023, Keine Eile wrote:

> does any one of you have a best practice on renewing ssh host keys on cloned
> machines?

Yes: not cloning machines.

There’s too many things to take care of for these. The VM UUID in
libvirt. The systemd machine ID. SSH hostkey and SSL private key.
The RNG seed. The various places where the hostname is written to
during software installation. The inode generation IDs, depending
on the filesystem. Other things that are created depending on the
machine and OS… such as the Debian popcon host ID, even.

The effort to clean/regenerate these and possibly more, which, in
addition, often needs new per-machine random bytes introduced, is
more than just installing fresh machines all the time, especially
if you script that (in which I personally even consider moving a‐
way from d-i with preseed and towards debootstrap with (scripted)
manual pre‑ (partitioning, mkfs, …) and post-steps).

This is even more true as every new machine tends to get just the
little bit of difference from the old ones that is easier to make
when not cloning (such as different filesystem layout, software).

I know, this is not the answer you want to hear, but it’s the one
that works reliably, without investing too much while still being
not 100% sure you caught everything.

(Fun fact on the side, while doing admin stuff at $dayjob, I even
didn’t automate VM creation as clicking through d-i those times I
was installing some took less time in summary than creating auto‐
mation for it would’ve. I used xlax (like clusterssh, but for any
X11 window) for starting installation, then d-i network-console +
cssh for the remainder; a private APT repository with config pak‐
kages, to install dependencies and configure some things, rounded
it off.)

Infrastrukturexperte • tarent solutions GmbH
Am Dickobskreuz 10, D-53121 Bonn •
Telephon +49 228 54881-393 • Fax: +49 228 54881-235
HRB AG Bonn 5168 • USt-ID (VAT): DE122264941
Geschäftsführer: Dr. Stefan Barth, Kai Ebenrett, Boris Esser, Alexander Steeg

/⁀\ The UTF-8 Ribbon
╲ ╱ Campaign against      Mit dem tarent-Newsletter nichts mehr verpassen:
 ╳  HTML eMail! Also,
╱ ╲ header encryption!
openssh-unix-dev mailing list

[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Security]     [Bugtraq]     [Linux]     [Linux OMAP]     [Linux MIPS]     [ECOS]     [Asterisk Internet PBX]     [Linux API]

  Powered by Linux