<![CDATA[To my #SSH folks:]]>To my folks:

Is there some documented process of moving SSH from one machine to another transparently?

I get that I can copy the server-keys from $OLDSERVER to $NEWSERVER, but my understanding is that SSH will still notice the IP address (they connect via name, and DNS will point to the new IP address) changing and still raise alarms.

Short of also migrating the IP address too (not an option here since they're owned by different orgs), is there a least-painful route?

The current/painful option is just "sorry, suckas, IP changed, host-key & its fingerprints changed, and all your automated SFTP tasks break until you accept the new host key" which I'm trying to avoid ☺

Thanks for any recommendations!

]]>https://board.circlewithadot.net/topic/cda5dea2-0384-4efa-b8e3-0dadb6e98124/to-my-ssh-folksRSS for NodeFri, 15 May 2026 05:50:49 GMTWed, 06 May 2026 21:41:44 GMT60<![CDATA[Reply to To my #SSH folks: on Thu, 07 May 2026 00:03:54 GMT]]>@mwl

/me turns to p151

Wonderful…I knew I'd read something relevant but didn't remember the right terms to search for it in the SSH Mastery PDF. Thanks!

]]>https://board.circlewithadot.net/post/https://mastodon.bsd.cafe/users/gumnos/statuses/116530363419027836https://board.circlewithadot.net/post/https://mastodon.bsd.cafe/users/gumnos/statuses/116530363419027836Thu, 07 May 2026 00:03:54 GMT<![CDATA[Reply to To my #SSH folks: on Wed, 06 May 2026 22:31:58 GMT]]>@gumnos @pertho from my experience "same DNS name and same key" will not generate complaints on an IP change, or at most will emit "hey, other things match, so I updated IP on record"

]]>https://board.circlewithadot.net/post/https://social.hackerspace.pl/users/viq/statuses/116530001882714037https://board.circlewithadot.net/post/https://social.hackerspace.pl/users/viq/statuses/116530001882714037Wed, 06 May 2026 22:31:58 GMT<![CDATA[Reply to To my #SSH folks: on Wed, 06 May 2026 22:22:08 GMT]]>@gumnos ssh certificates for the win. Just sign all your hosts ssh keys with it and you can have a single line in known_hosts to validate it. So even if you reinstall, so long as you sign the ssh server keys with that one key it all works.

You can also do the same for user ssh keys.

I've been using this system for about 2 years on my servers and it's great. I store the private key in a safe place of course.

]]>https://board.circlewithadot.net/post/https://mastodon.bsd.cafe/users/pertho/statuses/116529963246823458https://board.circlewithadot.net/post/https://mastodon.bsd.cafe/users/pertho/statuses/116529963246823458Wed, 06 May 2026 22:22:08 GMT<![CDATA[Reply to To my #SSH folks: on Wed, 06 May 2026 22:17:23 GMT]]>@gumnos tell clients to pre-stage the known-hosts change? Just an idea.

]]>https://board.circlewithadot.net/post/https://hachyderm.io/ap/users/115878478723365796/statuses/116529944558716597https://board.circlewithadot.net/post/https://hachyderm.io/ap/users/115878478723365796/statuses/116529944558716597Wed, 06 May 2026 22:17:23 GMT<![CDATA[Reply to To my #SSH folks: on Wed, 06 May 2026 22:04:22 GMT]]>@gumnos i would be surprised if that is possible, it would lead to risks

]]>https://board.circlewithadot.net/post/https://852360996.91268476.xyz/users/a/statuses/01KQZN43BTNKD3HCKM3393RDT5https://board.circlewithadot.net/post/https://852360996.91268476.xyz/users/a/statuses/01KQZN43BTNKD3HCKM3393RDT5Wed, 06 May 2026 22:04:22 GMT<![CDATA[Reply to To my #SSH folks: on Wed, 06 May 2026 21:53:03 GMT]]>@gumnos host keys in dns. Or certificates.

]]>https://board.circlewithadot.net/post/https://io.mwl.io/users/mwl/statuses/116529848881017285https://board.circlewithadot.net/post/https://io.mwl.io/users/mwl/statuses/116529848881017285Wed, 06 May 2026 21:53:03 GMT