To my #SSH folks:
Is there some documented process of moving SSH from one machine to another transparently?
I get that I can copy the server-keys from $OLDSERVER to $NEWSERVER, but my understanding is that SSH will still notice the IP address (they connect via name, and DNS will point to the new IP address) changing and still raise alarms.
Short of also migrating the IP address too (not an option here since they're owned by different orgs), is there a least-painful route?
The current/painful option is just "sorry, suckas, IP changed, host-key & its fingerprints changed, and all your automated SFTP tasks break until you accept the new host key", which I'm trying to avoid.

Thanks for any recommendations!
-
@gumnos Host keys in DNS. Or certificates.
-
@gumnos I would be surprised if that is possible; it would lead to risks.
-
@gumnos tell clients to pre-stage the known-hosts change? Just an idea.
-
@gumnos SSH certificates for the win. Just sign all your hosts' SSH keys with it and you can have a single line in known_hosts to validate it. So even if you reinstall, so long as you sign the SSH server keys with that one key it all works.
You can also do the same for user SSH keys.
I've been using this system for about 2 years on my servers and it's great. I store the private key in a safe place of course.
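The two suggestions in the thread (host keys published in DNS, and a host-key CA with one `@cert-authority` line in known_hosts) as an added example, not code posted by anyone in the thread. It assumes a hypothetical service name `sftp.example.org`, keeps the CA and server keys under a scratch directory, and needs OpenSSH's `ssh-keygen`; the validity window and the CA comment are arbitrary choices.

```sh
#!/bin/sh
# Added example: stand up a host-key CA, sign a new server's host key for the
# name clients connect to, and print the known_hosts line and SSHFP records
# clients can trust instead of a per-machine host key.
# Assumptions (hypothetical): service name sftp.example.org; keys under $WORK.
set -eu

if ! command -v ssh-keygen >/dev/null 2>&1; then
    echo "ssh-keygen (OpenSSH) not found; nothing to demonstrate" >&2
    exit 0
fi

WORK="${WORK:-$(mktemp -d)}"
SERVICE_NAME="sftp.example.org"   # the DNS name clients use, not the IP

# 1. Host CA key. The private half never leaves the signing box.
make_host_ca() {
    mkdir -p "$WORK/ca"
    [ -f "$WORK/ca/host_ca" ] || \
        ssh-keygen -q -t ed25519 -N '' -C 'host-ca' -f "$WORK/ca/host_ca"
}

# 2. A fresh host key for $NEWSERVER, signed with the CA. The key may differ
#    from $OLDSERVER's; what must match is the principal (the service name),
#    because that is what the client's @cert-authority pattern is keyed on.
sign_host_key() {
    mkdir -p "$WORK/srv"
    [ -f "$WORK/srv/ssh_host_ed25519_key" ] || \
        ssh-keygen -q -t ed25519 -N '' -C "$SERVICE_NAME" -f "$WORK/srv/ssh_host_ed25519_key"
    # -h: host certificate; -I: certificate id; -n: principals; -V: validity
    ssh-keygen -q -s "$WORK/ca/host_ca" -h -I "$SERVICE_NAME-host" \
        -n "$SERVICE_NAME" -V "-1h:+52w" \
        "$WORK/srv/ssh_host_ed25519_key.pub"
    # produces $WORK/srv/ssh_host_ed25519_key-cert.pub; sshd serves it via
    # HostCertificate /etc/ssh/ssh_host_ed25519_key-cert.pub
}

# 3. The single known_hosts line clients need. The host pattern limits which
#    names this CA is allowed to vouch for.
known_hosts_line() {
    printf '@cert-authority %s %s\n' "$SERVICE_NAME" \
        "$(cut -d' ' -f1,2 "$WORK/ca/host_ca.pub")"
}

# 4. Sanity check before rollout: the certificate carries the right principal.
cert_principals() {
    ssh-keygen -L -f "$WORK/srv/ssh_host_ed25519_key-cert.pub" \
        | sed -n '/Principals:/,/Critical Options:/p'
}

# 5. Sanity check: the certificate was signed by our CA, not some other key.
cert_signed_by_ca() {
    ca_fp=$(ssh-keygen -lf "$WORK/ca/host_ca.pub" | awk '{print $2}')
    ssh-keygen -L -f "$WORK/srv/ssh_host_ed25519_key-cert.pub" \
        | grep -qF "Signing CA: ED25519 $ca_fp"
}

# 6. The other route from the thread: SSHFP resource records for the zone.
#    Clients with "VerifyHostKeyDNS yes" accept a key that matches a
#    DNSSEC-validated record; without DNSSEC the match is only a hint.
sshfp_records() {
    ssh-keygen -r "$SERVICE_NAME" -f "$WORK/srv/ssh_host_ed25519_key.pub"
}

main() {
    make_host_ca
    sign_host_key
    echo "# add to ~/.ssh/known_hosts or /etc/ssh/ssh_known_hosts on each client:"
    known_hosts_line
    echo "# or publish in DNS:"
    sshfp_records
    cert_principals
    cert_signed_by_ca && echo "# certificate verified against CA"
}

main "$@"
```

With the `@cert-authority` line staged on clients ahead of time, the move is: generate a host key on `$NEWSERVER`, sign it with the same principal, point DNS at the new address. Known_hosts matching is by the name pattern, so the IP change itself is not what trips the client; if any clients still run `CheckHostIP yes` (the default before OpenSSH 8.5), plan for their cached IP entries separately. The CA's private key is now the thing whose theft lets someone impersonate every host, so it belongs offline or in an HSM, and the `-V` window bounds how long a stolen certificate stays useful.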
-
@gumnos Host keys in DNS. Or certificates.
/me turns to p151
Wonderful…I knew I'd read something relevant but didn't remember the right terms to search for it in the SSH Mastery PDF. Thanks!