[Discuss] SSH and Server OS Migration

Matthew Gillen me at mattgillen.net
Wed Sep 8 19:58:15 EDT 2021



On 9/8/2021 10:32 AM, jbk wrote:
> On 9/8/21 9:51 AM, Eric Chadbourne wrote:
>>
>> On 9/8/21 9:26 AM, jbk wrote:
>>> I am migrating my home file and backup server from SL 7 to Rocky 8 in
>>> a dual boot arrangement. It serves three or four other notebooks and
>>> workstations. The backup program (BackupPC) uses ssh on the client
>>> machines to call rsync and transmit the backup data.
>>> What I thought I could do so that I didn't have to update the
>>> "knownhosts" file on all machines was to substitute the public and
>>> private keys on Rocky with those from SL 7 ( /etc/ssh). This did not
>>> work, as I get the error "fingerprint does not match" from the other machine.
>>> I thought I had done this 10 years ago when I last upgraded the
>>> server. Since then SSH has changed the allowed key types (dsa to
>>> ecdsa) for better encryption and I had to go through the process of
>>> updating the keys and knownhost files on all the machines.
>>> It is going to take me a while to get the backup server configured on
>>> Rocky so I will be continuing to use SL 7 during this process.
>>> Is it possible to substitute the keys on Rocky for those on SL 7?
>>>
>>
>>
>> I think you can either write a two line bash script to remove and add
>> the keys, or look at StrictHostKeyChecking.
>>
>> Eric
> These seem reasonable routes to pursue during the transition phase on
> one of the client machines. It's easy enough to create two knownhosts
> files and substitute one for the other during the testing phase. I
> will just have to update all the knownhosts files once the final
> transition is made.
> 
> Rocky does come with a nifty tool ( cockpit ) that was helpful during
> the initial setup, but it is tied to the original SSH keys and would be
> broken with my intended approach.

If you want to get fancy you could put the server key fingerprint in DNS
and set the default configuration on the client boxes to include
VerifyHostKeyDNS.

It will then implicitly trust a host key that matches the DNS record.  e.g.
https://www.matoski.com/article/sshfp-dns-records/

Matt
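The SSHFP approach Matt describes, worked through as an added example (this is not code from the thread or from OpenSSH; it is a small Python model of what `ssh-keygen -r` publishes and what a `VerifyHostKeyDNS` client checks). The SSHFP record is just a hash of the host key's wire-format public-key blob, so if the same key files are carried from SL 7 to Rocky the record does not change. The ed25519 key bytes, the hostname `backup.example.internal` and the record strings are all constructed for the example. One caveat worth keeping in mind: OpenSSH only trusts a DNS match silently when the answer was DNSSEC-validated; an unvalidated SSHFP record just adds an informational line and the client still falls back to asking.

```python
"""Model of SSHFP records (RFC 4255 / RFC 6594) and the VerifyHostKeyDNS check.

Added example for this thread, not code from the original post or from
OpenSSH. All key material and names below are constructed for illustration.
"""
import base64
import hashlib
import struct

# SSHFP algorithm numbers: 1 RSA, 2 DSA, 3 ECDSA, 4 Ed25519 (RFC 4255/6594/7479)
SSHFP_ALGO = {
    "ssh-rsa": 1,
    "ssh-dss": 2,
    "ecdsa-sha2-nistp256": 3,
    "ecdsa-sha2-nistp384": 3,
    "ecdsa-sha2-nistp521": 3,
    "ssh-ed25519": 4,
}
# SSHFP fingerprint types: 1 = SHA-1, 2 = SHA-256
SSHFP_FPTYPE = {1: hashlib.sha1, 2: hashlib.sha256}


def ssh_string(b: bytes) -> bytes:
    """Encode bytes as an SSH wire-format string (uint32 big-endian length prefix)."""
    return struct.pack(">I", len(b)) + b


def make_ed25519_pubkey_line(raw32: bytes, comment: str = "constructed") -> str:
    """Build a .pub-style line for an ed25519 key from 32 raw key bytes.

    The blob layout (type string, then key bytes) is what sshd sends on the wire
    and what SSHFP hashes. The key bytes here are constructed, not a real key.
    """
    blob = ssh_string(b"ssh-ed25519") + ssh_string(raw32)
    return f"ssh-ed25519 {base64.b64encode(blob).decode()} {comment}"


def sshfp_records(hostname: str, pubkey_line: str, fptypes=(1, 2)) -> list:
    """Return SSHFP resource-record strings for one public-key line.

    This mirrors what `ssh-keygen -r hostname -f key.pub` prints: the record
    carries the algorithm number, the hash type and the hex hash of the blob.
    """
    keytype, b64 = pubkey_line.split()[:2]
    blob = base64.b64decode(b64)
    algo = SSHFP_ALGO[keytype]
    records = []
    for fptype in fptypes:
        fp = SSHFP_FPTYPE[fptype](blob).hexdigest().upper()
        records.append(f"{hostname} IN SSHFP {algo} {fptype} {fp}")
    return records


def parse_sshfp(rr: str):
    """Parse an SSHFP RR string into (algorithm, fingerprint type, hex fingerprint)."""
    fields = rr.split()
    i = fields.index("SSHFP")
    return int(fields[i + 1]), int(fields[i + 2]), fields[i + 3].upper()


def host_key_matches_dns(pubkey_line: str, dns_records) -> bool:
    """Model the client-side VerifyHostKeyDNS decision.

    The presented host key is accepted only if some SSHFP record has the same
    algorithm number and a SHA-256 fingerprint equal to the hash of the key blob.
    SHA-1 (type 1) records are deliberately ignored here. A real client must
    additionally require the DNS answer to be DNSSEC-validated before trusting it.
    """
    keytype, b64 = pubkey_line.split()[:2]
    blob = base64.b64decode(b64)
    algo = SSHFP_ALGO.get(keytype)
    digest = hashlib.sha256(blob).hexdigest().upper()
    return any(
        a == algo and t == 2 and fp == digest
        for a, t, fp in (parse_sshfp(rr) for rr in dns_records)
    )


if __name__ == "__main__":
    # Constructed key: the same host key carried from the SL 7 install to Rocky 8.
    sl7_key = make_ed25519_pubkey_line(bytes(range(32)), "root@sl7")
    rocky_key = make_ed25519_pubkey_line(bytes(range(32)), "root@rocky")
    records = sshfp_records("backup.example.internal", sl7_key)
    for rr in records:
        print(rr)
    # Same key bytes => same fingerprint, so the published records still match.
    print("rocky key trusted via DNS:", host_key_matches_dns(rocky_key, records))
    # A freshly generated key would not match until the zone is updated.
    fresh_key = make_ed25519_pubkey_line(bytes(range(1, 33)), "root@rocky-new")
    print("fresh key trusted via DNS:", host_key_matches_dns(fresh_key, records))
```

Publishing both the SHA-1 and SHA-256 records is what `ssh-keygen -r` does by default; the check above trusts only the SHA-256 one, which is the sensible client-side choice today.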