[Infrastructures] Distributing private key information at install time
Daniel Hagerty
Daniel Hagerty <hag@linnaean.org>
Mon, 2 Oct 2006 14:20:00 -0400
> Whenever I reinstall a machine, I set up secure shell on the box,
> and every time it will run ssh-keygen to make host keys. And then
> SSH gets all annoyed at me because the host key has changed and I
> have to remove it from known_hosts to assure SSH that it's all right
> really. Not just me, actually. Everybody has to do that for each
> name under which they ever accessed the box. So what you really
> need is a way to restore the original host keys, so that all the
> ssh clients will have the correct information already.
Well, there's a different problem that you have some chance of
running into: what do you do if you're regenerating a key because a
machine was compromised? You really do want to burn the old key at
that point.
You want to centralize the ssh_known_hosts file for your site to
the /etc version. Ssh provides some tools for doing this, although
what they give you isn't quite a 100% solution. Take a look at
ssh-keyscan.
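As an added illustration of the approach above (example code, not from the original post or from OpenSSH), here is a small shell routine that folds fresh ssh-keyscan output into a site-wide ssh_known_hosts. The point it adds to the prose: when a host has been rebuilt, whether after a routine reinstall or after a compromise, the old key for that host is dropped rather than kept beside the new one, and every host whose key changed is reported so you can check it. The hostnames and key blobs in the sample files are constructed placeholders, not real keys; `scan_hosts` is the only part that touches the network and is not exercised by the sample run.

```shell
#!/bin/sh
# Maintain a central ssh_known_hosts from ssh-keyscan output.
# Added example; hostnames and key material below are constructed.

# Fresh scan of every host listed in $1 (one name per line).  Needs the
# network.  ssh-keyscan authenticates nothing: it records whatever answers,
# so run it from a trusted vantage point right after the install, not from
# an arbitrary client later on.
scan_hosts() {
    ssh-keyscan -t ed25519,rsa -f "$1" 2>/dev/null
}

# merge_known_hosts OLD NEW OUT
#   OLD  current site ssh_known_hosts
#   NEW  fresh ssh-keyscan output
#   OUT  merged file to write
# Every (host, keytype) in NEW is written with its freshly scanned key.
# Entries in OLD that were rescanned are discarded (the old key is burned,
# never retained), and "CHANGED host keytype" is printed for each one whose
# key actually differs.  Entries in OLD that were not rescanned are carried
# forward.  Comment lines are dropped.
merge_known_hosts() {
    : > "$3"
    awk -v out="$3" '
        /^#/ || NF < 3 { next }            # skip comments and junk
        FNR == NR {                        # file 1: fresh scan
            fresh[$1, $2] = $3
            print > out
            next
        }
        ($1, $2) in fresh {                # file 2: old entry that was rescanned
            if (fresh[$1, $2] != $3) print "CHANGED " $1 " " $2
            next                           # old key dropped either way
        }
        { print > out }                    # not rescanned: carry forward
    ' "$2" "$1"
}

# Constructed sample data: the site file as it stands, and a rescan of two
# hosts, one of which (web1) was just reinstalled and has a new key.
write_samples() {
    cat > "$1/ssh_known_hosts" <<'EOF'
# constructed site file
web1.example.net ssh-ed25519 AAAAC3OLDweb1
db1.example.net ssh-ed25519 AAAAC3db1
mail.example.net ssh-rsa AAAAB3mail
EOF
    cat > "$1/fresh.scan" <<'EOF'
web1.example.net ssh-ed25519 AAAAC3NEWweb1
mail.example.net ssh-rsa AAAAB3mail
EOF
}

# Demo run on the constructed data.
demo=$(mktemp -d)
write_samples "$demo"
merge_known_hosts "$demo/ssh_known_hosts" "$demo/fresh.scan" "$demo/merged"
cat "$demo/merged"
rm -rf "$demo"
```

In practice the flow is `scan_hosts hostlist > fresh.scan`, then `merge_known_hosts /etc/ssh/ssh_known_hosts fresh.scan new.known_hosts`, a look at any CHANGED lines (a changed key on a host nobody reinstalled is worth a phone call), then pushing the merged file to clients. This is the "not quite 100%" part: the merge keeps the site file consistent, but only your own knowledge of which hosts were legitimately rebuilt tells you whether a changed key is benign.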