This is a discussion on Moving private SSH keys to new machine? within the Linux Security forums, part of the System Security and Security Related category.

John Reese (john_reese@fin-rec.com) wrote:
Can private SSH keys be moved to a different computer?

> Can private SSH keys be moved to a different computer?

Assuming you're using OpenSSH, yes. Just copy the appropriate files over (ssh_host* under etc/ssh)

--
Jem Berkes
Software design for Windows and Linux/Unix-like systems
http://www.sysdesign.ca/

I realize now that my message was pretty vague. Apologies.

We are bringing a new production server on-line. There are hundreds of SSH clients with a public key to the old machine; our goal is to move the keys from the old server to the new one in a manner that is acceptable to the holders of the public keys.

I have tried the crude method -- I have moved *all* the old keys to the new server with the same IP as the old server -- but the clients still are refusing to log on, generating a man-in-the-middle warning.

Any idea how we can get past this?

John Reese

On Tue, 08 Mar 2005 16:07:29 +0000, Jem Berkes wrote:
>> Can private SSH keys be moved to a different computer?
>
> Assuming you're using OpenSSH, yes. Just copy the appropriate files over
> (ssh_host* under etc/ssh)

John Reese wrote:
> I realize now that my message was pretty vague. Apologies.
>
> We are bringing a new production server on-line. There are hundreds of SSH
> clients with a public key to the old machine; our goal is to move the keys
> from the old server to the new one in a manner that is acceptable to the
> holders of the public keys.
>
> I have tried the crude method -- I have moved *all* the old keys to the
> new server with the same IP as the old server -- but the clients still are
> refusing to log on, generating a man-in-the-middle warning.
>
> Any idea how we can get past this?
>
> John Reese
>
> On Tue, 08 Mar 2005 16:07:29 +0000, Jem Berkes wrote:
>
>>> Can private SSH keys be moved to a different computer?
>>
>> Assuming you're using OpenSSH, yes. Just copy the appropriate files over
>> (ssh_host* under etc/ssh)
>

Would it be possible to assign the old server's IP to the new server? I'm assuming it's the change in IP that's triggering the 'Man in the Middle' warning.

Me.

me wrote:
> John Reese wrote:
>
>> I realize now that my message was pretty vague. Apologies.
>>
>> We are bringing a new production server on-line. There are hundreds of
>> SSH clients with a public key to the old machine; our goal is to move the
>> keys from the old server to the new one in a manner that is acceptable to
>> the holders of the public keys.
>>
>> I have tried the crude method -- I have moved *all* the old keys to the
>> new server with the same IP as the old server -- but the clients still
>> are refusing to log on, generating a man-in-the-middle warning.
>>
>> Any idea how we can get past this?
>>
>> John Reese
>>
>> On Tue, 08 Mar 2005 16:07:29 +0000, Jem Berkes wrote:
>>
>>>> Can private SSH keys be moved to a different computer?
>>>
>>> Assuming you're using OpenSSH, yes. Just copy the appropriate files
>>> over (ssh_host* under etc/ssh)

This may not be acceptable but all the clients need to do is remove the old entry from the known_hosts or known_hosts2 file. I know this is probably not the way you want to solve the problem.

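To make the client-side check concrete, here is an added example (not code from the thread or from OpenSSH) that reproduces what the client compares when it decides whether a host's key is the one recorded in known_hosts: it parses plain entries and, going beyond the thread, the hashed |1| form that HashKnownHosts writes, and classifies an offered key as a match, a mismatch (the case that produces the man-in-the-middle warning) or unknown. The host address, key blobs, salt and known_hosts contents are constructed for the demonstration.

```python
import base64
import hashlib
import hmac

def ssh_string(b: bytes) -> bytes:
    return len(b).to_bytes(4, "big") + b
def ssh_mpint(n: int) -> bytes:
    # mpint wire form: big-endian bytes, with a leading zero byte when the top bit is set
    return ssh_string(n.to_bytes((n.bit_length() + 8) // 8, "big"))
def make_rsa_blob(e: int, n: int) -> bytes:
    # Wire format of an ssh-rsa public key; known_hosts stores it base64-encoded
    return ssh_string(b"ssh-rsa") + ssh_mpint(e) + ssh_mpint(n)

def fingerprint(blob: bytes) -> str:
    # OpenSSH-style SHA256 fingerprint: unpadded base64 of sha256(key blob)
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")

def hashed_entry(host: str, keytype: str, blob: bytes, salt: bytes) -> str:
    # HashKnownHosts form: |1|base64(salt)|base64(hmac-sha1(salt, host)) keytype base64(blob)
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    b64 = lambda x: base64.b64encode(x).decode()
    return "|1|%s|%s %s %s\n" % (b64(salt), b64(mac), keytype, b64(blob))

def hostname_matches(field: str, host: str) -> bool:
    if field.startswith("|1|"):
        _, _, salt, mac = field.split("|")
        want = hmac.new(base64.b64decode(salt), host.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(want, base64.b64decode(mac))
    return host in field.split(",")  # a plain field may list several names/addresses

def check_known_hosts(text: str, host: str, keytype: str, blob: bytes) -> str:
    """'match', 'mismatch' (host known with another key of this type: the warning case) or 'unknown'."""
    known = False
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0].startswith(("#", "@")):  # skip comments and marker lines
            continue
        if parts[1] != keytype or not hostname_matches(parts[0], host):
            continue
        known = True
        if base64.b64decode(parts[2]) == blob:
            return "match"
    return "mismatch" if known else "unknown"

# Constructed key blobs (not real keys) and a constructed client known_hosts that records
# the old server's key once plain and once hashed; HOST stands in for the server's address
OLD_BLOB = make_rsa_blob(65537, int.from_bytes(b"constructed old-server modulus", "big"))
NEW_BLOB = make_rsa_blob(65537, int.from_bytes(b"constructed new-server modulus", "big"))
HOST = "192.0.2.10"
KNOWN_HOSTS = "%s ssh-rsa %s\n" % (HOST, base64.b64encode(OLD_BLOB).decode())
KNOWN_HOSTS += hashed_entry(HOST, "ssh-rsa", OLD_BLOB, hashlib.sha1(b"constructed salt").digest())
```

Running `check_known_hosts(KNOWN_HOSTS, HOST, "ssh-rsa", NEW_BLOB)` returns "mismatch": the address is unchanged, but the recorded key blob differs, which is exactly the condition the client warns about, and comparing `fingerprint()` of the key the new server actually serves against the old server's recorded one shows whether the copied files are the ones being used.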
Thanks for your response. The new server's IP address was the same as the old machine, so IP alone won't validate the key. I'm guessing that the key generator incorporates a section from the MAC address, which of course is different on the two machines. Any ideas?

On Tue, 08 Mar 2005 13:16:55 -0500, me wrote:
> John Reese wrote:
>> I realize now that my message was pretty vague. Apologies.
>>
>> We are bringing a new production server on-line. There are hundreds of SSH
>> clients with a public key to the old machine; our goal is to move the keys
>> from the old server to the new one in a manner that is acceptable to the
>> holders of the public keys.
>>
>> I have tried the crude method -- I have moved *all* the old keys to the
>> new server with the same IP as the old server -- but the clients still are
>> refusing to log on, generating a man-in-the-middle warning.
>>
>> Any idea how we can get past this?
>>
>> John Reese
>>
>> On Tue, 08 Mar 2005 16:07:29 +0000, Jem Berkes wrote:
>>
>>>> Can private SSH keys be moved to a different computer?
>>>
>>> Assuming you're using OpenSSH, yes. Just copy the appropriate files over
>>> (ssh_host* under etc/ssh)
>
> Would it be possible to assign the old server's IP to the new server?
> I'm assuming it's the change in IP that's triggering the 'Man in the
> Middle' warning.
>
> Me.

Yes, this would be my first choice, too, but we have too many clients at too many remote locations. If there is any way to change one machine rather than hundreds, that would be the way to go, even if it were technically more difficult. Any thoughts?

JR

On Tue, 08 Mar 2005 19:37:19 +0000, Barton L. Phillips wrote:
> me wrote:
>> John Reese wrote:
>>
>>> I realize now that my message was pretty vague. Apologies.
>>>
>>> We are bringing a new production server on-line. There are hundreds of
>>> SSH clients with a public key to the old machine; our goal is to move the
>>> keys from the old server to the new one in a manner that is acceptable to
>>> the holders of the public keys.
>>>
>>> I have tried the crude method -- I have moved *all* the old keys to the
>>> new server with the same IP as the old server -- but the clients still
>>> are refusing to log on, generating a man-in-the-middle warning.
>>>
>>> Any idea how we can get past this?
>>>
>>> John Reese
>>>
>>> On Tue, 08 Mar 2005 16:07:29 +0000, Jem Berkes wrote:
>>>
>>>>> Can private SSH keys be moved to a different computer?
>>>>
>>>> Assuming you're using OpenSSH, yes. Just copy the appropriate files
>>>> over (ssh_host* under etc/ssh)
>
> This may not be acceptable but all the clients need to do is remove the
> old entry from the known_hosts or known_hosts2 file. I know this is
> probably not the way you want to solve the problem.

John Reese wrote:
> Thanks for your response. The new server's IP address was the same as the
> old machine, so IP alone won't validate the key. I'm guessing that the key
> generator incorporates a section from the MAC address, which of course is
> different on the two machines. Any ideas?
>
> On Tue, 08 Mar 2005 13:16:55 -0500, me wrote:
>
>> John Reese wrote:
>>
>>> I realize now that my message was pretty vague. Apologies.
>>>
>>> We are bringing a new production server on-line. There are hundreds of SSH
>>> clients with a public key to the old machine; our goal is to move the keys
>>> from the old server to the new one in a manner that is acceptable to the
>>> holders of the public keys.
>>>
>>> I have tried the crude method -- I have moved *all* the old keys to the
>>> new server with the same IP as the old server -- but the clients still are
>>> refusing to log on, generating a man-in-the-middle warning.
>>>
>>> Any idea how we can get past this?
>>>
>>> John Reese
>>>
>>> On Tue, 08 Mar 2005 16:07:29 +0000, Jem Berkes wrote:
>>>
>>>>> Can private SSH keys be moved to a different computer?
>>>>
>>>> Assuming you're using OpenSSH, yes. Just copy the appropriate files over
>>>> (ssh_host* under etc/ssh)
>>
>> Would it be possible to assign the old server's IP to the new server?
>> I'm assuming it's the change in IP that's triggering the 'Man in the
>> Middle' warning.
>>
>> Me.
>

Mmmmmm, you've probably got onboard ethernet on both machines too, otherwise you'd have just swapped cards. I know you can clone MACs with wireless cards, I wonder if you can do that with standard ethernet cards.....? Sorry, the only thing I can think of right now.

Me.

John Reese <john_reese@fin-rec.com> wrote:
> Can private SSH keys be moved to a different computer?

Could you tell us the recipe(s) you used w/o success?

Thx.

--
PLEASE post a SUMMARY of the answer(s) to your question(s)!
Show Windows & Gates to the exit door.
Unless otherwise noted, the statements herein reflect my personal opinions and not those of any organization with which I may be affiliated.

I have tried the crude method -- I have moved *all* the old keys to the new server. (BTW, the new server has the same IP as the old server.) The clients still are refusing to log on, generating a man-in-the-middle warning. Any idea how we can get past this?

On Tue, 08 Mar 2005 21:45:23 +0000, Kevin wrote:
> John Reese <john_reese@fin-rec.com> wrote:
>> Can private SSH keys be moved to a different computer?
>
> Could you tell us the recipe(s) you used w/o success?
>
> Thx.