[CentOS-virt] server host keys for kvm clones

Wed Jan 4 20:14:28 UTC 2012
Ed Heron <Ed at Heron-ent.com>

On Wed, 2012-01-04 at 20:31 +0100, Thomas Göttgens wrote:
> Hi James,
> 
> depending on your use case:
> 
> if your source is a template VM: just delete the keys prior to cloning
> in the source VM
> 
> if your source is a production VM: just delete the keys after cloning
> on the newly cloned VM
> 
> The keys will be regenerated on next startup of openssh if they're
> missing.
> 
> On Wednesday, 4 January 2012 at 20:08 you wrote:
> 
> > Respecting cloning vm guests, I see in /etc/ssh the
> > following:
> 
> > ssh_host_dsa_key
> > ssh_host_dsa_key.pub
> > ssh_host_key
> > ssh_host_key.pub
> > ssh_host_rsa_key
> > ssh_host_rsa_key.pub
> 
> > Is there a simple script somewhere to regenerate all the
> > server host keys for the new guest after cloning?
> 

  Is there a process for pre-generating keys so these keys
and .ssh/known_hosts can be pre-filled for all users/hosts?

  I dislike upgrading servers.  I use kickstart from updated sources
with integrated configuration files on a new virtual disk to produce an
upgraded server without touching the live server.  This gives me the
chance to test the new server prior to making it live and verifies I can
reproduce a failed server at need.  Also, this allows me to restage
firewalls automatically on a schedule.  Let's see a rootkit survive a
clean install.

  Currently, I'm allowing the keys to be regenerated, but it gets
annoying editing my known hosts to remove old entries.

  There's got to be a better way.
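An added example (not code from any poster in this thread) that covers both points raised above: regenerating the host keys on a fresh clone, and pre-filling known_hosts from the generated public keys so the old entries do not have to be edited by hand. It is POSIX sh; the key directory, host spec and known_hosts path are parameters, and the sample public key blobs used in the usage note are constructed, not real keys. Only the ssh_host_rsa_key and ssh_host_dsa_key files from the listing are regenerated (the protocol 1 ssh_host_key is not recreated).

```shell
#!/bin/sh
# Added example for the thread above, not from the original posts.
# Two halves: (1) regenerate host keys on a clone, (2) rebuild the
# matching known_hosts entries from the resulting public keys.

# regen_host_keys [DIR]
# Delete and regenerate the host keys in DIR (default /etc/ssh).
# Run as root on the clone, or on the staging disk before first boot;
# sshd will also regenerate missing keys on its own at next start.
regen_host_keys() {
    dir=${1:-/etc/ssh}
    rm -f "$dir"/ssh_host_*key "$dir"/ssh_host_*key.pub
    ssh-keygen -q -t rsa -N '' -f "$dir/ssh_host_rsa_key"
    ssh-keygen -q -t dsa -N '' -f "$dir/ssh_host_dsa_key"
}

# known_hosts_lines HOSTSPEC DIR
# Print one known_hosts line per public key in DIR, e.g.
#   web1,192.0.2.10 ssh-rsa AAAA...
# Only the key type and base64 blob are kept; the trailing comment
# in the .pub file is dropped.
known_hosts_lines() {
    hostspec=$1; dir=$2
    for pub in "$dir"/ssh_host_*key.pub; do
        [ -f "$pub" ] || continue
        awk -v h="$hostspec" '{print h, $1, $2}' "$pub"
    done
}

# refresh_known_hosts FILE HOSTSPEC DIR
# Remove every line of FILE whose host field contains any name in
# HOSTSPEC (comma separated), then append fresh lines for the keys in
# DIR. Hashed entries (HashKnownHosts yes) are not matched; use
# ssh-keygen -R for those.
refresh_known_hosts() {
    file=$1; hostspec=$2; dir=$3
    tmp=$(mktemp)
    if [ -f "$file" ]; then
        awk -v h="$hostspec" '
            BEGIN { n = split(h, want, ",") }
            {
                keep = 1
                m = split($1, have, ",")
                for (i = 1; i <= m; i++)
                    for (j = 1; j <= n; j++)
                        if (have[i] == want[j]) keep = 0
                if (keep) print
            }' "$file" > "$tmp"
    else
        : > "$tmp"
    fi
    known_hosts_lines "$hostspec" "$dir" >> "$tmp"
    mv "$tmp" "$file"
}
```

Usage in a kickstart %post or a staging script would be `regen_host_keys /mnt/newroot/etc/ssh`, then on the admin host `refresh_known_hosts ~/.ssh/known_hosts web1,192.0.2.10 /path/to/copied/etc/ssh`. Because the keys are generated before the clone ever goes live, the known_hosts entry can be distributed ahead of time and the first connection is verified rather than trusted on first use.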