    SSH Keys and migrating to a new device

    • JaredBuschJ
      JaredBusch @wirestyle22
      last edited by JaredBusch

      @wirestyle22 said in SSH Keys and migrating to a new device:

      So RTFM and it seems like ssh-copy-id is the correct command to do this. Is that correct? I know this isn't what you're asking, but anytime something like this comes up that I haven't done I attempt to figure out how to do it.

      ssh-copy-id user@newhost.domain.com

      No, that adds the public key to the authorized_keys file.

      1 Reply Last reply Reply Quote 4
      • JaredBuschJ
        JaredBusch
        last edited by

        What you have to migrate is your id_rsa and id_rsa.pub

        [12:39 jbusch ~]$ ls -la .ssh/
        total 28
        drwx------.  2 jbusch jbusch 4096 May 28 23:50 .
        drwxrwxr-x+ 32 jbusch jbusch 4096 Jun 28 21:38 ..
        -rw-------.  1 jbusch jbusch 3243 May 28 23:50 id_rsa
        -rw-r--r--.  1 jbusch jbusch  745 May 28 23:50 id_rsa.pub
        -rw-r--r--.  1 jbusch jbusch 8079 Jun 18 19:58 known_hosts
        
        1 Reply Last reply Reply Quote 2
        • scottalanmillerS
          scottalanmiller
          last edited by

          I think moving it is fine. It's like migrating a profile. In some big places where I have worked, your keys were kept in NFS so that no matter where you signed in from, you got your central key. I agree with not having the same key in multiple places. But shifting it from one machine to another is fine.

          1 Reply Last reply Reply Quote 0
          • JaredBuschJ
            JaredBusch
            last edited by

            Here is how you do it assuming Fedora/Korora 25

            We are assuming that the username is the same on both machines because this is a migration.

            • On the new machine, start the SSH server. Since this is a laptop/desktop, it should not be running normally.
            systemctl start sshd
            
            • On the new machine, make sure you have no private key yet. There should not be anything here. If there is, you have to figure out what you are already using a private key for.
            [12:53 jbusch ~]$ ls -la ~/.ssh/
            drwx------.  2 jbusch jbusch 4096 May 28 23:50 .
            drwxrwxr-x+ 32 jbusch jbusch 4096 Jun 28 21:38 ..
            
            • On the old machine use rsync to transfer everything.
            rsync /home/jbusch/.ssh/* jbusch@10.254.103.242:/home/jbusch/.ssh/
            jbusch@10.254.103.242's password: 
            
            • On your new machine turn the SSH server back off
            systemctl stop sshd
            
            • Test a login from your new machine to some server
            ssh 10.254.0.108
            Last login: Fri Jun 30 12:53:31 2017 from 24.14.15.238
            [jbusch@relay ~]$
            
            wirestyle22W 1 Reply Last reply Reply Quote 3
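A check to run on the new machine after the rsync step above, as an added example that is not part of the original post: it confirms that the copied private key kept owner-only permissions and that each `.pub` file still corresponds to the private key beside it. The function name `audit_ssh_dir` and the `SSH_KEYGEN` override are hypothetical; `stat -c` assumes GNU coreutils, as on Fedora.

```bash
#!/usr/bin/env bash
# Added example: audit a migrated ~/.ssh directory.
# Returns 0 when clean, 1 on findings, 2 if the directory cannot be read.
# Usage: audit_ssh_dir ~/.ssh
audit_ssh_dir() {
    local dir="${1:-$HOME/.ssh}"
    local keygen="${SSH_KEYGEN:-ssh-keygen}"   # hypothetical override
    local rc=0 mode pub key derived stored
    mode=$(stat -c '%a' "$dir") || return 2
    if [ "$mode" != "700" ]; then
        echo "WARN: $dir is mode $mode, expected 700"
        rc=1
    fi
    for pub in "$dir"/*.pub; do
        [ -e "$pub" ] || continue
        key="${pub%.pub}"
        if [ ! -f "$key" ]; then
            echo "WARN: $pub has no private key beside it"
            rc=1
            continue
        fi
        mode=$(stat -c '%a' "$key")
        case "$mode" in
            600|400) ;;
            *)  echo "WARN: $key is mode $mode, expected 600"
                rc=1
                continue ;;   # ssh also refuses private keys that are too open
        esac
        command -v "$keygen" >/dev/null 2>&1 || continue
        # Derive the public key from the private key and compare key type and
        # blob, ignoring the comment. Prompts if the key has a passphrase.
        derived=$("$keygen" -y -f "$key" 2>/dev/null | awk '{print $1, $2; exit}')
        stored=$(awk '{print $1, $2; exit}' "$pub")
        if [ -z "$derived" ] || [ "$derived" != "$stored" ]; then
            echo "WARN: $pub does not match $key"
            rc=1
        else
            echo "OK: $key (mode $mode) matches $pub"
        fi
    done
    return "$rc"
}
```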
            • wirestyle22W
              wirestyle22 @JaredBusch
              last edited by wirestyle22

              @JaredBusch Thanks. This is great. I'm going to spin some VMs up on my home server and do this

              JaredBuschJ 1 Reply Last reply Reply Quote 0
              • JaredBuschJ
                JaredBusch @wirestyle22
                last edited by JaredBusch

                @wirestyle22 said in SSH Keys and migrating to a new device:

                @JaredBusch Thanks. This is great

                Again, you want a unique private key on every device, in order to lock things out discretely. Otherwise if you simply had the same private key everywhere, you would lose all access from every device just because your laptop was compromised and you had to lock out the public key.

                So this process is really only something that should ever happen on a profile migration.

                scottalanmillerS wirestyle22W stacksofplatesS 3 Replies Last reply Reply Quote 3
                • scottalanmillerS
                  scottalanmiller @JaredBusch
                  last edited by

                  @JaredBusch said in SSH Keys and migrating to a new device:

                  @wirestyle22 said in SSH Keys and migrating to a new device:

                  @JaredBusch Thanks. This is great

                  Again, you want a unique private key on every device, in order to lock things out discretely. Otherwise if you simply had the same private key everywhere, you would lose all access from every device just because your laptop was compromised and you had to lock out the public key.

                  So this process is really only something that should ever happen on a profile migration.

                  I agree. And you want your keys labelled with their origination device, easier to track.

                  wirestyle22W 1 Reply Last reply Reply Quote 0
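The per-device lockout discussed above, as an added example (not code from any poster): with one labelled key per device, revoking a compromised laptop on the server side removes one `authorized_keys` line and leaves the other devices working. The function names, the sample entries and the one-word label convention are assumptions.

```bash
#!/usr/bin/env bash
# Added example, not from the thread. Assumption: the trailing comment of each
# authorized_keys entry is a one-word device label such as "jbusch@laptop".

# Constructed sample: one key per device (blobs are placeholders, not real keys).
sample_authorized_keys() {
    cat <<'EOF'
# managed by hand
ssh-ed25519 AAAAC3CONSTRUCTEDLAPTOP jbusch@laptop
from="10.254.0.0/16" ssh-rsa AAAAB3CONSTRUCTEDDESKTOP jbusch@desktop
ssh-ed25519 AAAAC3CONSTRUCTEDTABLET jbusch@tablet
EOF
}

# Print "<label> <keytype>" per entry; the key type follows any options field.
list_device_keys() {
    awk '/^[ \t]*(#|$)/ { next }
    {
        for (i = 1; i <= NF; i++)
            if ($i ~ /^(ssh-|ecdsa-|sk-)/) {
                label = (i + 2 <= NF) ? $(i + 2) : "(unlabelled)"
                print label, $i
                next
            }
    }' "$1"
}

# Remove the entries labelled $2 from file $1, keeping a .bak copy.
# Returns 0 if an entry was removed, 1 if the label was not present.
revoke_device() {
    local file="$1" label="$2" tmp
    tmp=$(mktemp "$file.XXXXXX") || return 2   # mktemp creates it mode 0600
    if awk -v want="$label" '{
            for (i = 1; i <= NF; i++)
                if ($i ~ /^(ssh-|ecdsa-|sk-)/) {
                    if ($(i + 2) == want) { removed = 1; next }  # this device only
                    break
                }
            print
        }
        END { exit (removed ? 0 : 1) }' "$file" > "$tmp"; then
        cp -p "$file" "$file.bak" && mv "$tmp" "$file"
    else
        rm -f "$tmp"
        return 1
    fi
}
```

If the same key were installed under several device labels, removing one label would not lock that key out, which is why each device needs its own key.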
                  • wirestyle22W
                    wirestyle22 @JaredBusch
                    last edited by

                    @JaredBusch said in SSH Keys and migrating to a new device:

                    @wirestyle22 said in SSH Keys and migrating to a new device:

                    @JaredBusch Thanks. This is great

                    Again, you want a unique private key on every device, in order to lock things out discretely. Otherwise if you simply had the same private key everywhere, you would lose all access from every device just because your laptop was compromised and you had to lock out the public key.

                    So this process is really only something that should ever happen on a profile migration.

                    Understood. That would make administrating those devices unnecessarily difficult

                    1 Reply Last reply Reply Quote 0
                    • wirestyle22W
                      wirestyle22 @scottalanmiller
                      last edited by

                      @scottalanmiller said in SSH Keys and migrating to a new device:

                      @JaredBusch said in SSH Keys and migrating to a new device:

                      @wirestyle22 said in SSH Keys and migrating to a new device:

                      @JaredBusch Thanks. This is great

                      Again, you want a unique private key on every device, in order to lock things out discretely. Otherwise if you simply had the same private key everywhere, you would lose all access from every device just because your laptop was compromised and you had to lock out the public key.

                      So this process is really only something that should ever happen on a profile migration.

                      I agree. And you want your keys labelled with their origination device, easier to track.

                      If you're nuking the profile after you migrate it what benefit would that give you?

                      JaredBuschJ scottalanmillerS 2 Replies Last reply Reply Quote 0
                      • JaredBuschJ
                        JaredBusch @wirestyle22
                        last edited by

                        @wirestyle22 said in SSH Keys and migrating to a new device:

                        @scottalanmiller said in SSH Keys and migrating to a new device:

                        @JaredBusch said in SSH Keys and migrating to a new device:

                        @wirestyle22 said in SSH Keys and migrating to a new device:

                        @JaredBusch Thanks. This is great

                        Again, you want a unique private key on every device, in order to lock things out discretely. Otherwise if you simply had the same private key everywhere, you would lose all access from every device just because your laptop was compromised and you had to lock out the public key.

                        So this process is really only something that should ever happen on a profile migration.

                        I agree. And you want your keys labelled with their origination device, easier to track.

                        If you're nuking the profile after you migrate it what benefit would that give you?

                        He means on the server side.

                        1 Reply Last reply Reply Quote 1
                        • scottalanmillerS
                          scottalanmiller @wirestyle22
                          last edited by

                          @wirestyle22 said in SSH Keys and migrating to a new device:

                          @scottalanmiller said in SSH Keys and migrating to a new device:

                          @JaredBusch said in SSH Keys and migrating to a new device:

                          @wirestyle22 said in SSH Keys and migrating to a new device:

                          @JaredBusch Thanks. This is great

                          Again, you want a unique private key on every device, in order to lock things out discretely. Otherwise if you simply had the same private key everywhere, you would lose all access from every device just because your laptop was compromised and you had to lock out the public key.

                          So this process is really only something that should ever happen on a profile migration.

                          I agree. And you want your keys labelled with their origination device, easier to track.

                          If you're nuking the profile after you migrate it what benefit would that give you?

                          That you know that that one key still represents just one device.

                          1 Reply Last reply Reply Quote 1
                          • wirestyle22W
                            wirestyle22
                            last edited by

                            @JaredBusch @scottalanmiller OH, got it. Thanks.

                            1 Reply Last reply Reply Quote 0
                            • stacksofplatesS
                              stacksofplates @JaredBusch
                              last edited by stacksofplates

                              @JaredBusch said in SSH Keys and migrating to a new device:

                              @wirestyle22 said in SSH Keys and migrating to a new device:

                              @JaredBusch Thanks. This is great

                              Again, you want a unique private key on every device, in order to lock things out discretely. Otherwise if you simply had the same private key everywhere, you would lose all access from every device just because your laptop was compromised and you had to lock out the public key.

                              So this process is really only something that should ever happen on a profile migration.

                              Ya it's a big advantage to having automounted home directories or having LDAP store the keys. You can easily revoke and add another key and have it work everywhere.

                              Or using Kerberos instead of pub/priv keys.

                              I realize @JaredBusch knows this, but for others who may not.

                              1 Reply Last reply Reply Quote 3