On Wed 02 Feb 2022 at 14:28:40 (-0500), Greg Wooledge wrote:
> On Wed, Feb 02, 2022 at 02:21:08PM -0500, gene heskett wrote:
> > When I change something, like rebooting the rpi4 running my big Sheldon
> > lathe, from debian buster to debian bullseye, the keyfile changes, and I
> > get an explicit error telling me to run ssh-keygen to remove the
> > offending key, which I do, [...]
>
> What *I* would do is copy the host key files from the buster instance
> (the one that your client recognizes as valid) into the bullseye
> instance. That way, the client will recognize *both* server instances
> as the same host.
>
> The host keys are in the /etc/ssh/ directory in Debian. There are
> several files, and they all begin with ssh_host. Just copy them over
> and make sure the permissions are retained. (The ones without .pub on
> the end are meant to be private, so they have tighter permissions.)
>
> If you're not running Debian, but instead are running some perverse
> derivative that changes everything but still calls its releases "buster"
> and "bullseye" in order to maximize confusion, then your host keys might
> be in some other directory.
I do similar, after checking that the keys look as if they were generated
by the same scheme. I do this just after Grub has been installed on the
disk, ie at "Finish the installation". In a shell on VC2, or another
remote ssh connection, I type:

  # mount /dev/<previous-Debian-partition> /mnt
  # cp -ipr /mnt/etc/ssh/s*[by] /target/etc/ssh/
  # cp -ipr /mnt/root/.ssh (and most of root's dotfiles) /target/root/

The reason I do this in the d-i is because I typically install over a
ssh connection, and when the machine reboots at the end and I want to
login remotely to finish the configuration, I can just type (from
local's root):

  # ssh -X hostname

and I'm in.

To summarise, the upshot is that to install a new system, I visit the
machine to plug in a USB installer stick, boot up from it using the
one-time-boot option, and run these commands:

  │ Choose language                                           │
  │ Configure the keyboard                                    │
  │ Detect and mount CD-ROM                                   │
  │ Load installer components from CD                         │
  → network-console: Continue installation remotely using SSH ←
  │ Detect network hardware                                   │
  │ Configure the network                                     │
  │ Continue installation remotely using SSH                  │

set a password (I use the hostname) and return to my comfortable chair.
I never /have to/ revisit the target machine again.¹

One other trick: I run the remote installer with:

  $ ssh -o GlobalKnownHostsFile=/dev/null -o UserKnownHostsFile=/dev/null installer@hostname

which avoids polluting my ~/.ssh/known_hosts with the ephemeral host key
being used by the installer.

¹ unless I want my stick back. (Desktop machines are configured with
magic-packet wake-up in the BIOS.)

Cheers,
David.
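The host-key copy described in this thread, as an added example that is not part of either poster's mail: it copies the ssh_host_* files from the old installation with permissions preserved, refuses to proceed if a private key came across readable by group or others, and then confirms that the copied public key is the one a client already trusts in its known_hosts. The directory layout, the hostname "lathe", the address 192.0.2.10 and the key material are constructed placeholders (not real keys), and the check assumes unhashed known_hosts entries.

```shell
#!/bin/sh
# Added example, not code from the original mail. All paths, hostnames and
# key strings below are constructed stand-ins, not real key material.
set -eu

# Copy every OLD/ssh_host_* file into NEW with cp -p (mode, owner and
# timestamps kept), then fail if any copied private key is not mode ------
# for group and others, i.e. if the copy would leave it readable.
migrate_host_keys() {
    old=$1 new=$2
    mkdir -p "$new"
    for f in "$old"/ssh_host_*; do
        [ -e "$f" ] || continue          # glob matched nothing
        cp -p "$f" "$new/"
    done
    for key in "$new"/ssh_host_*_key; do
        [ -e "$key" ] || continue
        # columns 5-10 of "ls -l" are the group and other permission bits
        perms=$(ls -l "$key" | cut -c5-10)
        if [ "$perms" != "------" ]; then
            echo "refusing: $key is not private (group/other bits $perms)" >&2
            return 1
        fi
    done
}

# Return 0 if KNOWN_HOSTS holds an unhashed entry for HOST whose key type
# and base64 blob equal those in PUBKEY_FILE (an ssh_host_*.pub), else 1.
known_hosts_matches() {
    kh=$1 host=$2 pub=$3
    want=$(awk '{ print $1, $2 }' "$pub")
    awk -v h="$host" -v w="$want" '
        $1 !~ /^[@#]/ {
            n = split($1, names, ",")
            for (i = 1; i <= n; i++)
                if (names[i] == h && ($2 " " $3) == w) found = 1
        }
        END { exit found ? 0 : 1 }' "$kh"
}

# Walk-through on constructed data: the copy keeps the key private and the
# client's pre-existing known_hosts line still matches the copied key, while
# a freshly regenerated key (what a plain reinstall produces) does not.
demo() {
    tmp=$(mktemp -d)
    old=$tmp/buster/etc/ssh new=$tmp/bullseye/etc/ssh
    mkdir -p "$old"
    printf 'PLACEHOLDER PRIVATE KEY\n' > "$old/ssh_host_ed25519_key"
    printf 'ssh-ed25519 AAAAC3PLACEHOLDERHOSTKEY root@lathe\n' > "$old/ssh_host_ed25519_key.pub"
    chmod 600 "$old/ssh_host_ed25519_key"
    chmod 644 "$old/ssh_host_ed25519_key.pub"
    # the client's known_hosts, recorded while the machine still ran buster
    printf 'lathe,192.0.2.10 ssh-ed25519 AAAAC3PLACEHOLDERHOSTKEY\n' > "$tmp/known_hosts"

    migrate_host_keys "$old" "$new" || return 1
    known_hosts_matches "$tmp/known_hosts" lathe "$new/ssh_host_ed25519_key.pub" || return 1
    printf 'ssh-ed25519 AAAAC3DIFFERENTKEY root@lathe\n' > "$tmp/regenerated.pub"
    if known_hosts_matches "$tmp/known_hosts" lathe "$tmp/regenerated.pub"; then
        rm -rf "$tmp"; return 1
    fi
    rm -rf "$tmp"
}

# A private key left world-readable on the old disk must make the copy fail
# rather than be carried over silently.
demo_refuses_leaky_key() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/old"
    printf 'PLACEHOLDER PRIVATE KEY\n' > "$tmp/old/ssh_host_rsa_key"
    chmod 644 "$tmp/old/ssh_host_rsa_key"
    if migrate_host_keys "$tmp/old" "$tmp/new" 2>/dev/null; then
        rm -rf "$tmp"; return 1
    fi
    rm -rf "$tmp"
}

demo && demo_refuses_leaky_key && echo "host keys migrated and still trusted by the client"
```

On a real system the old partition would be mounted as in the mail and the two directories would be /mnt/etc/ssh and /target/etc/ssh. Debian's client ssh_config hashes known_hosts entries by default, in which case the plain-text comparison above will not find the host; use `ssh-keygen -F hostname -f ~/.ssh/known_hosts` to pull out the recorded key and compare it with the copied .pub file instead.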