freebsd security - Feb 2007 - post-reload SSH server key transfer ... comments ?

I am going to be replacing system X with system Y (which is much faster, newer).

I will load up the new system from scratch, and then just copy over the user
data from the old system.  Then I will turn off the old system for good, and set
the IP and hostname of the new system to match the old one.

Easy.  Except everyones ssh connections will complain loudly about potential
MITM attacks, etc. ...

So, am I correct that I can just tar up /etc/ssh on the old system and use it to
overwrite /etc/ssh on the new system, and that's that ?  No warning message
or other problems ?

ALSO, am I correct that if I copy over their home directories that contain their
~/.ssh/authorized_keys that those will continue to work just fine even though
they are on a new server ?

I guess as far as remote users are concerned, it _won't_ be a new system -
since hostname, IP, and host ssh keys will be the same ... but I like to be
careful and that is why I am asking for a sanity check here...

All comments appreciated.  Thanks.

 
---------------------------------
Don't get soaked.  Take a quick peak at the forecast 
 with theYahoo! Search weather shortcut.

On Mon, Feb 05, 2007 at 05:51:38PM -0800, Arone Silimantia
wrote:
> 
> I am going to be replacing system X with system Y (which is much
> faster, newer).
>
> I will load up the new system from scratch, and then just copy over
> the user data from the old system.  Then I will turn off the old
> system for good, and set the IP and hostname of the new system to
> match the old one.
>
> Easy.  Except everyones ssh connections will complain loudly about
> potential MITM attacks, etc. ...
>
> So, am I correct that I can just tar up /etc/ssh on the old system and
> use it to overwrite /etc/ssh on the new system, and that's that ? No
> warning message or other problems ?
Yes.  Actually, the files you need are "/etc/ssh/*_key
/etc/ssh/*_key.pub".
The others may contain settings you want to move, but don't effect the
machine's ssh identity.
> ALSO, am I correct that if I copy over their home directories that
> contain their ~/.ssh/authorized_keys that those will continue to work
> just fine even though they are on a new server ?
Yes, they contain no knowledge of the server they are on.

-- Brooks
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 187 bytes
Desc: not available
Url :
http://lists.freebsd.org/pipermail/freebsd-security/attachments/20070206/9396a2ec/attachment.pgp