bogdan / SSH-Infrastructure
SSH-Infrastructure / docs / KEY_MIGRATION.md
bogdan Add automated SSH key migration tooling
99edaff 2 weeks ago History
1 contributor
126 lines | 3.207kb

SSH Key Migration: Legacy to Modern

Overview

This document describes the process for migrating hosts from legacy SSH keys (id_rsa_old) to modern keys (id_ed25519).

Rationale

  • Legacy key (id_rsa_old from 2015): RSA 2048-bit, older algorithm support
  • Modern key (id_ed25519): EdDSA 256-bit, better security, smaller key size, faster

Automatic Migration

Migrate all legacy hosts

tools/migrate-modern-key.sh

This will: 1. Check all hosts in inventory/hosts-local.yaml legacy_infrastructure group 2. Test if modern key already works 3. Use legacy key to install modern key if needed 4. Verify modern key works after installation

Migrate specific host

tools/migrate-modern-key.sh is-baobab

Manual Migration (if script fails)

For a specific host, e.g., is-nasturel:

1. Interactive password auth

If password is available:

ssh -o PubkeyAuthentication=no sshd@192.168.2.144 \
  "mkdir -p ~/.ssh && \
   echo '$(cat ~/.ssh/id_ed25519.pub)' >> ~/.ssh/authorized_keys && \
   chmod 600 ~/.ssh/authorized_keys"

2. Through jump host (is-jumper)

If accessible through is-jumper:

ssh is-jumper \
  "ssh -o StrictHostKeyChecking=accept-new sshd@192.168.2.144 \
    'mkdir -p ~/.ssh && echo \$(cat ~/.ssh/id_ed25519.pub) >> ~/.ssh/authorized_keys'"

3. Physical/console access

If all else fails, use console/IPMI access to manually: - Edit /home/sshd/.ssh/authorized_keys - Add modern key: ssh-ed25519 AAAAC3NzaC1lZDI1NTE5...

Adding New Hosts

When adding new legacy hosts to the inventory:

  1. In inventory/hosts-local.yaml: add host to legacy_infrastructure group
  2. Run deployment: tools/deploy-local.sh
  3. Run migration: tools/migrate-modern-key.sh <new-host>
  4. Commit: git add . && git commit -m "Add/migrate <host>"

Status Tracking

Check which hosts have been migrated:

# Modern key working
for h in $(grep -oE "is-[a-z0-9-]+" inventory/hosts-local.yaml | sort -u); do
  timeout 1 ssh -o BatchMode=yes "$h" true 2>/dev/null && echo "$h: ✓" || echo "$h: ⚠"
done

Key Files

  • Modern (preferred): ~/.ssh/id_ed25519
  • Legacy (deprecated): ~/.ssh/keys/id_rsa_old

Both should be kept until all hosts are migrated.

Removing Legacy Key

Once all hosts migrated and verified:

# Backup first
cp ~/.ssh/keys/id_rsa_old ~/.ssh/keys/id_rsa_old.backup

# Remove from SSH config (if any explicit config)
grep -r "id_rsa_old" . && echo "Still in use" || echo "Safe to remove"

# Safe to delete after backup
rm ~/.ssh/keys/id_rsa_old

Troubleshooting

"Permission denied (publickey)" with modern key

→ Host still using legacy auth only. Use tools/migrate-modern-key.sh <host>

Legacy key also fails to connect

→ Host might be offline or firewall blocked. Check connectivity first:

ping 192.168.2.91  # Replace with host IP

SSH hangs or times out

→ Reduce timeout, check firewall rules. Use -o ConnectTimeout=2 flag.

References

Gitprep Version v2.6.2 build on Mojolicious
DBViewer