# SSH Key Migration: Legacy to Modern

## Overview

This document describes the process for migrating hosts from legacy SSH keys (`id_rsa_old`) to modern keys (`id_ed25519`).

## Rationale

- **Legacy key** (`id_rsa_old` from 2015): RSA 2048-bit, older algorithm support
- **Modern key** (`id_ed25519`): EdDSA 256-bit, better security, smaller key size, faster

## Automatic Migration

### Migrate all legacy hosts

```bash
tools/migrate-modern-key.sh
```

This will:
1. Check all hosts in `inventory/hosts-local.yaml` legacy_infrastructure group
2. Test if modern key already works
3. Use legacy key to install modern key if needed
4. Verify modern key works after installation

### Migrate specific host

```bash
tools/migrate-modern-key.sh is-baobab
```

## Manual Migration (if script fails)

For a specific host, e.g., `is-nasturel`:

### 1. Interactive password auth

If password is available:

```bash
ssh -o PubkeyAuthentication=no sshd@192.168.2.144 \
  "mkdir -p ~/.ssh && \
   echo '$(cat ~/.ssh/id_ed25519.pub)' >> ~/.ssh/authorized_keys && \
   chmod 600 ~/.ssh/authorized_keys"
```

### 2. Through jump host (is-jumper)

If accessible through is-jumper:

```bash
ssh is-jumper \
  "ssh -o StrictHostKeyChecking=accept-new sshd@192.168.2.144 \
    'mkdir -p ~/.ssh && echo \$(cat ~/.ssh/id_ed25519.pub) >> ~/.ssh/authorized_keys'"
```

### 3. Physical/console access

If all else fails, use console/IPMI access to manually:
- Edit `/home/sshd/.ssh/authorized_keys`
- Add modern key: `ssh-ed25519 AAAAC3NzaC1lZDI1NTE5...`

## Adding New Hosts

When adding new legacy hosts to the inventory:

1. **In `inventory/hosts-local.yaml`**: add host to `legacy_infrastructure` group
2. **Run deployment**: `tools/deploy-local.sh`
3. **Run migration**: `tools/migrate-modern-key.sh <new-host>`
4. **Commit**: `git add . && git commit -m "Add/migrate <host>"`

## Status Tracking

Check which hosts have been migrated:

```bash
# Modern key working
for h in $(grep -oE "is-[a-z0-9-]+" inventory/hosts-local.yaml | sort -u); do
  timeout 1 ssh -o BatchMode=yes "$h" true 2>/dev/null && echo "$h: ✓" || echo "$h: ⚠"
done
```

## Key Files

- **Modern (preferred)**: `~/.ssh/id_ed25519`
- **Legacy (deprecated)**: `~/.ssh/keys/id_rsa_old`

Both should be kept until all hosts are migrated.

## Removing Legacy Key

Once all hosts migrated and verified:

```bash
# Backup first
cp ~/.ssh/keys/id_rsa_old ~/.ssh/keys/id_rsa_old.backup

# Remove from SSH config (if any explicit config)
grep -r "id_rsa_old" . && echo "Still in use" || echo "Safe to remove"

# Safe to delete after backup
rm ~/.ssh/keys/id_rsa_old
```

## Troubleshooting

### "Permission denied (publickey)" with modern key

→ Host still using legacy auth only. Use `tools/migrate-modern-key.sh <host>`

### Legacy key also fails to connect

→ Host might be offline or firewall blocked. Check connectivity first:

```bash
ping 192.168.2.91  # Replace with host IP
```

### SSH hangs or times out

→ Reduce timeout, check firewall rules. Use `-o ConnectTimeout=2` flag.

## References

- [Ed25519 SSH keys - OpenSSH](https://man.openbsd.org/ssh-keygen)
- [Why Ed25519 is superior to RSA](https://ianix.com/pub/ed25519-deployment.html)