Migrate Host Keys
Note: This page applies to SFTP Gateway version 2.x. Visit Here for documentation on version 3.x.
Overview
When migrating between VMs, you need to sync the server host keys. Existing SFTP users will have these cached on their local machines, and will get an error if the server host keys are different.
Background
When connecting via SFTP to an OpenSSH server, the SFTP client is presented with the server's host keys. This is how the server proves its identity.
The first time you connect, you are prompted to type yes to cache the server host keys. On subsequent connections, you are not prompted because the server host keys match the entry stored in your cache: ~/.ssh/known_hosts
If the server host keys change, they will no longer match your cached entries. The SFTP client then encounters an error.
Migration
During a migration, you need to remember to sync your server host keys.
Every time a new VM spins up, it dynamically generates its own set of server host keys. These are located here:
/etc/ssh/ssh_host_<algorithm>_key
/etc/ssh/ssh_host_<algorithm>_key.pub
There is a key pair for each supported algorithm (e.g. ecdsa).
You will need to copy each file from the old server to the new.
On the old server, copy the files to the ec2-user's home directory.
sudo su
mkdir /home/ec2-user/server_host_keys/
cd /etc/ssh/
cp -a ssh_host_* /home/ec2-user/server_host_keys/
cd /home/ec2-user/
tar czvpf server_host_keys.tar.gz server_host_keys
From your computer, you can SCP these files down:
scp -i private.key ec2-user@ip-address-old-server:/home/ec2-user/server_host_keys.tar.gz .
From your computer, you can SCP these files up to the new server:
scp -i private.key server_host_keys.tar.gz ec2-user@ip-address-new-server:/home/ec2-user/
On the new server, move the new host keys aside:
sudo su
cd /etc/ssh
mkdir original-host-keys/
mv ssh_host_* original-host-keys/
And then extract the host keys from the old server:
cd /home/ec2-user/
tar xzvpf server_host_keys.tar.gz
cd server_host_keys/
mv ssh_host_* /etc/ssh/
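The following script is an added example for checking the result of the migration steps above; it is not part of the SFTP Gateway documentation. It compares every ssh_host_*_key / .pub pair in the extracted server_host_keys directory with what now sits in /etc/ssh, flags any private key that is world-readable, and, when ssh-keygen is installed, prints the fingerprints that SFTP clients compare against ~/.ssh/known_hosts. The function names and the directory arguments are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the SFTP Gateway docs): verify that the host keys
# copied from the old server are the ones the new server will now present.

# Compare every ssh_host_*_key / .pub pair in SRC against DST.
# Returns 0 when all pairs are present, identical, and no private key is
# world-readable; otherwise prints each problem and returns 1.
verify_host_keys() {
    src="$1"
    dst="$2"
    status=0
    found=0
    for pub in "$src"/ssh_host_*_key.pub; do
        [ -e "$pub" ] || continue      # glob matched nothing
        found=1
        name=$(basename "$pub")
        priv="${name%.pub}"
        for f in "$name" "$priv"; do
            if [ ! -f "$dst/$f" ]; then
                echo "MISSING  $dst/$f"
                status=1
            elif ! cmp -s "$src/$f" "$dst/$f"; then
                echo "MISMATCH $dst/$f differs from $src/$f"
                status=1
            fi
        done
        # A private host key must never be readable by "other".
        if [ -f "$dst/$priv" ] && [ -n "$(find "$dst/$priv" -perm -004)" ]; then
            echo "WORLD-READABLE $dst/$priv"
            status=1
        fi
    done
    if [ "$found" -eq 0 ]; then
        echo "no ssh_host_*_key.pub files found in $src"
        return 1
    fi
    return "$status"
}

# Print the fingerprint of each public host key in DIR when ssh-keygen is
# installed. These are the values an SFTP client checks against
# ~/.ssh/known_hosts, so they must be identical on the old and new server.
print_fingerprints() {
    dir="$1"
    command -v ssh-keygen >/dev/null 2>&1 || { echo "ssh-keygen not available"; return 0; }
    for pub in "$dir"/ssh_host_*_key.pub; do
        [ -e "$pub" ] && ssh-keygen -lf "$pub"
    done
}

# Usage on the new server, after the extraction step above (as root):
#   verify_host_keys /home/ec2-user/server_host_keys /etc/ssh && print_fingerprints /etc/ssh
```

The byte comparison is enough here because cp -a and tar -p preserve the files exactly; the permission check catches the case where the archive was unpacked with a permissive umask. Note that sshd reads its host keys when it starts, so the migrated keys are only presented to clients after sshd has been restarted on the new server.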