This post attempts to describe a practical take on how to simplify the task of keeping old OpenSSH host keys when reinstalling servers running the Debian operating system or any of its derivatives such as e.g. Ubuntu. This might, or might not, be a good idea depending on circumstances. My previous blog post multiple custom commands with Debian Installer is recommended reading.
Before starting the reinstallation, make a backup of the keys using tar:
cd /; umask 077; tar --verbose --create --file ssh_hostkeys.tar etc/ssh/*_key*
The idea here is that the server will have all of its disks wiped and lose each and every file it ever had, so the next step is to copy the file to a secure location on some other suitable machine.
Include preserve-ssh_hostkeys.txt
as quoted below, and make sure gnupg gets
installed (d-i pkgsel/include string gnupg
should do the trick)
d-i partman/numbered_early_command_50 string \ wget https://www.netizen.se/debian/files/preserve_sshd_keys.sh; \ chmod +x preserve_sshd_keys.sh; \ ./preserve_sshd_keys.sh d-i preseed/numbered_late_command_50 string \ N=`debconf-get preserve-sshkeys/port_number`; \ P=`debconf-get preserve-sshkeys/passphrase`; \ [ -z "$N" ] || cat /tmp/ssh_hostkeys.tar.gpg | \ chroot /target/ /bin/sh -c "gpg --decrypt --passphrase '$P' --batch | \ tar xof -"
If everything is setup correctly, a couple of debconf questions should pop up. The first one asking to specify a port number to listen for a file transfer, and the next one asking to specify a passphrase used to encrypt the backup file prior to transfer, as illustrated by the screenshots. It should be pretty self-explanatory. Due to the sensitivity, the process requires this manual interaction at the start of the installation. Once the encrypted tar file has been uploaded, there is nothing preventing the rest of the installation to be fully automated with preseeding.
Please note how the preseed file downloads the shell script
preserve_sshd_keys.sh
from https://www.netizen.se/debian/files/. I have
no plans on adding backdoors, but you should be aware of the trust you put in
me before using it like that.