A certain customer of mine is (rightly or wrongly) pedantic about security warnings. Recently, we did a hardware replacement of a JUNOS device (an SRX240 firewall). While the config was a drop-in replacement, users who tried to SSH to the host post-migration would normally see an SSH “host key has changed” warning. In this environment, we wanted to eliminate this friction (and stop training our users to ignore security warnings), so we copied the following from the old device:

  • /etc/ssh/ssh_host_dsa_key
  • /etc/ssh/ssh_host_dsa_key.pub
  • /etc/ssh/ssh_host_rsa_key
  • /etc/ssh/ssh_host_rsa_key.pub

And overwrote the corresponding files in /etc/ssh/ on the new device. Surprisingly, no restart of the SSH service was required to effect this. But, of course, it had to be done as root.
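
A check that the copied public keys are the ones clients already trust, as an added example that is not part of the original post: it computes the SHA256 fingerprint of each `.pub` file's contents, in the form current OpenSSH clients display, and compares old against new. The key data below is constructed filler, not real host keys, and the function names are hypothetical.

```python
import base64
import hashlib
import struct

def fingerprint(pub_line):
    """SHA256 fingerprint of one OpenSSH public key line ("type base64 [comment]")."""
    fields = pub_line.split()
    if len(fields) < 2:
        raise ValueError("not an OpenSSH public key line")
    key_type, blob = fields[0], base64.b64decode(fields[1], validate=True)
    # The blob starts with a length-prefixed copy of the key type; a mismatch
    # means the file is truncated or was edited by hand.
    if len(blob) < 4:
        raise ValueError("key blob too short")
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n] != key_type.encode():
        raise ValueError("key type does not match key blob")
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def compare_host_keys(old, new):
    """Map each .pub filename from the old device to match / changed / missing."""
    result = {}
    for name, line in old.items():
        if name not in new:
            result[name] = "missing"
        elif fingerprint(line) == fingerprint(new[name]):
            result[name] = "match"
        else:
            result[name] = "changed"
    return result

def _sample_pub(key_type, filler, comment=""):
    """Constructed stand-in for a .pub file: correct framing, filler key data."""
    def field(b):
        return struct.pack(">I", len(b)) + b
    blob = field(key_type.encode()) + field(filler)
    return f"{key_type} {base64.b64encode(blob).decode()} {comment}".strip()

OLD = {"ssh_host_rsa_key.pub": _sample_pub("ssh-rsa", b"\x01" * 32, "root@old"),
       "ssh_host_dsa_key.pub": _sample_pub("ssh-dss", b"\x02" * 32, "root@old")}
# New device: same RSA key (only the comment differs), DSA key not yet overwritten.
NEW = {"ssh_host_rsa_key.pub": _sample_pub("ssh-rsa", b"\x01" * 32, "root@new"),
       "ssh_host_dsa_key.pub": _sample_pub("ssh-dss", b"\x03" * 32, "root@new")}

if __name__ == "__main__":
    for name, status in compare_host_keys(OLD, NEW).items():
        print(f"{name}: {status}")
```

Only the key type and base64 blob feed the fingerprint, so a differing trailing comment does not cause a mismatch; a "changed" result means clients will still get the host key warning for that key type.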
