Levelling up your geek-fu
junos ssh note

Copying SSH host private keys between JUNOS devices to when replacing hardware

by funkypenguin 1 min read

A certain customer of mine is (rightly or wrongly) pedantic about security warnings. Recently, we did a hardware replacement of a JUNOS device (an SRX240 firewall). While the config was a drop-in replacement, users who tried to SSH to the host post-migration would normally see an SSH โ€œhost key has changedโ€ warning. In this environment, we wanted to eliminate this friction (and stop training our users to ignore security warnings), so we copied the following from the old device:

  • /etc/ssh/ssh_host_dsa_key
  • /etc/ssh/ssh_host_dsa_key.pub
  • /etc/ssh/ssh_host_rsa_key
  • /etc/ssh/ssh_host_rsa_key.pub

And overwrote the corresponding files in /etc/ssh/ on the new device. Surprisingly, no restart of the SSH service was required to effect this. But, of course, it had to be done as root.

The link has been copied!
Youโ€™ve successfully subscribed to ๐Ÿง‘โ€๐Ÿ’ป Funky Penguin
Welcome back! Youโ€™ve successfully signed in.
Great! Youโ€™ve successfully signed up.
Your link has expired
Success! Check your email for magic link to sign-in.