Copying SSH host private keys between JUNOS devices to when replacing hardware

A certain customer of mine is (rightly or wrongly) pedantic about security warnings. Recently, we did a hardware replacement of a JUNOS device (an SRX240 firewall). While the config was a drop-in replacement, users who tried to SSH to the host post-migration would normally see an SSH “host key has changed” warning. In this environment, we wanted to eliminate this friction (and stop training our users to ignore security warnings), so we copied the following from the old device:

  • /etc/ssh/ssh_host_dsa_key
  • /etc/ssh/
  • /etc/ssh/ssh_host_rsa_key
  • /etc/ssh/

And overwrote the corresponding files in /etc/ssh/ on the new device. Surprisingly, no restart of the SSH service was required to effect this. But, of course, it had to be done as root.