Going to be moving a server to new hardware in a new datacenter soon, and of course this means a new IP.
What is the correct process (if at all) to move the SSH keys from the original server to the new one so that connecting clients don't get any warnings or have to accept anything again?
Is it even possible, considering the IP is changing?
What files do I have to move? I'm assuming all of the ssh_host_* files.
Moving from RHEL 5 to Ubuntu 10.04.
You can move the keys from your current server to the new server without much hassle. You just need to make sure they go into the same location and have the same permissions.
Ideally though, you should take the opportunity to create new keys and update the client keys in the interest of security.
1) If your sshd config files are stored under /etc/ssh/, you'll need to copy all of those. You'll find the sshd config there, as well as the host key pair.
Make sure you correctly copy the permissions too! The sshd will simply ignore keys that are not properly protected. (Good as well, as an unprotected private key is a very bad idea.)
2) If you have already added public keys of remote hosts that are trusted and don't require a password to log in anymore, you'll also have to copy that info in order for the auto-login to work again now. This info is stored normally in /home/-account-/.ssh/ (under authorized_keys). Again, don't forget the permissions here.
Regarding the IP address change, assuming the remote clients actually see a change in IP (you're not behind some reverse proxy or anything), then no, they will require the user to accept the certificate again (since in the known_hosts file of the remote client, the server's IP and the server's certificate were stored together). Worse, if you assign that IP address to another ssh server, they might even be warned of a man-in-the-middle attack.
So just using the same (external) IP address on the new server makes sense.
You didn't mention your OS. I can tell you for certain that a RHEL host has the server keys stored in /etc/ssh. Just copy that directory over in its entirety. You'll then need to bounce sshd/restart the box.
I believe that as long as you are connecting via the same DNS name, you shouldn't get warnings. Even with the new IP.
--Christopher Karel
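As an added example, not part of either answer above, the following POSIX shell script shows the migration the first answer describes (copying ssh_host_* and sshd_config with their permission bits intact, then verifying the copy) and the known_hosts behaviour both answers touch on: one plain known_hosts line lists a host name and an IP against a single key, so a lookup by the same DNS name finds the key while a lookup by the new IP finds nothing. Host names, addresses, key bytes and directory names are constructed stand-ins; the archive path passed to pack_host_keys is assumed to be absolute.

```shell
#!/bin/sh
# Added example, not code from the original question or answers.
# (1) pack/unpack /etc/ssh host keys preserving mode bits and verify the copy;
# (2) look up which key a plain (unhashed) known_hosts entry records for a name.
# All files below are constructed in a temp dir; key material is fake.
set -eu

# pack_host_keys SRC_DIR ARCHIVE: archive the host key pairs and sshd_config
# from SRC_DIR with mode bits preserved (-p). sshd refuses a private key that
# is readable by anyone but its owner, so the 0600 mode must survive the move.
# ARCHIVE must be an absolute path because the archive is written after cd.
pack_host_keys() {
    ( cd "$1" && tar -cpf "$2" ssh_host_* sshd_config )
}

# unpack_host_keys DST_DIR ARCHIVE: restore into DST_DIR, keeping modes (-p).
# Run as root on the real target so ownership (root:root) is restored too.
unpack_host_keys() {
    mkdir -p "$1"
    ( cd "$1" && tar -xpf "$2" )
}

# verify_host_keys SRC_DIR DST_DIR: succeed only if every ssh_host_* file in
# SRC_DIR exists in DST_DIR with identical bytes and an identical mode string.
verify_host_keys() {
    for f in "$1"/ssh_host_*; do
        name=${f##*/}
        [ -f "$2/$name" ] || { echo "missing: $name" >&2; return 1; }
        cmp -s "$f" "$2/$name" || { echo "content differs: $name" >&2; return 1; }
        m1=$(ls -l "$f" | cut -c1-10)
        m2=$(ls -l "$2/$name" | cut -c1-10)
        [ "$m1" = "$m2" ] || { echo "mode differs: $name ($m1 vs $m2)" >&2; return 1; }
    done
    return 0
}

# known_hosts_key FILE NAME: print "keytype base64" recorded for NAME in a
# plain known_hosts FILE. Field 1 is a comma-separated list of names and
# addresses that all map to the same host key; prints nothing if NAME is absent.
known_hosts_key() {
    awk -v want="$2" '
        /^#/ || NF < 3 { next }
        { n = split($1, names, ",")
          for (i = 1; i <= n; i++) if (names[i] == want) { print $2, $3; exit } }
    ' "$1"
}

# Stand-alone demonstration on constructed files.
demo() {
    tmp=$(mktemp -d); old="$tmp/old_etc_ssh"; new="$tmp/new_etc_ssh"
    mkdir -p "$old"
    # Constructed stand-ins for the real files (not valid key material).
    printf 'PRIVATE-KEY-BYTES\n' > "$old/ssh_host_rsa_key"
    printf 'ssh-rsa AAAAB3NzaC1yc2EFAKE root@old\n' > "$old/ssh_host_rsa_key.pub"
    printf 'Port 22\n' > "$old/sshd_config"
    chmod 600 "$old/ssh_host_rsa_key"; chmod 644 "$old/ssh_host_rsa_key.pub"

    pack_host_keys "$old" "$tmp/hostkeys.tar"
    unpack_host_keys "$new" "$tmp/hostkeys.tar"
    verify_host_keys "$old" "$new"
    echo "host keys migrated with modes intact"

    # Constructed client-side known_hosts: the DNS name and the old IP share
    # one key. A lookup by the new IP finds nothing, so the client prompts.
    kh="$tmp/known_hosts"
    printf 'server.example.com,192.0.2.10 ssh-rsa AAAAB3NzaC1yc2EFAKE\n' > "$kh"
    echo "by name:   $(known_hosts_key "$kh" server.example.com)"
    echo "by old IP: $(known_hosts_key "$kh" 192.0.2.10)"
    echo "by new IP: '$(known_hosts_key "$kh" 198.51.100.7)'"
    rm -rf "$tmp"
}

demo
```

On a real move, run pack_host_keys on the old box, scp the archive across, and unpack as root on the new one so both mode and ownership come back; then compare fingerprints with `ssh-keygen -l -f /etc/ssh/ssh_host_rsa_key.pub` on both hosts before restarting sshd. The known_hosts lookup shows why the two answers agree: a client that connects by the same DNS name finds its existing entry and, if the key is unchanged, stays silent, while a client that connects by the new IP has no entry and is asked to accept the key; if that new IP were already listed against some other key, the client would raise the mismatch warning instead.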