5

I'm changing between computers.

On an old one I have SSH keys (to remote servers, AWS, etc...)

Is it considered to be a good practice just to copy the .ssh folder to a new computer ?

If not, what is a proper way to handle it ?

3 Answers

4

Yes, if you change the machine from which you access your servers, you can just copy the ~/.ssh directory from the old machine to the new one. It is unnecessary (and cumbersome) to generate a new key pair for every server. You just need the private keys on your new machine.

Remember that ~/.ssh contains sensitive data (private keys), so transfer it via a secure medium (SCP or a USB drive, for instance; not via e-mail!). Also, be sure to dispose of the private keys stored on the old machine.

2
  • 1
    The public key has information about the machine name at the end (username@machine_name); does it have any influence if the machine name will be different? Commented Mar 14, 2023 at 15:31
  • 1
    Not really, that's for information only. Commented Mar 14, 2023 at 15:34
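Added example (not code from the question or any of the answers): a small POSIX sh script for the copy route this answer describes. It copies a staged ~/.ssh tree into place with cp -a, forces the modes ssh requires (a FAT-formatted USB stick drops them entirely), verifies them, and scrubs the private halves on the old side. All paths are parameters; the fixture files it creates for the demo are constructed placeholders, not real keys, and the id_* naming convention is an assumption.

```shell
#!/bin/sh
# Added example, not code from the question or the answers: the copy route
# from the answer above with the two things that usually go wrong handled.
# A USB stick formatted as FAT drops Unix modes entirely; ssh ignores a
# private key whose mode is too open and refuses to run at all if
# ~/.ssh/config is writable by others. Paths are parameters; nothing here
# touches the network.

set -eu

# migrate_ssh_dir SRC DEST
# Copy the contents of SRC (e.g. /mnt/myusb/.ssh) into DEST (e.g. ~/.ssh),
# then set the modes ssh insists on, whatever the medium preserved.
migrate_ssh_dir() {
    src=$1; dest=$2
    mkdir -p "$dest"
    # -a keeps modes and timestamps where the source had them;
    # "SRC/." copies the directory's contents, not the directory itself
    cp -a "$src/." "$dest/"
    chmod 700 "$dest"
    for f in "$dest"/id_*; do
        [ -e "$f" ] || continue
        case $f in
            *.pub) chmod 644 "$f" ;;   # public half may be world-readable
            *)     chmod 600 "$f" ;;   # private half: owner only
        esac
    done
    for f in config known_hosts authorized_keys; do
        if [ -e "$dest/$f" ]; then chmod 600 "$dest/$f"; fi
    done
}

# check_ssh_perms DIR
# Print each entry whose mode is wider than ssh tolerates; return 0 when the
# directory is clean, 1 otherwise. Reads ls(1) output, so it is portable.
check_ssh_perms() {
    dir=$1; bad=0
    case $(ls -ld "$dir" | cut -c1-10) in
        d???------) ;;
        *) echo "$dir: directory is group/world accessible"; bad=1 ;;
    esac
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        mode=$(ls -l "$f" | cut -c1-10)
        case $f in
            *.pub) ;;                               # public keys: any mode is fine
            */id_*) case $mode in                   # private keys: owner only
                        -r??------) ;;
                        *) echo "$f: mode $mode, expected -rw-------"; bad=1 ;;
                    esac ;;
            *)      case $mode in                   # config etc.: not writable by others
                        ?????-??-?) ;;
                        *) echo "$f: mode $mode is group/world writable"; bad=1 ;;
                    esac ;;
        esac
    done
    return $bad
}

# scrub_private_keys DIR
# For the old machine once the new one is confirmed working: overwrite and
# unlink the private halves. shred(1) is GNU-specific and gives no guarantee
# on SSDs or journaling filesystems, but it is better than rm alone.
scrub_private_keys() {
    for f in "$1"/id_*; do
        [ -f "$f" ] || continue
        case $f in *.pub) continue ;; esac
        if command -v shred >/dev/null 2>&1; then shred -u "$f"; else rm -f "$f"; fi
    done
}

# make_constructed_ssh_dir DIR
# Constructed fixture (placeholders, not real keys) that mimics a copy taken
# via a FAT-formatted stick: wrong modes on everything.
make_constructed_ssh_dir() {
    mkdir -p "$1"
    printf 'constructed placeholder, not a real private key\n' > "$1/id_ed25519"
    printf 'ssh-ed25519 AAAAconstructed user@oldbox\n' > "$1/id_ed25519.pub"
    printf 'Host bastion\n' > "$1/config"
    chmod 755 "$1"; chmod 644 "$1/id_ed25519"; chmod 666 "$1/config"
}

# Stand-alone demo on the constructed fixture: "sh migrate_ssh.sh demo"
if [ "${1:-}" = demo ]; then
    t=$(mktemp -d)
    make_constructed_ssh_dir "$t/usb"
    check_ssh_perms "$t/usb" || echo "(as expected, the raw copy is not usable as-is)"
    migrate_ssh_dir "$t/usb" "$t/new_home/.ssh"
    check_ssh_perms "$t/new_home/.ssh" && echo "new ~/.ssh is clean"
    scrub_private_keys "$t/usb"
fi
```

The check deliberately inspects the mode string rather than calling ssh, so it can be run against the copy on the stick before anything is put in place, and again on the old machine after scrubbing to confirm only the public halves remain.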
0

No - it's not considered best practice to copy your ~/.ssh folder to a new computer. Instead, on your new computer, create your ~/.ssh folder from scratch using:

$ ssh-keygen 

followed up by:

$ ssh-copy-id username@remote_host 

to copy your public key to each of your ssh server hosts.

There's a good tutorial covering some rare contingencies here. Once you're ready to permanently sideline your old computer, be sure to remove the contents of its ~/.ssh folder.


If you prefer to copy your entire ~/.ssh folder from your old machine to your new one, you can do this in some situations. Simply copy the entire ~/.ssh folder on your old machine to a USB drive. Once that's been done move the USB drive to the new machine, mount it, and copy its contents to the ~/.ssh folder on the new computer using the cp -a command to preserve proper permissions; something like this:

$ cp -a /mnt/myusb/.ssh/. ~/.ssh/ 
6
  • Why is it not a best practice? In case of using ssh-copy-id, I will need to do it for each of the servers separately. Also, there are various services like GitHub, etc. In case of using ssh-copy-id, I'm afraid that I may forget about some of the remote servers, and then I may lose access to them. Commented Mar 14, 2023 at 15:38
  • 2
    In case the system has multiple SSH keys, the full command is ssh-copy-id -i <keyfile> user@host Commented Mar 14, 2023 at 15:38
  • 1
    @MichaelD: I think it's the risk of getting something wrong. However, if you prefer to copy the entire folder, you can do this under some situations as long as you take the precaution of copying with the same permissions - please see my edit. Commented Mar 14, 2023 at 16:44
  • 1
    @MichaelD It is a bad practice, because if you do it, you now have two client machines which can go to the server as the same user. Since you can (physically can) copy data from the old machine, that old machine is still in working order. If, for any reason, you now fail to clean it up, the next user of that old machine can become "you". Commented Mar 14, 2023 at 17:32
  • 2
    @MichaelD Probably there are. But the user "duplication" I met myself. The company's machine died, the user got a new one, and later the dead computer was revived and an intern got it. The intern was very surprised that he could go to the server without a password, but stayed silent. Months later it was a real pain to untangle who did what... So if you format the old HDD you probably avoid that pitfall, but that would depend on how effective the format is, and sometimes some data can be retrieved even from formatted disks... Commented Mar 14, 2023 at 18:31
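Added example (not code from the question or any of the answers): the ssh-keygen / ssh-copy-id route only works if you remember every host, which is exactly the worry raised in the comments. This POSIX sh script builds that checklist from the old machine's ~/.ssh/config (Host and HostName lines) and known_hosts (including the [host]:port and @marker line shapes), reports how many hashed known_hosts entries it cannot recover, and prints, without running, one ssh-copy-id -i command per host for review. The config and known_hosts it writes for the demo are constructed; the default paths under ~/.ssh are an assumption.

```shell
#!/bin/sh
# Added example, not code from the question or the answers: before taking the
# ssh-keygen / ssh-copy-id route, build a checklist of every host the old
# machine knows about, so none is forgotten once the old key is gone.
# Sources: "Host"/"HostName" lines in the client config and the host field of
# known_hosts. File paths are parameters (defaults assume ~/.ssh).

set -eu

# list_ssh_hosts [CONFIG] [KNOWN_HOSTS]
# Print one host per line, sorted and de-duplicated.
list_ssh_hosts() {
    cfg=${1:-$HOME/.ssh/config}; kh=${2:-$HOME/.ssh/known_hosts}
    {
        # "Host a b" may carry several aliases; patterns (*, ?, !) are not hosts.
        # "HostName" gives the real name behind an alias.
        if [ -f "$cfg" ]; then
            awk 'tolower($1) == "host"     { for (i = 2; i <= NF; i++) if ($i !~ /[*?!]/) print $i }
                 tolower($1) == "hostname" { print $2 }' "$cfg"
        fi
        # known_hosts lines: [@marker] host1,host2,[host3]:port keytype key ...
        # Hashed entries (|1|salt|hash) cannot be reversed and are skipped.
        if [ -f "$kh" ]; then
            awk '/^[[:space:]]*#/ || NF == 0 { next }
                 {
                     f = ($1 ~ /^@/) ? $2 : $1
                     if (substr(f, 1, 3) == "|1|") next
                     n = split(f, parts, ",")
                     for (i = 1; i <= n; i++) {
                         h = parts[i]
                         sub(/^\[/, "", h); sub(/\]:[0-9]+$/, "", h)
                         if (h !~ /[*?]/) print h
                     }
                 }' "$kh"
        fi
    } | LC_ALL=C sort -u
}

# count_hashed_hosts [KNOWN_HOSTS]
# Hashed entries cannot be listed; report how many the checklist is missing.
count_hashed_hosts() {
    kh=${1:-$HOME/.ssh/known_hosts}
    if [ -f "$kh" ]; then grep -c '^|1|' "$kh" || true; else echo 0; fi
}

# plan_copy_id NEWPUBKEY [CONFIG] [KNOWN_HOSTS]
# Print (do not run) one ssh-copy-id command per known host, for review.
plan_copy_id() {
    key=$1; shift
    list_ssh_hosts "$@" | while IFS= read -r h; do
        printf 'ssh-copy-id -i %s %s\n' "$key" "$h"
    done
}

# make_constructed_inputs DIR
# Constructed config and known_hosts (fake keys) covering the line shapes the
# parser has to handle; used by the demo below.
make_constructed_inputs() {
    mkdir -p "$1"
    printf 'Host bastion\n    HostName bastion.example.net\nHost web*\nHost db1 db2\n' > "$1/config"
    {
        printf '# constructed known_hosts, not real keys\n'
        printf 'bastion.example.net,10.0.0.5 ssh-ed25519 AAAAC3constructed\n'
        printf '[git.example.org]:2222 ssh-rsa AAAAB3constructed\n'
        printf '|1|c2FsdA==|aGFzaA== ssh-ed25519 AAAAconstructed\n'
        printf '@revoked old.example.net ssh-rsa AAAAconstructed\n'
        printf '@cert-authority *.example.com ssh-ed25519 AAAAconstructed\n'
    } > "$1/known_hosts"
}

# Stand-alone demo on the constructed inputs: "sh ssh_hosts.sh demo"
if [ "${1:-}" = demo ]; then
    t=$(mktemp -d); make_constructed_inputs "$t"
    plan_copy_id ~/.ssh/id_ed25519_new.pub "$t/config" "$t/known_hosts"
    echo "hashed known_hosts entries not listed: $(count_hashed_hosts "$t/known_hosts")"
fi
```

If HashKnownHosts is on, most of known_hosts will be hashed and the count is the signal that the list is incomplete; in that case ~/.ssh/config, shell history and the services' own key pages (GitHub and the like, which are never in known_hosts as a login target) are what to cross-check.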
0

I strongly disagree with the answer by Seamus. Yes, it is good practice to replace your keys at appropriate intervals. Tying that to when you replace your hardware is usually not a good idea. You have enough things to worry about without losing all your remote access. It also won't be possible to use ssh-copy-id from the new computer unless you also allow password-based authentication (which undermines most of the reasons for using key pair auth in the first place).

If you manage the servers for a multi-national bank or launch codes for ICBMs then you do need to think about the risks of your keys being recovered from your discarded hardware even after you securely erased the files. But for the rest of us, shred or secure-delete is sufficient.

1
  • 1
    Assuming that you use a reasonable passphrase for your keys then the presence of those keys on discarded hardware will not help anybody access your systems. NIST does not have any guidelines that suggest regenerating keys on any kind of schedule. Commented Mar 15, 2023 at 0:42
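Added example (not code from the question or any of the answers): the comment's argument rests on the keys on the discarded disk actually having a passphrase, and that is something you can verify from the file headers alone. This POSIX sh script reads the cipher name recorded in the OpenSSH private-key format ("none" means no passphrase), the Proc-Type header of legacy PEM keys and the PKCS#8 ENCRYPTED label, and counts how many keys under a directory are unprotected. Nothing is decrypted and no key material is printed. The key files it writes for the demo are constructed headers with filler bodies, not usable keys; the id_* naming convention is an assumption.

```shell
#!/bin/sh
# Added example, not code from the question or the answers: check that the
# private keys left on the old disk really are passphrase-protected, which is
# the assumption the comment above relies on. Only file headers are read; no
# key is decrypted and no key material is printed. File names are parameters.

set -eu

# key_cipher FILE
# Print the cipher recorded in an OpenSSH-format private key: "none" for a
# key without a passphrase, e.g. "aes256-ctr" for one with. The base64 body
# decodes to "openssh-key-v1\0", then uint32 length + ciphername, then
# uint32 length + kdfname; splitting on bytes that cannot occur in a name
# makes the cipher the second token.
key_cipher() {
    sed -n '/^-----BEGIN OPENSSH PRIVATE KEY-----$/,/^-----END OPENSSH PRIVATE KEY-----$/p' "$1" \
        | sed '1d;$d' | tr -d '\n' | base64 -d 2>/dev/null \
        | LC_ALL=C tr -cs 'a-z0-9@.-' '\n' | sed -n '2p'
}

# key_protection FILE
# Print "encrypted", "plaintext" or "unknown"; return 0, 1 or 2 accordingly.
# Handles the OpenSSH format, legacy PEM (RSA/EC/DSA PRIVATE KEY) and PKCS#8.
key_protection() {
    f=$1
    if grep -q '^-----BEGIN OPENSSH PRIVATE KEY-----' "$f"; then
        case "$(key_cipher "$f")" in
            none) echo plaintext; return 1 ;;
            '')   echo unknown;   return 2 ;;
            *)    echo encrypted; return 0 ;;
        esac
    elif grep -q '^-----BEGIN ENCRYPTED PRIVATE KEY-----' "$f"; then
        echo encrypted; return 0                        # PKCS#8: label says it all
    elif grep -q '^-----BEGIN .*PRIVATE KEY-----' "$f"; then
        if grep -q '^Proc-Type: 4,ENCRYPTED' "$f"; then  # legacy PEM flags it in a header
            echo encrypted; return 0
        fi
        echo plaintext; return 1
    fi
    echo unknown; return 2
}

# audit_keys DIR
# Report every private key (id_* without .pub) under DIR; return the number
# that are not passphrase-protected. The comment's assumption holds only
# when this is 0.
audit_keys() {
    unprotected=0
    for k in "$1"/id_*; do
        [ -f "$k" ] || continue
        case $k in *.pub) continue ;; esac
        status=$(key_protection "$k") || true
        echo "$k: $status"
        [ "$status" = encrypted ] || unprotected=$((unprotected + 1))
    done
    return $unprotected
}

# write_pem LABEL BODY FILE: wrap a base64 body in PEM armour.
write_pem() {
    printf '%s\n' "-----BEGIN $1-----" "$2" "-----END $1-----" > "$3"
}

# make_constructed_keys DIR
# Constructed key files: only the headers are meaningful, the bodies are
# filler, so nothing here is a usable key. Exercises all three formats.
make_constructed_keys() {
    mkdir -p "$1"
    # OpenSSH format, no passphrase: cipher "none", kdf "none"
    write_pem 'OPENSSH PRIVATE KEY' \
        "$(printf 'openssh-key-v1\000\000\000\000\004none\000\000\000\004none' | base64 | tr -d '\n')" \
        "$1/id_ed25519"
    # OpenSSH format with passphrase: cipher "aes256-ctr", kdf "bcrypt"
    write_pem 'OPENSSH PRIVATE KEY' \
        "$(printf 'openssh-key-v1\000\000\000\000\012aes256-ctr\000\000\000\006bcrypt' | base64 | tr -d '\n')" \
        "$1/id_rsa"
    printf 'ssh-rsa AAAAconstructed user@oldbox\n' > "$1/id_rsa.pub"
    # legacy PEM with passphrase
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'Proc-Type: 4,ENCRYPTED' \
        'DEK-Info: AES-128-CBC,00000000000000000000000000000000' '' 'Y29uc3RydWN0ZWQ=' \
        '-----END RSA PRIVATE KEY-----' > "$1/id_legacy"
}

# Stand-alone demo on the constructed keys: "sh audit_keys.sh demo"
if [ "${1:-}" = demo ]; then
    t=$(mktemp -d); make_constructed_keys "$t"
    audit_keys "$t" || echo "$? key(s) without a passphrase: treat the old disk as hostile"
fi
```

Run audit_keys against the old machine's ~/.ssh before deciding whether shred or secure-delete is enough; a "plaintext" result means the key on that disk is usable by whoever recovers it, and that key should be removed from every authorized_keys it appears in rather than merely deleted locally.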
