
[Savannah-hackers-public] SSH host keys for the new machine?


From: Bob Proulx
Subject: [Savannah-hackers-public] SSH host keys for the new machine?
Date: Sun, 30 Oct 2016 18:36:18 -0600
User-agent: NeoMutt/20161014 (1.7.1)

Savannah Hackers,

The two systems vcs and download are routinely accessed by Savannah
users over ssh.  We are getting close to being able to switch over to
the new vcs0 and download0 machines.  Which brings this question of
plan.

Option 1: Do we use the previous 1024 bit SSH rsa host keys on the new
system?  If we do then users will not see any host fingerprint changes
and can transparently keep using, for example, git.sv.gnu.org and
never notice the difference.

Option 2: Do we use the new 2048 bit SSH rsa host keys freshly
generated on the new vcs0 and download0 servers?  If we do then every
ssh user will get the host changed warning message and need to update
their known_hosts file for this change.

Option 3: Do we use the old keys now through the transition but switch
to the new host keys soon after completing the migration?  Soon being
1-2 weeks.  This would keep the immediate disruption minimized.  It
would allow us to back out of the switch, briefly return to the
previous hosts if problems were found, without thrashing users.

I have a mixed reaction.  Part of me wants to jump immediately to the
longer key.  The older keys definitely need to be migrated away.  This
would advertise very loudly to all users that things have changed.  We
have put in a lot of effort and it will be nice to sing a little about
it.

But from a risk mitigation point I want to use the old keys just long
enough for us to switch to the new just in case we need to switch back
for a bit.  That would actually allow us to ping-pong if needed
without user thrash.  Then switch the host keys after we know we are
successfully there.

Therefore I think we should execute option #3 above.  Assaf, Karl,
what do you guys think?  Comments?

Bob
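The "host changed" warning the message talks about is the client's comparison of the key the server presents against its known_hosts entries. The following is an added example, not code from the thread or from Savannah: it builds two constructed ssh-rsa host key blobs (a 1024-bit and a 2048-bit modulus, not the real keys), computes their OpenSSH-style fingerprints, and models the client's decision for each option, including a known_hosts that already carries both keys. It assumes plain (unhashed) known_hosts lines and ignores @revoked/@cert-authority markers and port syntax.

```python
import base64
import hashlib
import struct

def ssh_string(data: bytes) -> bytes:
    # SSH wire "string": 4-byte big-endian length, then the bytes
    return struct.pack(">I", len(data)) + data
def ssh_mpint(value: int) -> bytes:
    # SSH "mpint" for a positive integer; leading zero byte if the top bit is set
    return ssh_string(value.to_bytes((value.bit_length() + 8) // 8, "big"))
def rsa_host_key_blob(e: int, n: int) -> bytes:
    # public key blob as stored (base64) in known_hosts: "ssh-rsa", mpint e, mpint n
    return ssh_string(b"ssh-rsa") + ssh_mpint(e) + ssh_mpint(n)

def fingerprint(blob: bytes) -> str:
    # OpenSSH-style fingerprint: base64(SHA256(blob)) with the "=" padding stripped
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")

def parse_known_hosts(text: str) -> dict:
    # host name -> list of (keytype, raw blob); comments and short lines are skipped
    entries = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0].startswith("#"): continue
        for host in fields[0].split(","):
            entries.setdefault(host, []).append((fields[1], base64.b64decode(fields[2])))
    return entries

def check_host_key(entries: dict, host: str, keytype: str, blob: bytes) -> str:
    # client's decision: "match" is silent, "changed" is the REMOTE HOST
    # IDENTIFICATION HAS CHANGED warning, "unknown" is the first-connection prompt
    same_type = [b for t, b in entries.get(host, []) if t == keytype]
    if not same_type: return "unknown"
    return "match" if blob in same_type else "changed"

# Constructed stand-in keys, NOT Savannah's real ones: a 1024-bit and a 2048-bit modulus
OLD_BLOB = rsa_host_key_blob(65537, (1 << 1023) | 12345)
NEW_BLOB = rsa_host_key_blob(65537, (1 << 2047) | 67891)
HOST = "git.sv.gnu.org"

def transition_outcomes() -> dict:
    # what a user sees when the server presents NEW_BLOB, for each known_hosts state
    old_line = f"{HOST} ssh-rsa {base64.b64encode(OLD_BLOB).decode()}"
    new_line = f"{HOST} ssh-rsa {base64.b64encode(NEW_BLOB).decode()}"
    stale = parse_known_hosts(old_line)
    prepared = parse_known_hosts(old_line + "\n" + new_line)
    return {
        "old_key_kept": check_host_key(stale, HOST, "ssh-rsa", OLD_BLOB),
        "new_key_stale_known_hosts": check_host_key(stale, HOST, "ssh-rsa", NEW_BLOB),
        "new_key_both_entries": check_host_key(prepared, HOST, "ssh-rsa", NEW_BLOB),
    }
```

The third case is why publishing the new fingerprint ahead of the switch matters: a user who adds the new key alongside the old one sees no warning whichever key the server presents during the transition.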