The Host Key rotation is supported since OpenSSH 6.8 (both client and server adds support in this version).
So the process should work like this:
- Generate and add new keys with the option
HostKey newkey
(after the existing ones) to the /etc/ssh/sshd_config
- Restart
sshd
- The clients have to set up
UpdateHostKeys yes
in their configuration (either globally, or per-host)
- The connecting clients will pick up all the new keys
- After some time (months?) you can remove the old keys from the
sshd_config
and restart sshd
- The clients (that connected during the transition period) will already have the new keys (the old will not be removed, which is the only problem here) and they will not show the MitM attack warning.
The new enough-clients will be able to pick up the new keys. This feature is not enabled by default, probably because it is quite new and soon showed some security consideration. But these days, it should be fine to use it.
AFAIK, the scp protocol isn't documented anywhere else than it the source code of scp.c
, so here is an attempt to an outline of how scp
works.
When either the source or the destination is a remote machine, scp
will use ssh
to connect and start a scp
program on it: if the copy direction is from the remote to the local, it will be started as scp -f src
(from / source), otherwise it will be started as scp -t dst
(to / sink), and the local scp
will assume the opposite posture.
After this the two scp processes are running on both ends of the scp connection, using it as their stdin/stdout and passing the file data and metadata over it.
Both ends could use the following responses to acknowledge messages or signal some error condition:
"\0"
: OK
"\1%s\n", err_msg
: non-fatal error
"\2%s\n", err_msg
: fatal error
The transfer starts by the to / sink scp sending a \0
(OK) ack.
Then the from / source scp will use the following messages:
"C%04o %lld %s\n", mode, size, filename
: create a file
this is followed by size
bytes of file data, and an ack (\0
= OK)
"D%04o 0 %.1024s\n", mode, dirname
: start of directory
recursively followed by C
, D
or T
messages, until a
"E\n"
: end of directory
"T%llu 0 %llu 0\n", mtime, atime
: file times
this is sent before the C
or D
messages, if the -p
switch was used.
These messages will have to be ack'ed by the other side before proceding further, including the C
before sending the file data, and the ack sent after it.
In the C
and D
messages above, newlines and other control chars (except \t
and \x7f
) in the file/dir name will be escaped as eg. \^J
, but will not be unescaped at the destination; a literal \^J
or \^M
in the original name will be left as-is.
The difference between fatal and non-fatal errors is not consistent; only \1
(non-fatal) errors will be generated by either side, but some of them will be considered fatal, and scp
will exit upon sending or receiving them, leaving the other side to hold both pieces. Both sides will exit upon a \2
(fatal) error or anything unexpected.
Unlike in http, there are no provisions for sending the file data by chunks; if the source scp
is no longer able to read some big file it has started sending after the C
message, it will send up to its size
NUL bytes before the \1
error message / nak.
Best Answer
Terminals only understand characters, not keys. So al function keys are encoded as sequences of characters, using control characters. Apart from a few common ones that have an associated control character (Tab is
Ctrl+I
, Enter isCtrl+M
, Esc isCtrl+[
), function keys send escape sequences, beginning withCtrl+[ [
orCtrl+[ O
. You can use thetput
command to see what escape sequence applications expect for each function key on your terminal. These sequences are stored in theterminfo
database. For example, the shell snippet below shows the escape sequences corresponding to each function key.Another way to see the escape sequence for a function key is to press Ctrl+V in a terminal application that doesn't rebind the Ctrl+V key (such as the shell). Ctrl+V inserts the next character (which will be the escape character) literally, and you'll be able to see the rest of the sequence, which consists of ordinary characters.
Since the sequences may be awkward to type, do investigate changing the key bindings in your application or using another terminal emulator. Also, note that you may have a time limit: some applications only recognize escape sequences if they come in fast enough, so that they can give a meaning to the Esc key alone.