John Sullivan wrote:
> Personally, I vote for option #3, because it will reduce the number of
> variables in debugging the inevitable problems that will appear in the
> transition.

Thanks for commenting! (I will note that there was an additional private comment.) Not hearing any dissenting opinions I am executing option 3.

> > Option 3: Do we use the old keys now through the transition but switch
> > to the new host keys soon after completing the migration? Soon being
> > 1-2 weeks. This would keep the immediate disruption minimized. It
> > would allow us to back out of the switch, briefly return to the
> > previous hosts if problems were found, without thrashing users.

Done. The old host keys have been cloned onto the new machines.

Note that for users such as those of us already working on the new systems we will have recorded in our known_hosts the newer and now preferred ecdsa-sha2-nistp256 keys rather than the previous ssh-rsa keys. Therefore those of us working already will be nicely surprised not to see a thrash to our own known_hosts files. :-)

Bob