: notebook$ rm admin_keys
: notebook$
+The Ansible configuration expects certain host keys on the new front.
+The administrator should install them now, and deal with the machine's
+change of SSH identity. The following commands copied the host keys
+in =Secret/ssh_front/= to the droplet and restarted the SSH server.
+
+: notebook$ scp Secret/ssh_front/etc/ssh/ssh_host_* sysadm@159.65.75.60:
+: notebook$ ssh sysadm@159.65.75.60
+: sysadm@ubuntu$ chmod 600 ssh_host_*
+: sysadm@ubuntu$ chmod 644 ssh_host_*.pub
+: sysadm@ubuntu$ sudo cp -b ssh_host_* /etc/ssh/
+: sysadm@ubuntu$ sudo systemctl restart ssh
+: sysadm@ubuntu$ logout
+: notebook$ ssh-keygen -f ~/.ssh/known_hosts -R 159.65.75.60
+
+The last command removes the old host key from the administrator's
+=known_hosts= file. The next SSH connection should ask to confirm the
+new host identity.
+
The administrator then tested the password-less ssh login as well as
the privilege escalation command.
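Review bot: In the droplet transcript, ~logout~ follows ~sudo systemctl restart ssh~ while the uploaded private host keys are still in sysadm's home directory, because ~cp~ copies rather than moves them. Add a cleanup step such as ~rm ssh_host_*~ before ~logout~, and say whether the backup copies of the old keys that ~cp -b~ leaves in =/etc/ssh/= are meant to stay. The closing paragraph could also tell the administrator what to compare the confirmation prompt against, for example the fingerprints that ~ssh-keygen -l -f~ prints for the public keys under =Secret/ssh_front/etc/ssh/=.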
( cd; umask 077; mkdir .ssh; cp admin_key .ssh/authorized_keys )
#+END_SRC
-** The Test Ansible Configuration
+The ~front~ machine needs a little additional preparation. Ansible
+will configure ~front~ with the host keys in =Secret/=. These should
+be installed there now so that ~front~ does not appear to change
+identities while Ansible is configuring.
+
+First, the host keys are securely copied to ~front~ with the following
+command.
+
+#+BEGIN_SRC sh
+scp Secret/ssh_front/etc/ssh/ssh_host_* sysadm@192.168.57.3:
+#+END_SRC
+
+Then they are installed with these commands.
+
+#+BEGIN_SRC sh
+chmod 600 ssh_host_*
+chmod 644 ssh_host_*.pub
+sudo cp -b ssh_host_* /etc/ssh/
+#+END_SRC
+
+Finally, the system administrator removes the old identity of ~front~.
+
+: ssh-keygen -f ~/.ssh/known_hosts -R 192.168.57.3
+
+** Configure Test Machines
At this point the three test machines ~core~, ~gate~, and ~front~ are
running fresh Debian systems with select additional packages, on their
authorizes password-less access from the administrator's notebook,
ready to be configured by Ansible.
-** Configure Test Machines
-
To configure the test machines, the ~./inst config~ command is
executed and ~core~ restarted. Note that this first run should
exercise all of the handlers, /and/ that subsequent runs probably /do
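Review bot: The test-machine steps stop at ~sudo cp -b ssh_host_* /etc/ssh/~ and omit the ~sudo systemctl restart ssh~ that the droplet procedure runs at the same point, so it is unclear when ~front~ starts presenting the new keys relative to the ~ssh-keygen -R~ that follows. Either add the restart or state why it is not needed here. "Then they are installed with these commands" should also say that the block runs on ~front~ as sysadm, which the droplet version makes visible through its prompts, and, as in the droplet steps, the copied private keys are left behind in the home directory after the install.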