Transition existing weak keys automatically to better ones
Because some providers will have a weak host key algorithm saved in their provider directory, we want to detect that and transition them to a better one, when possible.
This came up because we ran into a problem in #7642 (closed) where providers that were using <= 0.7.1 had ecdsa host keys stored in their provider directories. But then 0.8 used a more modern ssh module, which disables the ecdsa host keys, which effectively kills your ability to ssh into the provider as soon as you have deployed there.
So we re-enable ecdsa host keys, but we want to develop a method for smooth transition to better algorithms. We can't do that with ssh-keyscan, but if we already have a valid host key with a weaker algorithm, we can do this:
When deploying, leap cli will check the host keys and determine whether they are weak. If so, it will stop before doing anything and instead tell the admin that they need to upgrade their host key security, which is done as follows:
leap node migrate-ssh-keys
checking ssh host key
(ssh into the node, using the existing stored host key, then do a ssh-keygen -lf /etc/ssh/ssh_host_ed25519_key)
host has a better ssh key than the one saved
replacing key xxx with key yyy
(from redmine: created on 2016-02-09, relates #7642 (closed))
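A sketch of the decision step in the migration described above, added here as an example and not taken from leap cli. The function names, the weak-algorithm list (the issue names only ecdsa) and the sample keys are assumptions; the offered keys are assumed to have been read over an SSH session already authenticated with the stored host key.

```ruby
require "base64"
require "digest"

# Assumption: algorithms treated as weak. The issue names only ecdsa; ssh-dss is added here.
WEAK_TYPES = /\A(ecdsa-sha2-|ssh-dss\z)/
TARGET_TYPE = "ssh-ed25519" # type of the key in /etc/ssh/ssh_host_ed25519_key

HostKey = Struct.new(:type, :blob) do
  def weak?
    type.match?(WEAK_TYPES)
  end

  # Same form ssh-keygen -lf prints: SHA256 over the raw key blob, unpadded base64.
  def fingerprint
    "SHA256:" + Base64.strict_encode64(Digest::SHA256.digest(blob)).delete("=")
  end
end

# Parse "type base64 [comment]" and require that the algorithm name embedded
# in the blob (uint32 length + name) matches the declared type.
def parse_host_key(line)
  type, b64 = line.split(" ", 3)
  raise ArgumentError, "malformed key line" if type.nil? || b64.nil?
  blob = Base64.strict_decode64(b64)
  inner = blob[4, blob.unpack1("N").to_i]
  raise ArgumentError, "declared type does not match key blob" unless inner == type
  HostKey.new(type, blob)
end

# stored_line: key saved in the provider directory.
# offered_lines: public keys read from the node over the already-trusted session.
def plan_migration(stored_line, offered_lines)
  stored = parse_host_key(stored_line)
  return { action: :keep, key: stored } unless stored.weak?
  better = offered_lines.map { |l| parse_host_key(l) }.find { |k| k.type == TARGET_TYPE }
  return { action: :blocked, key: stored } if better.nil?
  { action: :replace, key: better, old: stored }
end

# Constructed sample keys (not real host keys): algorithm name plus filler bytes.
def sample_line(type, filler)
  blob = [type.bytesize].pack("N") + type + filler
  "#{type} #{Base64.strict_encode64(blob)} constructed-sample"
end

if __FILE__ == $PROGRAM_NAME
  old = sample_line("ecdsa-sha2-nistp256", "B" * 65)
  plan = plan_migration(old, [old, sample_line("ssh-ed25519", "A" * 32)])
  puts "#{plan[:action]}: #{plan[:old]&.fingerprint} -> #{plan[:key].fingerprint}"
end
```

The `:blocked` result covers a node that has no ed25519 host key yet, in which case the stored key stays in place and nothing is replaced.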