About multiple hosts with same hostname

Christian Iversen chrivers at iversen-net.dk
Wed Apr 1 05:04:13 EST 2009 

Rick Jones wrote:
> Christian Iversen wrote:
>> Hello all
>>
>> I have a somewhat annoying problem with OpenSSH. Now, granted, it's 
>> certainly not a bug. I'm just wondering what the best course of action 
>> is.
>>
>> At work, we have multiple customers with machines named "fw0", "fs0", 
>> etc. This is all good, since it conforms to a standard naming scheme, 
>> so   it's easier to administrate.
>>
>> However, when we go to our customers' sites, we often issue commands 
>> like "ssh user at fw0", which of course gives out endless warnings about 
>> MITM attacks, and essentially makes host keys worthless on the 
>> internal customer networks.
>>
>> It seems somewhat wrong to me. Isn't there some way to make OpenSSH 
>> save the host key using the FQDN instead of just the local part? That 
>> would solve this problem. Is there some other commonly accepted way of 
>> dealing with this that doesn't involve making all our host names unique?
> 
> FQDNs _are_ unique host names.  Or at least they are supposed to be.

Oh, of course they are. But as I said, the problem is that we often use 
  only the local part. Our FQDNs are always globally unique, otherwise a 
ton of things would break.

> So, it would seem that simply saying ssh user at FQDN is going to be the 
> way to go.  It has been my experience that if one uses the FQDN that is 
> what will go into the file.

Mine too. I might just set up some zsh completion and perhaps some 
aliases to work around the extra typing involved.

>> Bonus question: We have 2 storage servers (let's call them storage0 
>> and storage1), and between them they run a floating IP address with a 
>> heartbeat-monitored NFS daemon (let's call that nfs0).
>>
>> Now, obviously the host key changes whenever there's been a failover, 
>> and so again we get this same kind of problem. What to do in this 
>> case? Any ideas?
> 
> Always ssh to the unique rather than shared name?

Well, since they mount a shared disk which is only available on the 
active nfs host, we need to actually ssh to the nfs server in 
maintenance and backup scripts. Any ideas?

-- 
Med venlig hilsen
Christian Iversen

More information about the openssh-unix-dev mailing list