About multiple hosts with same hostname
Rick Jones
rick.jones2 at hp.com
Wed Apr 1 05:22:14 EST 2009
Christian Iversen wrote:
> Rick Jones wrote:
>
>>Christian Iversen wrote:
>>
>>>Hello all
>>>
>>>I have a somewhat annoying problem with OpenSSH. Now, granted, it's
>>>certainly not a bug. I'm just wondering what the best course of action
>>>is.
>>>
>>>At work, we have multiple customers with machines named "fw0", "fs0",
>>>etc. This is all good, since it conforms to a standard naming scheme,
>>>so it's easier to administrate.
>>>
>>>However, when we go to our customers' sites, we often issue commands
>>>like "ssh user@fw0", which of course gives out endless warnings about
>>>MITM attacks, and essentially makes host keys worthless on the
>>>internal customer networks.
>>>
>>>It seems somewhat wrong to me. Isn't there some way to make OpenSSH
>>>save the host key using the FQDN instead of just the local part? That
>>>would solve this problem. Is there some other commonly accepted way of
>>>dealing with this that doesn't involve making all our host names unique?
>>
>>FQDNs _are_ unique host names. Or at least they are supposed to be.
>
>
> Oh, of course they are. But as I said, the problem is that we often use
> only the local part.
Then it seems the fault lies not in your stars/software :)
> Our FQDNs are always globally unique, otherwise a ton of things would break.
>
>
>>So, it would seem that simply saying ssh user@FQDN is going to be the
>>way to go. It has been my experience that if one uses the FQDN that is
>>what will go into the file.
>
>
> Mine too. I might just set up some zsh completion and perhaps some
> aliases to work around the extra typing involved.
Even without zsh completion, you might "get by" with what I will call "PQDN" -
Partially Qualified Domain Name. If your sites only differ by the first
sub-domain then you can go:
ssh user@foo.bar
ssh user@foo.baz
ssh user@foo.bing
rather than:
ssh user@foo.bar.com.
ssh user@foo.baz.fred.com.
ssh user@foo.bing.ethel.org.
(being picky and putting the "root dot" to have the software really know it is an
FQDN and saving some DNS queries :)
>>>Bonus question: We have 2 storage servers (let's call them storage0
>>>and storage1), and between them they run a floating IP address with a
>>>heartbeat-monitored NFS daemon (let's call that nfs0).
>>>
>>>Now, obviously the host key changes whenever there's been a failover,
>>>and so again we get this same kind of problem. What to do in this
>>>case? Any ideas?
>>
>>Always ssh to the unique rather than shared name?
>
>
> Well, since they mount a shared disk which is only available on the
> active nfs host, we need to actually ssh to the nfs server in
> maintenance and backup scripts. Any ideas?
Have the standby cross-mount the shared disc filesystem(s) from the active NFS
server?
rick jones
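The collision the thread describes happens because OpenSSH records the host key under whatever name it ended up connecting to, so an entry for a bare "fw0" is shared by every customer's firewall. The script below is an added example (my own code, not from this thread or from OpenSSH): it audits a known_hosts file for unqualified names, which are the entries that will produce spurious "host key changed" warnings across sites, and it emits ssh_config `Host` stanzas that map a short alias to a per-site FQDN, so the key is stored under the FQDN while the typing stays short. The known_hosts content, the site names and the `.example` domains are constructed sample data; the key blobs are placeholders, not real keys.

```python
"""Audit known_hosts for unqualified host names and emit ssh_config aliases."""
import ipaddress
import re

# Constructed sample known_hosts (placeholder key material, not real keys).
SAMPLE_KNOWN_HOSTS = """\
fw0 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDER0000000000000000000000000000 site-a
fw0.acme.example,10.0.0.1 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDER111111111111111111111 site-a
[fs0]:2222 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQPLACEHOLDER222222222222222222222222222
|1|saltPLACEHOLDER=|hostPLACEHOLDER= ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDER3333333
@revoked fs0.beta.example ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQPLACEHOLDER4444444444444444
# comment lines and blank lines are ignored by ssh
"""

# Bracketed form used for non-default ports: [host]:port
_PORT_RE = re.compile(r"^\[(?P<host>[^\]]+)\]:\d+$")


def _host_patterns(line):
    """Return the comma-separated host patterns of one known_hosts line,
    or [] for blank, comment and malformed lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return []
    fields = line.split()
    if fields[0].startswith("@"):          # @cert-authority / @revoked marker
        fields = fields[1:]
    if len(fields) < 3:                    # need hosts, key type and key blob
        return []
    return fields[0].split(",")


def _is_address(name):
    """True for bare IPv4/IPv6 literals, which have no domain to qualify."""
    try:
        ipaddress.ip_address(name)
        return True
    except ValueError:
        return False


def unqualified_hosts(known_hosts_text):
    """Sorted list of plain host names without a dot, i.e. entries that will
    be matched for every site that uses the same short name."""
    found = set()
    for raw in known_hosts_text.splitlines():
        for pattern in _host_patterns(raw):
            if pattern.startswith("|1|"):
                continue                   # HashKnownHosts entry: name not recoverable
            m = _PORT_RE.match(pattern)
            name = m.group("host") if m else pattern
            if _is_address(name) or any(c in name for c in "*?!"):
                continue                   # address literal or wildcard/negation pattern
            if "." not in name:
                found.add(name)
    return sorted(found)


def ssh_config_aliases(sites):
    """Build ssh_config text from {site_label: {short_name: fqdn}}.

    Each stanza gives a short alias (short-site) and sets HostName to the FQDN,
    so the connection, and the known_hosts entry, use the fully qualified name."""
    stanzas = []
    for site, hosts in sorted(sites.items()):
        for short, fqdn in sorted(hosts.items()):
            stanzas.append(f"Host {short}-{site}\n    HostName {fqdn}\n")
    return "\n".join(stanzas)


if __name__ == "__main__":
    print("unqualified names:", unqualified_hosts(SAMPLE_KNOWN_HOSTS))
    # Constructed site mapping (hypothetical customer domains).
    print(ssh_config_aliases({
        "acme": {"fw0": "fw0.acme.example", "fs0": "fs0.acme.example"},
        "beta": {"fw0": "fw0.beta.example"},
    }))
```

On the sample data the audit reports `fs0` and `fw0`; the `[fs0]:2222` form is unwrapped before the check, the hashed line is skipped because its name cannot be read back, and the `@revoked` marker is stripped before the host field is examined. Run it against `~/.ssh/known_hosts` to find the entries worth replacing with FQDN ones, and drop the generated stanzas into `~/.ssh/config` so that `ssh fw0-acme` reaches `fw0.acme.example` and stores its key under that name.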