known_hosts(5) man page
Darren Tucker
dtucker at zip.com.au
Sun Oct 25 21:08:38 EST 2009
Dave Yost wrote:
> At 12:08 AM -0600 2009-10-25, Bob Proulx wrote:
>> Jim Rees wrote:
>>> Given that the hosts are interchangeable from the client's point of view,
>>> shouldn't they both have the same host key?
>> Let me second that. A pool of failover servers should have the same
>> host key. They aren't individual machines at that point. Like
>> mirrored disks they are logically mirrors of each other.
>
> Hard to say. These aren't really a failover or a load-balanced group.
> It's more like a server plus other machines that can be pressed into
> service to fill in for the server in a pinch, in addition to the
> other stuff they do.
The main question is: are they under the same administrative control?
The host key protects you against MITM, but by definition the server's
administrator can already conduct a MITM (since the server has access to
the decrypted traffic and the admins have access to the host keys). If
the machines are run by the same admins then you're not giving up much
by using the same host keys.
The other option for clusters (not applicable in this case from your
description) is to have a "cluster package" that has a sshd bound to the
floating cluster address with its own host keys and have this sshd move
with the address.
--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
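The two arrangements discussed in this thread (several interchangeable hosts trusting one key, versus a floating address with its own key) show up directly in a client's known_hosts file. The script below is an added example, not code from the OpenSSH project or from anyone in the thread: it parses known_hosts(5) lines (including `@revoked` markers and hashed `|1|` entries), reports which hostnames share a key, and flags a hostname recorded with more than one key of the same type, which is the situation that produces the "host key has changed" warning. The sample file and all key blobs are constructed placeholders, not real keys.

```python
"""Audit a known_hosts file for shared and conflicting host keys.

Added example for the thread above; not part of OpenSSH.
Assumes the known_hosts(5) line format:
    [marker] hostnames keytype base64-key [comment]
where hostnames is a comma-separated list, or a single |1|salt|hash token.
"""
from collections import defaultdict

# Constructed sample content; the key blobs are placeholders, not real keys.
SAMPLE_KNOWN_HOSTS = """\
# primary server and its standbys sharing one key (the "same admins" case)
server.example.org,standby1.example.org,10.0.0.5 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERKEYONE
standby2.example.org ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERKEYONE
# stale entry for standby2 from before it was given the shared key
standby2.example.org ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERKEYTWO
# floating cluster address with its own key (the "cluster package" case)
cluster-vip.example.org,10.0.0.100 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERKEYVIP
other.example.org ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQPLACEHOLDERKEYRSA
@revoked oldbox.example.org ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERKEYOLD
|1|hashedsaltPLACEHOLDER=|hashedhostPLACEHOLDER= ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERKEYHASHED
"""


def parse_known_hosts(text):
    """Yield (marker, hostnames, keytype, key) per entry; skips blanks and comments."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        marker = None
        if fields[0].startswith("@"):          # @cert-authority or @revoked
            marker = fields.pop(0)
        if len(fields) < 3:
            continue                            # malformed line, ignore
        hosts, keytype, key = fields[0], fields[1], fields[2]
        yield marker, hosts.split(","), keytype, key


def shared_keys(text):
    """Map (keytype, key) -> sorted hostnames for keys trusted under more than one name."""
    by_key = defaultdict(set)
    for marker, hosts, keytype, key in parse_known_hosts(text):
        if marker == "@revoked":
            continue                            # revoked keys are never trusted
        by_key[(keytype, key)].update(hosts)
    return {k: sorted(v) for k, v in by_key.items() if len(v) > 1}


def conflicting_hosts(text):
    """Hostnames recorded with more than one non-revoked key of the same type.

    These are the entries that trigger ssh's host-key-changed warning: either a
    stale line left behind after a key rotation, or a sign of interception.
    """
    keys_for = defaultdict(set)
    for marker, hosts, keytype, key in parse_known_hosts(text):
        if marker == "@revoked":
            continue
        for host in hosts:
            keys_for[(host, keytype)].add(key)
    return sorted(host for (host, _kt), keys in keys_for.items() if len(keys) > 1)


if __name__ == "__main__":
    for (keytype, key), names in shared_keys(SAMPLE_KNOWN_HOSTS).items():
        print(f"{keytype} {key[-12:]} shared by: {', '.join(names)}")
    for host in conflicting_hosts(SAMPLE_KNOWN_HOSTS):
        print(f"CONFLICT: {host} has more than one key of the same type")
```

Run it against a real file with `shared_keys(open('~/.ssh/known_hosts').read())`; hashed entries (`HashKnownHosts yes`) still group correctly by key, but their hostnames cannot be recovered from the hash.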