known_hosts(5) man page

Darren Tucker dtucker at zip.com.au
Sun Oct 25 21:08:38 EST 2009


Dave Yost wrote:
> At 12:08 AM -0600 2009-10-25, Bob Proulx wrote:
>> Jim Rees wrote:
>>> Given that the hosts are interchangeable from the client's point of view,
>>> shouldn't they both have the same host key?
>> Let me second that.  A pool of failover servers should have the same
>> host key.  They aren't individual machines at that point.  Like
>> mirrored disks they are logically mirrors of each other.
> 
> Hard to say. These aren't really a failover or a load-balanced group.
> It's more like a server plus other machines that can be pressed into
> service to fill in for the server in a pinch, in addition to the
> other stuff they do.

The main question is: are they under the same administrative control? 
The host key protects you against MITM, but by definition the server's 
administrator can already conduct a MITM (since the server has access to 
the decrypted traffic and the admins have access to the host keys).  If 
the machines are run by the same admins then you're not giving up much 
by using the same host keys.

The other option for clusters (not applicable in this case from your 
description) is to have a "cluster package" that has an sshd bound to the 
floating cluster address with its own host keys and have this sshd move 
with the address.

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
     Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
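The "cluster package" arrangement mentioned above, as an added example that is not part of the original thread or of OpenSSH itself: a second sshd instance that listens only on the floating cluster address and uses its own host keys kept on storage that moves with that address, so clients see one stable key for the service regardless of which node currently holds it. The floating address 192.0.2.10, the key directory /var/lib/cluster-ssh, the DNS name cluster.example.com and the key string in the known_hosts helper are all constructed placeholders for this example.

```shell
#!/bin/sh
# Added example (not from the original thread or the OpenSSH project): a
# "cluster package" sshd bound to the floating cluster address with its own
# host keys, so the key follows the address rather than any single node.
# Assumptions, all constructed for this example: floating address 192.0.2.10,
# key/config directory /var/lib/cluster-ssh, standard port 22.

CLUSTER_ADDR="${CLUSTER_ADDR:-192.0.2.10}"
CLUSTER_DIR="${CLUSTER_DIR:-/var/lib/cluster-ssh}"

# Emit an sshd_config for the cluster instance. It binds only the floating
# address, names separate HostKey files and uses its own PidFile so it can
# run alongside each node's ordinary sshd (which keeps that node's own keys).
cluster_sshd_config() {
    addr="$1"; dir="$2"
    cat <<EOF
# sshd_config for the cluster-package sshd (moves with $addr)
ListenAddress $addr
Port 22
HostKey $dir/ssh_host_ed25519_key
HostKey $dir/ssh_host_rsa_key
PidFile $dir/sshd.pid
EOF
}

# Generate the cluster's own host keys once, on the storage that migrates with
# the address; never copy a node's /etc/ssh keys here, or a compromise of that
# one node's keys would also cover the cluster service. Skips if ssh-keygen is
# not installed so the script can still be dry-run on a client machine.
generate_cluster_hostkeys() {
    dir="$1"
    mkdir -p "$dir"
    chmod 700 "$dir"
    if ! command -v ssh-keygen >/dev/null 2>&1; then
        echo "ssh-keygen not found; skipping key generation" >&2
        return 0
    fi
    [ -f "$dir/ssh_host_ed25519_key" ] || ssh-keygen -q -t ed25519 -N "" -f "$dir/ssh_host_ed25519_key"
    [ -f "$dir/ssh_host_rsa_key" ]     || ssh-keygen -q -t rsa -b 3072 -N "" -f "$dir/ssh_host_rsa_key"
}

# Client-side view: one known_hosts line listing the service name and the
# floating address against the cluster key, so the entry stays valid whichever
# node currently answers. The public key string is supplied by the caller.
cluster_known_hosts_line() {
    addr="$1"; name="$2"; pubkey="$3"
    printf '%s,%s %s\n' "$name" "$addr" "$pubkey"
}

# Full setup on a cluster node (needs root for the default directory):
main() {
    generate_cluster_hostkeys "$CLUSTER_DIR"
    cluster_sshd_config "$CLUSTER_ADDR" "$CLUSTER_DIR" > "$CLUSTER_DIR/sshd_config"
    echo "start the cluster sshd with: /usr/sbin/sshd -f $CLUSTER_DIR/sshd_config"
}

# Only perform the setup when explicitly asked, e.g.  sh cluster-sshd.sh run
if [ "${1:-}" = "run" ]; then
    main
fi
```

The generated config is meant to be started from whatever resource manager moves the floating address, immediately after the address is brought up on the new node; each node's own sshd keeps listening on its fixed addresses with its own keys, so administrative access to an individual node is unaffected.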

