Different HostKeys for different hostnames or IPs in the same sshd?..
Mikhail T.
mi+thun at aldan.algebra.com
Wed Sep 21 06:12:08 EST 2011
Hello!
Like many organizations, we have a "disaster-recovery" location, where separate
servers are running, ready to take up important services should the primary
location fail.
Some of the services provided involve accepting files over scp (and sftp), and
here is the problem... The primary and the secondary hosts use different
host-keys... If the hosts were accessed as "service-primary.example.net" and
"host-dr.example.net", this would be fine, but the users (and the automated
tools) would have to be told, which name to use.
So, we want to use an "umbrella" DNS name "service.example.net" to control the
destination. Under normal circumstances, it is a CNAME for the
"service-primary.example.net", but in case of a disaster, it will be changed to
"service-dr.example.net".
How do we configure things so that the users and the automated scripts aren't
"freaked-out" by the key of "service.example.net" suddenly changing, when the
DNS is changed? Other than both machines using the same hostkey, of course...
Can sshd use a different key depending on which name it is contacted under --
that is, does the ssh-protocol have anything like HTTP's Host:-header? If not,
can sshd offer a different key depending on the IP address that the incoming
connection uses?
Thanks for any ideas. Yours,
-mi
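One client-side way to keep users and scripts from being "freaked out" by the switch, as an added example that is not part of the original post or of OpenSSH itself: list both machines' host keys in known_hosts under the umbrella name, so that whichever host "service.example.net" currently resolves to, its key is already trusted. The hostnames are the ones from the post; the key strings are constructed placeholders, not real host keys, and the helper `alias_known_hosts` is a name chosen here, not an OpenSSH tool.

```shell
#!/bin/sh
# Added example (not from the original post): build known_hosts lines that
# list BOTH the primary and the DR host key under the umbrella name, so a
# client connecting to service.example.net accepts whichever host answers.
# Hostnames are the ones from the post; the keys below are constructed
# placeholders, not real host keys.

# Rewrite ssh-keyscan output so every line is also valid for $1 (the umbrella
# name). known_hosts accepts a comma-separated list of names in field 1, and
# the client accepts a connection if ANY line for that name matches the key
# presented. Reads keyscan lines on stdin, writes known_hosts lines on stdout.
alias_known_hosts() {
    umbrella=$1
    awk -v alias="$umbrella" '
        /^#/ || NF < 3 { next }          # skip keyscan comment lines and junk
        { print alias "," $1, $2, $3 }   # "umbrella,realhost keytype key"
    '
}

# In real use the input would come from the two hosts, e.g.:
#   { ssh-keyscan -t rsa service-primary.example.net
#     ssh-keyscan -t rsa service-dr.example.net; } \
#     | alias_known_hosts service.example.net >> ~/.ssh/known_hosts
# Constructed sample standing in for that keyscan output (placeholder keys):
sample_keyscan() {
    cat <<'EOF'
# service-primary.example.net:22 SSH-2.0-OpenSSH_5.8
service-primary.example.net ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCprimaryPLACEHOLDER
# service-dr.example.net:22 SSH-2.0-OpenSSH_5.8
service-dr.example.net ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCdrPLACEHOLDER
EOF
}

sample_keyscan | alias_known_hosts service.example.net
```

Two practitioner caveats: the keyscan step fetches keys over the network without authentication, so run it once from a trusted vantage point (or copy the public keys from /etc/ssh on each server) and verify the fingerprints before distributing the file; and set `CheckHostIP no` for that host in ssh_config, otherwise the client will also compare the key against the IP address it resolved, which changes along with the CNAME.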