Different HostKeys for different hostnames or IPs in the same sshd?..

Damien Miller djm at mindrot.org
Wed Sep 21 11:44:53 EST 2011


On Tue, 20 Sep 2011, Mikhail T. wrote:

> Hello!
> 
> Like many organizations, we have "disaster-recovery" location, where separate
> servers are running ready to take up important services should the primary
> location fail.
> 
> Some of the services provided involve accepting files over scp (and sftp), and
> here is the problem... The primary and the secondary hosts use different
> host-keys... If the hosts were accessed as "service-primary.example.net" and
> "host-dr.example.net", this would be fine, but the users (and the automated
> tools) would have to be told, which name to use.

If these machines are replicas of each other and are subject to similar
security controls then there is no reason they cannot have the same key.

Unless you store keys in DNSSEC, OpenSSH doesn't have a mechanism to allow
two hosts with the same name to use different keys.

-d
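As an added example (not part of the thread and not OpenSSH code), a small Python check that compares ssh-keyscan output from the primary and the DR host key type by key type, so that the replicated host key can be verified as identical before the DR host is put behind the shared service name; the scan lines and key blobs are constructed sample data, not real keys.

```python
import base64
import hashlib


def _blob(keytype: str, raw: bytes) -> str:
    """Build a minimal SSH public-key blob (string keytype, string payload) as base64.
    Used only to construct sample data here; real blobs come from ssh-keyscan."""
    kt = keytype.encode()
    blob = len(kt).to_bytes(4, "big") + kt + len(raw).to_bytes(4, "big") + raw
    return base64.b64encode(blob).decode()


# Constructed ssh-keyscan style output (synthetic blobs, not real host keys).
SAME_KEY = bytes(range(32))
PRIMARY_SCAN = (
    "# service-primary.example.net:22 SSH-2.0-OpenSSH\n"
    "service-primary.example.net ssh-ed25519 " + _blob("ssh-ed25519", SAME_KEY) + "\n"
)
DR_SCAN_OK = "host-dr.example.net ssh-ed25519 " + _blob("ssh-ed25519", SAME_KEY) + "\n"
DR_SCAN_DIFF = "host-dr.example.net ssh-ed25519 " + _blob("ssh-ed25519", bytes(32)) + "\n"


def fingerprint(b64_key: str) -> str:
    """SHA256 fingerprint in the form ssh-keygen -l prints (unpadded base64)."""
    digest = hashlib.sha256(base64.b64decode(b64_key)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def scan_fingerprints(scan_output: str) -> dict:
    """Map key type -> fingerprint from ssh-keyscan output; '#' comment lines are skipped."""
    out = {}
    for line in scan_output.splitlines():
        if not line or line.startswith("#"):
            continue
        _host, keytype, b64 = line.split()[:3]
        out[keytype] = fingerprint(b64)
    return out


def compare_hosts(primary_scan: str, dr_scan: str) -> dict:
    """Per key type: True only if primary and DR present the identical key.
    A key type offered by just one side counts as a mismatch."""
    p, d = scan_fingerprints(primary_scan), scan_fingerprints(dr_scan)
    return {kt: kt in p and kt in d and p[kt] == d[kt] for kt in set(p) | set(d)}


if __name__ == "__main__":
    for label, dr in (("replica", DR_SCAN_OK), ("diverged", DR_SCAN_DIFF)):
        print(label, compare_hosts(PRIMARY_SCAN, dr))
```

In practice the two inputs would be the captured output of `ssh-keyscan` run against each host over a trusted path; a False for any key type means the DR host has not yet received the primary's HostKey files.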
