prompt to update a host key

Nico Kadel-Garcia nkadel at gmail.com
Sat Mar 16 11:42:54 AEDT 2019


On Fri, Mar 15, 2019 at 6:40 AM Stephen Harris <lists at spuddy.org> wrote:
>
> On Fri, Mar 15, 2019 at 09:10:26AM +0000, Jochen Bern wrote:
> > Imagine sysadminning a boatload of VMs getting IPs from a dynamic pool, a la
> >
> > $ for ADDR in $CUSTOMER_1_RANGE $CUSTOMER_2_RANGE... ; do
> > > ping -c 1 -w 2 $ADDR >/dev/null 2>&1 && ssh root@$ADDR do_urgent_fix
> > > done
> >
> > , and it mightn't be that much of a niche anymore ...
>
> And that's when you look at using certificate based host keys.

And it fails miserably as soon as any of the intervening firewalls
block ICMP, such as, say, the security group settings for an AWS
deployed virtual host. You need to check with port 22 on TCP, not ICMP
packets. This sort of thing is also why a casually assembled "doodz,
just do this thing!!!" breaks down in the larger world.
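A version of the quoted loop that probes 22/tcp instead of relying on ICMP, as an added example that is not part of this thread or of OpenSSH; it assumes bash (for `/dev/tcp`) and coreutils `timeout`, and keeps `do_urgent_fix` and the `CUSTOMER_*_RANGE` variables as placeholders from the quoted message.

```shell
#!/usr/bin/env bash
# Added example: reach each host on 22/tcp before dispatching an ssh command,
# so a firewall or AWS security group that drops ICMP does not hide live hosts.
# Assumes bash (/dev/tcp) and coreutils `timeout`; the address ranges and
# do_urgent_fix below are placeholders taken from the thread.

# Return 0 when a TCP connect to host $1, port $2 (default 22) completes
# within $3 seconds (default 2). A refused connection and a silent drop by
# a firewall both count as "not reachable".
tcp_port_open() {
    local host=$1 port=${2:-22} secs=${3:-2}
    timeout "$secs" bash -c "exec 3<>/dev/tcp/$host/$port" 2>/dev/null
}

# Run $1 over ssh on every address in $2.. that answers on 22/tcp.
# BatchMode stops a password or host-key prompt from hanging the loop,
# ConnectTimeout bounds a half-open host, and host-key verification is left
# enabled (no StrictHostKeyChecking=no), which is where CA-signed host keys
# (@cert-authority in known_hosts) save the per-host prompts.
run_fix_on_reachable() {
    local cmd=$1; shift
    local addr rc=0
    for addr in "$@"; do
        if tcp_port_open "$addr" 22 2; then
            ssh -o BatchMode=yes -o ConnectTimeout=5 "root@$addr" "$cmd" || rc=1
        else
            echo "skip $addr: 22/tcp not reachable" >&2
        fi
    done
    return "$rc"
}

# Usage with the placeholder ranges from the thread:
# run_fix_on_reachable do_urgent_fix $CUSTOMER_1_RANGE $CUSTOMER_2_RANGE
```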
