connecting to a virtual host: host key mismatch
Ulrich.Windl at rz.uni-regensburg.de
Thu Sep 11 19:02:01 EST 2003
On 11 Sep 2003 at 18:36, Darren Tucker wrote:
> Ulrich Windl wrote:
> > I have a kind of problem: I need to connect to a virtual host (a f "floating"
> > IP address) that is one of two physical hosts in a HA environment. Yesterday
> > the virtual IP address was moved to another host.
> > Today ssh refuses to connect, because the host key is different. Reading the
> > documentation I found that there is no command line option (documented) to
> > temporarily bypass "StrictHostKeyChecking", and it seems to be impossible to
> > specify multiple alternative hostkeys for a virtual host in "knows_hosts" (it
> > would make sense however IMHO).
> ssh -o StrictHostKeyChecking=no clusterhost ?
Yes, I found that out myself in the meantime. Thanks anyway.
> > Using the same host keys for both machines is not what I would like to do
> > (assuming it would help), and I don't want to disable "StrictHostKeyChecking"
> > globally.
> In ssh_config or $HOME/.ssh/config:
> Host clusterhost
> StrictHostKeyChecking no
> > So what's the (or a good) solution?
> Generate a set of keys for each node, plus a set for each floating
> address. Have each node run its own sshd listening on its main IP address
> with its "node" keys, and the machine with the production address run
> another sshd on it with the "floating" keys. Note that this means you
> have to migrate the production sshd along with the rest of your production
A clever suggestion. I have something similar for Samba already.
> I'd probably just use the same keys for all the machines in the cluster.
> The keys are to prevent a MITM attack, and since all of the machines in
> the cluster are presumably under the same administrative control, I don't
> think separate keys buy you much.
Also true. So I conclude that SSH will not complain if different hosts use
the same key.
Thanks a lot!
More information about the openssh-unix-dev