Re: ssh'ing to Cluster IP aliases.

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Thu, 2008-04-24 at 14:10 -0500, Bennie Thomas wrote:
> I have a 3-node Cluster set up as 2-nodes active and one passive. I have 
> assigned 2 IP Aliases
> to fail over. The problem I am having is;  When I ssh to the IP aliases 
> the first time it works fine,
> I then failover the IP alias service to the backup node, then try 
> ssh'ing to the alias,  it fails with man in the middle attack
> 
> I know I can go modify .ssh/known_hosts and remove the host key and it 
> will work, but if the alias fails back to the
> original node the problem starts all over.
> 
> How can I set up ssh to allow this connection. ?

What I usually do is:

- make a copy of the sshd init script and place it somewhere
besides /etc/init.d (/cluster/scripts?)

- change the global sshd config file to bind to a *specific* VIP on the
host.

- create a separate config file for the cluster VIP using different host
keys for the cluster IP address

- copy service-specific sshd script / config / host keys to other
cluster node(s)

- add the copied script as part of the cluster service with the VIP you
want

You'll end up with 2 sshd instances running on the host when the service
is enabled - one for the host's IP with specific keys/etc. for that IP,
and one running for the cluster IP address with its own set of keys.

Because the host keys are distributed between the cluster nodes for this
address, no matter where the cluster IP is, it should work - IP matches
and the keys match :)

-- Lon

--
Linux-cluster mailing list
Linux-cluster@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/linux-cluster

[Index of Archives]     [Corosync Cluster Engine]     [GFS]     [Linux Virtualization]     [Centos Virtualization]     [Centos]     [Linux RAID]     [Fedora Users]     [Fedora SELinux]     [Big List of Linux Books]     [Yosemite Camping]

  Powered by Linux