On Fri, Mar 15, 2019 at 6:40 AM Stephen Harris <lists@xxxxxxxxxx> wrote:
>
> On Fri, Mar 15, 2019 at 09:10:26AM +0000, Jochen Bern wrote:
> > Imagine sysadminning a boatload of VMs getting IPs from a dynamic pool, a la
> >
> > $ for ADDR in $CUSTOMER_1_RANGE $CUSTOMER_2_RANGE... ; do
> > >       ping -c 1 -w 2 $ADDR >/dev/null 2>&1 && ssh root@$ADDR do_urgent_fix
> > > done
> >
> > , and it mightn't be that much of a niche anymore ...
>
> And that's when you look at using certificate based host keys.

And it fails miserably as soon as any of the intervening firewalls block ICMP, such as, say, the security group settings for an AWS deployed virtual host. You need to check with port 22 on TCP, not ICMP packets.

This sort of thing is also why a casually assembled "doodz, just do this thing!!!" breaks down in the larger world.
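
An added example, not part of the thread: one way to replace the ICMP test with a TCP check on port 22 that also confirms the listener sends an SSH identification string (RFC 4253, section 4.2). The function names, the 2-second default and the 5-line pre-banner limit are assumptions; it relies on `bash` (for `/dev/tcp`) and coreutils `timeout` being installed.

```shell
#!/bin/sh
# Added example: function names and limits below are assumptions.

# Succeeds only if $1 looks like an SSH-2 identification string.
# "SSH-1.99-" is what a server offering both protocol 1 and 2 announces;
# protocol-1-only banners (e.g. "SSH-1.5-") are deliberately rejected.
is_ssh_banner() {
    case $1 in
        SSH-2.0-*|SSH-1.99-*) return 0 ;;
        *) return 1 ;;
    esac
}

# ssh_banner HOST [PORT] [SECONDS]
# Opens a TCP connection and prints the server's identification line.
# A filtered port (packets silently dropped) is cut off by timeout,
# a closed port fails immediately; both give a non-zero status.
ssh_banner() {
    timeout "${3:-2}" bash -c '
        exec 3<>"/dev/tcp/$1/$2" || exit 1
        n=0
        # RFC 4253 lets a server send other lines before its version string.
        while [ "$n" -lt 5 ] && IFS= read -r line <&3; do
            case $line in SSH-*) printf "%s\n" "$line"; exit 0 ;; esac
            n=$((n + 1))
        done
        exit 1
    ' _ "$1" "${2:-22}" 2>/dev/null
}

# ssh_reachable HOST [PORT] [SECONDS]
# True only when something answering like sshd is listening.
ssh_reachable() {
    banner=$(ssh_banner "$@") || return 1
    is_ssh_banner "$banner"
}

# Drop-in for the ping test in the quoted loop:
#   ssh_reachable "$ADDR" && ssh root@"$ADDR" do_urgent_fix
```

A successful probe only shows that an SSH server answers at that address; which host it is still has to be established by host key verification, as with the certificate-based host keys mentioned above.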