Re: prompt to update a host key

On Fri, Mar 15, 2019 at 6:40 AM Stephen Harris <lists@xxxxxxxxxx> wrote:
>
> On Fri, Mar 15, 2019 at 09:10:26AM +0000, Jochen Bern wrote:
> > Imagine sysadminning a boatload of VMs getting IPs from a dynamic pool, a la
> >
> > $ for ADDR in $CUSTOMER_1_RANGE $CUSTOMER_2_RANGE... ; do
> > > ping -c 1 -w 2 $ADDR >/dev/null 2>&1 && ssh root@$ADDR do_urgent_fix
> > > done
> >
> > , and it mightn't be that much of a niche anymore ...
>
> And that's when you look at using certificate based host keys.

And it fails miserably as soon as any of the intervening firewalls
block ICMP, such as, say, the security group settings for an AWS
deployed virtual host. You need to check with port 22 on TCP, not ICMP
packets. This sort of thing is also why a casually assembled "doodz,
just do this thing!!!" breaks down in the larger world.
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
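
Added example, not part of the original thread: the loop quoted above, gated on a TCP connect to the SSH port instead of an ICMP echo, so hosts behind ICMP-dropping firewalls or security groups are not silently skipped. The function names, SSH_PORT, PROBE_TIMEOUT and the ssh options are choices made for this sketch; it assumes bash and coreutils timeout are present on the admin host.

```shell
#!/bin/sh
# Added example: probe TCP/22 rather than ping before each ssh.

SSH_PORT=${SSH_PORT:-22}            # port to probe (assumed default)
PROBE_TIMEOUT=${PROBE_TIMEOUT:-2}   # seconds to wait for the handshake

# tcp_open HOST [PORT]: succeed only if a TCP handshake to HOST:PORT completes
# within PROBE_TIMEOUT seconds. Relies on bash's /dev/tcp pseudo-device.
tcp_open() {
    timeout "$PROBE_TIMEOUT" \
        bash -c 'exec 3<>"/dev/tcp/$1/$2"' _ "$1" "${2:-$SSH_PORT}" 2>/dev/null
}

# select_reachable PROBE ADDR...: print each address for which PROBE succeeds.
# The probe is passed by name so it can be swapped out or stubbed.
select_reachable() {
    probe=$1; shift
    for addr in "$@"; do
        if "$probe" "$addr"; then
            printf '%s\n' "$addr"
        fi
    done
}

# run_fix ADDR...: run do_urgent_fix (the command from the quoted loop) on
# every address that answers on the SSH port.
#   BatchMode=yes             never stop to prompt in an unattended sweep
#   StrictHostKeyChecking=yes refuse unknown or changed host keys, do not ask
#   -n                        keep ssh from consuming the address list on stdin
run_fix() {
    select_reachable tcp_open "$@" | while IFS= read -r addr; do
        ssh -n -o BatchMode=yes -o StrictHostKeyChecking=yes \
            -o ConnectTimeout=5 "root@$addr" do_urgent_fix ||
            echo "FAILED: $addr" >&2
    done
}

# Only act when addresses are given on the command line.
if [ "$#" -gt 0 ]; then
    run_fix "$@"
fi
```

With StrictHostKeyChecking=yes, a VM that picked up a recycled address fails the host key check and is reported as FAILED instead of prompting, which is where the host certificates suggested earlier in the thread would come in.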


