Clusters, known_hosts, host keys, and "REMOTE HOST IDENTIFICATION HAS CHANGED"

SSH List-dwellers:

I'm using OpenSSH in an environment with lots of clusters.  These
clusters have IP addresses which are associated with a particular
application rather than with a particular host.  Oftentimes
(especially for file transfers) it's helpful to ssh/scp to the IP
address associated with the application rather than the one associated
with the host.  However, given that each host has its own host key, we
frequently get:

WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!

Which, of course, panics the user the first time they see it and causes
them to ignore it from the second time onward; neither of which is
desired behavior...

I've thought about several solutions to this including:

1) Make all the host keys the same (hundreds of hosts, kind of
diminishes the value of a host key...)
2) Configure ssh to ignore host key changes (harder than you might
think since often new ssh clients are brought in)
3) Give each application its own dedicated ssh and host key (tricky to
set up and monitor, fairly high effort)
4) Tweak OpenSSH so that it will accept any host key from a list
(requires some programming effort, might not be a good idea)
5) Other?

What do you all think of option 4?  In particular, I was thinking that
there might be a way to allow hosts on the same subnet to simply
prompt to add the additional key for the same DNS name rather than
popping up the man-in-the-middle warning.  If there were multiple keys
present in known_hosts for a given hostname, any of them would be
accepted.

Could this be done without weakening the host security of OpenSSH?
Should I instead just hold The Great Re-Keying and go with option 1?

I appreciate any advice.

Thanks,

  -- Steve Bonds
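
Added example, not from the original post: a Python replay of the known_hosts lookup an SSH client performs, showing that several keys listed under one name (here an application alias) are all accepted, that a same-type key not listed under that name yields the CHANGED outcome, and how HashKnownHosts-style entries are matched. Host names, key blobs and the salt are constructed placeholders; wildcard patterns and the @cert-authority/@revoked markers are out of scope.

```python
"""Replay the known_hosts lookup an SSH client performs for a presented host
key. Added example, not part of the original post; host names and key blobs
are constructed placeholders, and wildcard patterns and the @cert-authority /
@revoked markers are out of scope."""
import base64
import hashlib
import hmac

def hashed_name(hostname: str, salt: bytes) -> str:
    """HashKnownHosts form of a name: |1|base64(salt)|base64(HMAC-SHA1(salt, name))."""
    digest = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(digest).decode())

def name_matches(pattern: str, hostname: str) -> bool:
    """Match one comma-separated name field, plain or hashed, against hostname."""
    if pattern.startswith("|1|"):
        salt = base64.b64decode(pattern.split("|")[2])
        return hmac.compare_digest(hashed_name(hostname, salt), pattern)
    return pattern == hostname

def lookup(known_hosts: str, hostname: str, keytype: str, keyblob: str) -> str:
    """'OK' = connect silently, 'NEW' = prompt to add the key, 'CHANGED' = the
    REMOTE HOST IDENTIFICATION HAS CHANGED warning. Every entry naming the host
    is consulted, so one name may carry several valid keys; only entries of the
    same key type count as a conflict."""
    seen_same_type = False
    for line in known_hosts.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0].startswith(("#", "@")):
            continue  # blank lines, comments, marker lines
        names, etype, eblob = fields[:3]
        if etype != keytype or not any(name_matches(n, hostname) for n in names.split(",")):
            continue
        if hmac.compare_digest(eblob, keyblob):
            return "OK"
        seen_same_type = True
    return "CHANGED" if seen_same_type else "NEW"

# Constructed file: the application alias app-db.example / 10.0.0.50 carries the
# host key of every cluster member that may answer on that address, so a
# failover to node2 does not trigger the warning while an unlisted key still does.
KNOWN_HOSTS = "\n".join([
    "node1.example ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKEY1PLACEHOLDER",
    "node2.example ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKEY2PLACEHOLDER",
    "app-db.example,10.0.0.50 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKEY1PLACEHOLDER",
    "app-db.example,10.0.0.50 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKEY2PLACEHOLDER",
    hashed_name("node3.example", b"0123456789abcdefghij") + " ssh-ed25519 KEY3PLACEHOLDER",
])
```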
