On Thu, 2009-09-17 at 16:53 -0700, Steve Bonds wrote:
> SSH List-dwellers:
>
> I'm using OpenSSH in an environment with lots of clusters. These clusters have IP addresses which are associated with a particular application rather than with a particular host. Oftentimes (especially for file transfers) it's helpful to ssh/scp to the IP address associated with the application rather than the one associated with the host. However, given that each host has its own host key, we frequently get:
>
> WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!
>
> Which of course panics the user the first time they see it, and causes them to ignore it the second time onward-- neither of which are desired behaviors...
>
> I've thought about several solutions to this including:
>
> 1) Make all the host keys the same (hundreds of hosts, kind of diminishes the value of a host key...)
> 2) Configure ssh to ignore host key changes (harder than you might think since often new ssh clients are brought in)
> 3) Give each application its own dedicated ssh and host key (tricky to set up and monitor, fairly high effort)
> 4) Tweak OpenSSH so that it will accept any host key from a list (requires some programming effort, might not be a good idea)
> 5) Other?
>
> What do you all think of option 4? In particular, I was thinking that there might be a way to allow hosts on the same subnet to simply prompt to add the additional key for the same DNS name rather than popping up the man-in-the-middle warning. If there were multiple keys present in known_hosts for a given hostname, any of them would be accepted.
>
> Could this be done without weakening the host security of OpenSSH? Should I instead just hold The Great Re-Keying and go with option 1?
>
> I appreciate any advice.
>
> Thanks,
>
> -- Steve Bonds

Maybe the issue doesn't really involve modifying OpenSSH at all.
If you have access to the hosts, wouldn't it be possible to pre-generate .known_hosts with all the host keys in your cluster? Then each client would have every key in its .known_hosts, so it wouldn't matter which host the client was connecting to. Then if one of the keys changes, you can generate a new .known_hosts. Users are still alerted if a key changes on its own.

Whatever your final solution, please remember to share with the class. :]

~k
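The pre-generated known_hosts approach from this reply, worked through as an added Python example (not code from the thread, and not OpenSSH's own implementation). It assumes the cluster's keys were collected with ssh-keyscan, which prints one `host keytype base64key` line per key; the hostnames and key blobs below are constructed placeholders, and only plain (unhashed) known_hosts entries are handled. The lookup rule it models, accept any listed key for a name but flag a differing key of the same type as changed, is the behaviour the original question asks for; confirm it against the OpenSSH version actually deployed before relying on it.

```python
"""Build a cluster-wide known_hosts and model how a client lookup would use it.

Each application DNS name is listed as an alias on the key line of every
cluster member that can answer on that name, so a client connecting to the
application name accepts any member's key, while a key that matches none
of the listed ones is still reported as changed.
"""
from collections import namedtuple

Entry = namedtuple("Entry", "hosts keytype keyblob")

# Constructed sample: what `ssh-keyscan -t rsa node1 node2 node3` would print.
# The key blobs are made-up placeholders, not real public keys.
SCANNED = """\
node1.example.net ssh-rsa AAAAB3NzaC1yc2E_node1_PLACEHOLDER
node2.example.net ssh-rsa AAAAB3NzaC1yc2E_node2_PLACEHOLDER
node3.example.net ssh-rsa AAAAB3NzaC1yc2E_node3_PLACEHOLDER
"""

# Constructed mapping: application DNS name -> cluster members behind it.
APP_MEMBERS = {
    "payroll.example.net": ["node1.example.net", "node2.example.net"],
    "db.example.net": ["node2.example.net", "node3.example.net"],
}


def parse_known_hosts(text):
    """Parse plain (unhashed) known_hosts or ssh-keyscan lines into Entry tuples."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 3:
            raise ValueError("malformed known_hosts line: %r" % line)
        hosts, keytype, blob = fields[0], fields[1], fields[2]
        entries.append(Entry(frozenset(hosts.split(",")), keytype, blob))
    return entries


def build_cluster_known_hosts(scanned_text, app_members):
    """Return known_hosts text in which every application alias lists all member keys."""
    by_host = {}
    for e in parse_known_hosts(scanned_text):
        for h in e.hosts:
            by_host.setdefault(h, []).append((e.keytype, e.keyblob))
    lines = []
    for host in sorted(by_host):
        aliases = sorted(a for a, members in app_members.items() if host in members)
        names = ",".join([host] + aliases)  # comma-separated patterns on one line
        for keytype, blob in by_host[host]:
            lines.append("%s %s %s" % (names, keytype, blob))
    return "\n".join(lines) + "\n"


def check_host_key(entries, hostname, keytype, keyblob):
    """Classify a presented key: FOUND (any listed key matches), CHANGED
    (a key of the same type is listed but none match) or NEW (no key listed)."""
    result = "NEW"
    for e in entries:
        if hostname not in e.hosts or e.keytype != keytype:
            continue
        if e.keyblob == keyblob:
            return "FOUND"
        result = "CHANGED"
    return result


def rekeyed_hosts(old_scan, new_scan):
    """Hosts whose key set differs between two scans: review these before
    redistributing a regenerated known_hosts, since an unexpected change is
    exactly what the warning exists to catch."""
    def keysets(text):
        m = {}
        for e in parse_known_hosts(text):
            for h in e.hosts:
                m.setdefault(h, set()).add((e.keytype, e.keyblob))
        return m
    old, new = keysets(old_scan), keysets(new_scan)
    return sorted(h for h in set(old) | set(new) if old.get(h) != new.get(h))


if __name__ == "__main__":
    print(build_cluster_known_hosts(SCANNED, APP_MEMBERS), end="")
```

The generated file can be dropped into each client's ~/.ssh/known_hosts (or a system-wide file named via GlobalKnownHostsFile); rerunning the scan and comparing with rekeyed_hosts before redistribution keeps the "users are still alerted" property, because a key that was never added to the file is still reported as changed rather than silently accepted.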