Re: Clusters, known_hosts, host keys, and "REMOTE HOST IDENTIFICATION HAS CHANGED"

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Thu, 2009-09-17 at 16:53 -0700, Steve Bonds wrote:
> SSH List-dwellers:
> 
> I'm using OpenSSH in an environment with lots of clusters.  These
> clusters have IP addresses which are associated with a particular
> application rather than with a particular host.  Oftentimes
> (especially for file transfers) it's helpful to ssh/scp to the IP
> address associated with the application rather than the one associated
> with the host.  However, given that each host has its own host key, we
> frequently get:
> 
> WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!
> 
> Which of course panics the user the first time they see it, and causes
> them to ignore it the second time onward-- neither of which are
> desired behaviors...
> 
> I've thought about several solutions to this including:
> 
> 1) Make all the host keys the same (hundreds of hosts, kind of
> diminishes the value of a host key...)
> 2) Configure ssh to ignore host key changes (harder than you might
> think since often new ssh clients are brought in)
> 3) Give each application its own dedicated ssh and host key (tricky to
> set up and monitor, fairly high effort)
> 4) Tweak OpenSSH so that it will accept any host key from a list
> (requires some programming effort, might not be a good idea)
> 5) Other?
> 
> What do you all think of option 4?  In particular, I was thinking that
> there might be a way to allow hosts on the same subnet to simply
> prompt to add the additional key for the same DNS name rather than
> popping up the man-in-the-middle warning.  If there were multiple keys
> present in known_hosts for a given hostname, any of them would be
> accepted.
> 
> Could this be done without weakening the host security of OpenSSH?
> Should I instead just hold The Great Re-Keying and go with option 1?
> 
> I appreciate any advice.
> 
> Thanks,
> 
>   -- Steve Bonds

Maybe the issue doesn't really involve modifying OpenSSH at all.  If you
have access to the hosts, wouldn't it be possible to
pre-generate .known_hosts with all the host keys in your cluster?  Then
each client would have every key in it's .known_hosts, so it wouldn't
matter which host the client was connecting to.

Then if one of the keys change, you can generate a new .known_hosts.
Users are still alerted if a key changes on it's own.

Whatever your final solution, please remember to share with the
class. :]

~k


[Index of Archives]     [Open SSH Unix Development]     [Fedora Users]     [Fedora Desktop]     [Yosemite Backpacking]     [KDE Users]     [Gnome Users]

  Powered by Linux