Re: Clusters, known_hosts, host keys, and "REMOTE HOST IDENTIFICATION HAS CHANGED"

On Fri, Sep 18, 2009 at 10:08 AM, H. Kurth Bemis kurth-at-kurthbemis.com

> Maybe the issue doesn't really involve modifying OpenSSH at all.  If you
> have access to the hosts, wouldn't it be possible to
> pre-generate .known_hosts with all the host keys in your cluster?  Then
> each client would have every key in its .known_hosts, so it wouldn't
> matter which host the client was connecting to.
>
> Then if one of the keys changes, you can generate a new .known_hosts.
> Users are still alerted if a key changes on its own.

I don't have access to all the clients-- but that's not necessarily a
show-stopper.  My understanding of how ssh works (and this would be a
great chance to be educated to the contrary) is that it only allows
one host key per hostname or IP and if the first key it finds in the
known_hosts doesn't match, you get the MitM warning.  If this is NOT
how it's supposed to work, I'll try my tests again-- maybe I mangled
the extra keys I put into known_hosts for testing...

> Whatever your final solution, please remember to share with the
> class. :]

Absolutely!  I've been known to have the same problem twice, and it's
helpful to be able to go back and search for my solution from the last
time.  To say nothing of helping out all the other people who end up
with the same problem.  :-)

 -- Steve
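
The pre-generated known_hosts idea quoted above, as an added example that is not part of the original thread: it writes one line per node key under a shared cluster name and then checks an offered key against every line for that name, which relies on the known_hosts format documented in sshd(8) permitting several lines with different keys for the same name. The name `cluster.example.org`, the function names and the key blobs are constructed for illustration; hashed or wildcard host entries are not handled.

```shell
#!/bin/sh
# Build one known_hosts line per node key, all under the shared cluster name.
# Input: a directory of host public key files (same layout as the
# /etc/ssh/ssh_host_*_key.pub files), each "keytype base64 [comment]".
# Malformed lines and duplicate keys are skipped.
build_cluster_known_hosts() {
    alias_name=$1
    keydir=$2
    awk -v host="$alias_name" '
        NF >= 2 && $1 ~ /^(ssh-|ecdsa-|sk-)/ && !seen[$1 " " $2]++ {
            print host, $1, $2
        }' "$keydir"/*.pub
}

# Return 0 if ANY line naming the host carries the offered key.
# Plain (unhashed) comma-separated host names only.
key_is_known() {
    host=$1
    ktype=$2
    kblob=$3
    file=$4
    awk -v h="$host" -v t="$ktype" -v b="$kblob" '
        /^#/ { next }
        {
            n = split($1, names, ",")
            for (i = 1; i <= n; i++)
                if (names[i] == h && $2 == t && $3 == b) found = 1
        }
        END { exit found ? 0 : 1 }' "$file"
}

# Constructed demo: the blobs below are placeholders, not real host keys.
demo() {
    d=$(mktemp -d)
    echo "ssh-rsa AAAAconstructedNODE1 root@node1" > "$d/node1.pub"
    echo "ssh-rsa AAAAconstructedNODE2 root@node2" > "$d/node2.pub"
    echo "not a key line" > "$d/bad.pub"
    build_cluster_known_hosts cluster.example.org "$d" > "$d/known_hosts"
    cat "$d/known_hosts"
    # A key that is not in the file must still be reported as unknown.
    key_is_known cluster.example.org ssh-rsa AAAAconstructedNODE2 "$d/known_hosts" \
        && echo "node2 key: known"
    key_is_known cluster.example.org ssh-rsa AAAAconstructedOTHER "$d/known_hosts" \
        || echo "other key: unknown"
    rm -rf "$d"
}
```

Regenerating the file after a planned key rotation keeps the list current, while a key that is not on the list still fails the lookup.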
