Re: Clusters, known_hosts, host keys, and "REMOTE HOST IDENTIFICATION HAS CHANGED"

On Fri, Sep 18, 2009 at 10:08 AM, H. Kurth Bemis

Maybe the issue doesn't really involve modifying OpenSSH at all. If you
have access to the hosts, wouldn't it be possible to
pre-generate .known_hosts with all the host keys in your cluster? Then
each client would have every key in its .known_hosts, so it wouldn't
matter which host the client was connecting to.

Then if one of the keys changes, you can generate a new .known_hosts.
Users are still alerted if a key changes on its own.

I don't have access to all the clients-- but that's not necessarily a
show-stopper. My understanding of how ssh works (and this would be a
great chance to be educated to the contrary) is that it only allows
one host key per hostname or IP and if the first key it finds in the
known_hosts doesn't match, you get the MitM warning. If this is NOT
how it's supposed to work, I'll try my tests again-- maybe I mangled
the extra keys I put into known_hosts for testing...

Whatever your final solution, please remember to share with the
class. :]

Absolutely! I've been known to have the same problem twice, and it's
helpful to be able to go back and search for my solution from the last
time. To say nothing of helping out all the other people who end up
with the same problem. :-)

-- Steve
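
An added example, not part of the original thread: a sketch of the pre-generated known_hosts idea, with one line per node so every node's key is listed under the shared cluster name. It relies on the known_hosts format documented in sshd(8), which permits several lines with different keys for the same name; the host names, alias and key blobs are constructed placeholders, and `check_host_key` is a simplified model of the client lookup (no hashed names, wildcards or `@` markers), not OpenSSH code.

```python
# Added example: build one known_hosts file for a cluster behind a shared name.
# All names and key blobs below are constructed placeholders, not real keys.

CLUSTER_ALIAS = "cluster.example.org"  # assumed shared name the clients connect to

# Constructed sample: what each node's /etc/ssh/ssh_host_rsa_key.pub might contain.
NODE_PUBKEYS = {
    "node1.example.org": "ssh-rsa AAAAB3NzaC1yc2EAAAAconstructedNODE1 root@node1",
    "node2.example.org": "ssh-rsa AAAAB3NzaC1yc2EAAAAconstructedNODE2 root@node2",
}


def build_known_hosts(node_pubkeys, alias):
    """Return known_hosts text listing every node key under alias and node name."""
    lines = []
    for node in sorted(node_pubkeys):
        keytype, blob = node_pubkeys[node].split()[:2]  # drop the comment field
        lines.append(f"{alias},{node} {keytype} {blob}")
    return "\n".join(lines) + "\n"


def check_host_key(known_hosts_text, host, keytype, blob):
    """Simplified lookup model: 'ok' if any line for host carries this key,
    'changed' if host has only different keys of this type, 'new' otherwise."""
    other_key_of_same_type = False
    for line in known_hosts_text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0].startswith("#"):
            continue
        names, line_type, line_blob = fields[:3]
        if host not in names.split(","):
            continue
        if line_type == keytype:
            if line_blob == blob:
                return "ok"
            other_key_of_same_type = True
    return "changed" if other_key_of_same_type else "new"


if __name__ == "__main__":
    text = build_known_hosts(NODE_PUBKEYS, CLUSTER_ALIAS)
    print(text, end="")
    # Whichever node answers for the alias, its key is found on some line.
    for node, pub in NODE_PUBKEYS.items():
        ktype, kblob = pub.split()[:2]
        print(node, "->", check_host_key(text, CLUSTER_ALIAS, ktype, kblob))
    # A key that is on no line still produces the changed-key result.
    print(check_host_key(text, CLUSTER_ALIAS, "ssh-rsa", "AAAAconstructedROGUE"))
```

When a node is rekeyed, the file is regenerated from the new public key files and redistributed; a key that appears on no line for the name still triggers the warning.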
