Re: Problem with using same dsa hostkeys on 2 different machines, one of which is backup
From: Darren Tucker (dtucker_at_dodgy.net.au)
Date: 03/26/04
- Next message: Jack Patteeuw: "Re: Using PuTTY/Plink port forwarding to run ftp client on Windows"
- Previous message: Neil W Rickert: "Re: Host Key uniqueness"
- In reply to: Kapil: "Problem with using same dsa hostkeys on 2 different machines, one of which is backup"
- Next in thread: Kapil: "Re: Problem with using same dsa hostkeys on 2 different machines, one of which is backup"
- Reply: Kapil: "Re: Problem with using same dsa hostkeys on 2 different machines, one of which is backup"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Fri, 26 Mar 2004 05:50:47 +0000 (UTC)
In article <a9de1686.0403252047.69c4887@posting.google.com>,
Kapil <kapiltj@yahoo.com> wrote:
>I generate the host dsa key pair on one computer. Then I copy the
>public and private keys to another computer which is to serve as a
>backup to this one. So it will have the same ip address and domain
>name if the active one goes down.
>When I connect to the active from a client computer, it gives no error
>since the host keys are known.
>
>Now after rebooting the active, the backup takes over. Now when trying
>to ssh to it I get the unknown host key error. When removing the known
>host key and trying again the client box gets the new public key which
>is very different than what is stored on the backup computer (which is
>essentially the same as the one on active). Could some one please let
>me know why this is happening?
>How is the client getting a different key? Can it even know it is a
>different hardware that it is talking to?
When sshd is installed on each system, a set of "host keys" is generated, and
the host keys are different between your main system and your backup system.
When you connect to the backup server, your SSH client notices that the keys
have changed and gives that error.
The easiest way to resolve it is to copy the host keys from your primary
system to the backup (for OpenSSH these are /usr/local/etc/ssh*key*).
>P.S. Please try and cc me.
If you ask here then read it here.
--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
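Added example, not part of the original post: a check that the host public keys on the primary and the backup really are identical before a failover, by comparing fingerprints per key type. It goes beyond the DSA case in the thread by handling any key type and uses the SHA256 fingerprint form that current OpenSSH prints; the function names and the sample key lines are assumptions constructed for illustration.

```python
import base64
import hashlib
import struct

def fingerprint(pub_line):
    """Return (key_type, 'SHA256:<base64>') for one line of a host key .pub file."""
    key_type, b64, *_comment = pub_line.split()
    blob = base64.b64decode(b64, validate=True)
    # The blob begins with a length-prefixed copy of the key type; reject
    # lines where the two disagree (truncated or hand-edited files).
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n] != key_type.encode():
        raise ValueError("key type does not match key blob")
    digest = hashlib.sha256(blob).digest()
    return key_type, "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def compare_host_keys(primary_lines, backup_lines):
    """Per key type: 'match', 'mismatch', 'missing on backup' or 'only on backup'."""
    primary = dict(fingerprint(l) for l in primary_lines)
    backup = dict(fingerprint(l) for l in backup_lines)
    status = {}
    for key_type in sorted(set(primary) | set(backup)):
        if key_type not in backup:
            status[key_type] = "missing on backup"
        elif key_type not in primary:
            status[key_type] = "only on backup"
        elif primary[key_type] == backup[key_type]:
            status[key_type] = "match"
        else:
            status[key_type] = "mismatch"
    return status

def constructed_pub(key_type, material, comment):
    """Build a sample .pub line from placeholder bytes (not a usable key)."""
    def wire(b):
        return struct.pack(">I", len(b)) + b
    blob = wire(key_type.encode()) + wire(material)
    return f"{key_type} {base64.b64encode(blob).decode()} {comment}"

# Constructed sample data: the ed25519 key was copied, the DSA key was not.
PRIMARY = [constructed_pub("ssh-ed25519", b"\x01" * 32, "root@primary"),
           constructed_pub("ssh-dss", b"\x02" * 40, "root@primary"),
           constructed_pub("ssh-rsa", b"\x04" * 64, "root@primary")]
BACKUP = [constructed_pub("ssh-ed25519", b"\x01" * 32, "root@backup"),
          constructed_pub("ssh-dss", b"\x03" * 40, "root@backup")]

if __name__ == "__main__":
    for key_type, state in compare_host_keys(PRIMARY, BACKUP).items():
        print(f"{key_type}: {state}")
```

In practice the two lists would be the lines of the .pub files among /usr/local/etc/ssh*key* on each machine. The comment field is not part of the fingerprint, so a copied key still matches when only the comment differs.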