Re: OpenSSH on 2 servers in cluster (fail over mode)



In article <MPG.20e5a4efad8694de9896a0@localhost> kill bill
<bill@xxxxxxxxxxxxx> writes:

> The problem I have is that, when I do a ssh from A to B, A stores the
> fingerprint of B in its own known_hosts file. When B fails, C becomes
> active, and the VIP goes from B to C. For A, it is the same IP and the
> same DNS name.
> But, on the next connection, A complains that the host keys have
> changed. This is quite normal.
> I've tried to copy all ssh_host_* files from B to C, in order to avoid
> the problem. But, even after restarting sshd on C, the fingerprint is
> different from the one of B....

This should work, you must have made some mistake - e.g. copied from or
to the wrong directory, forgot to restart sshd, or somesuch. Also be
sure to preserve ownership/mode of the key files, and verify that the
file names agree with sshd_config. As has been pointed out before here,
doing it this way has a somewhat negative effect on security - I think
the primary argument was that if any of the hosts in such a cluster gets
compromised, the attacker can impersonate all of them.

> My question is : is there a way to make this work without modifying the
> known_hosts file of A (because A does NOT know whether B or C is
> active) ?

You can do as above, or you can have multiple keys associated with a
given host name in known_hosts (i.e. you could have the VIP/name
associated with the keys for both B and C) - the latter would have to be
arranged manually though, and thinking about it, I'm not sure it
improves security all that much. It would be an improvement for the case
when you connect "directly" to one of the hosts for maintenance or
whatever I guess.

> Second question (only for my understanding) : how is the fingerprint
> defined ?

I don't know exactly off-hand, but generally it's enough to know that a
given key will always have the same fingerprint, and that it's
"extremely unlikely" (but obviously possible) for two different keys to
produce the same fingerprint.

--Per Hedeland
per@xxxxxxxxxxxx
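
An added example, not part of the original post: an OpenSSH fingerprint is a hash of the decoded public key blob (MD5 shown as colon-separated hex in older releases, SHA256 shown as unpadded base64 in current ones), and a known_hosts file may list several keys for the same name. The sketch below computes both forms and checks an offered key against a VIP entry that lists the keys of both B and C. The host name, address, key bytes and helper names are constructed for illustration.

```python
import base64
import hashlib
import struct


def make_blob(key_type: str, raw: bytes) -> bytes:
    """Build an SSH wire-format public key blob (constructed sample, not a real key)."""
    t = key_type.encode()
    return struct.pack(">I", len(t)) + t + struct.pack(">I", len(raw)) + raw


def fingerprints(b64_blob: str) -> tuple[str, str]:
    """Return (MD5 colon-hex, SHA256 base64) fingerprints of a public key blob."""
    blob = base64.b64decode(b64_blob)
    md5 = hashlib.md5(blob, usedforsecurity=False).hexdigest()
    md5_fp = ":".join(md5[i:i + 2] for i in range(0, 32, 2))
    sha = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    return md5_fp, "SHA256:" + sha


def keys_for(host: str, known_hosts_text: str) -> list[tuple[str, str]]:
    """Collect every (key type, blob) listed for host; exact names only,
    skipping comments, @markers and hashed (|1|...) entries."""
    keys = []
    for line in known_hosts_text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0][0] in "#@|":
            continue
        if host in fields[0].split(","):
            keys.append((fields[1], fields[2]))
    return keys


def host_key_accepted(host: str, key_type: str, b64_blob: str, known_hosts_text: str) -> bool:
    """An offered key is accepted if it matches any entry for the host."""
    return (key_type, b64_blob) in keys_for(host, known_hosts_text)


# Constructed keys for nodes B and C, plus an unknown key X.
KEY_B = base64.b64encode(make_blob("ssh-ed25519", b"B" * 32)).decode()
KEY_C = base64.b64encode(make_blob("ssh-ed25519", b"C" * 32)).decode()
KEY_X = base64.b64encode(make_blob("ssh-ed25519", b"X" * 32)).decode()

# Constructed known_hosts on A: the VIP name/address is tied to both node keys.
KNOWN_HOSTS = f"""# constructed sample
vip.example.com,192.0.2.10 ssh-ed25519 {KEY_B} node-B
vip.example.com,192.0.2.10 ssh-ed25519 {KEY_C} node-C
"""

if __name__ == "__main__":
    for name, key in (("B", KEY_B), ("C", KEY_C), ("X", KEY_X)):
        ok = host_key_accepted("vip.example.com", "ssh-ed25519", key, KNOWN_HOSTS)
        print(name, fingerprints(key)[1], "accepted" if ok else "REJECTED")
```

With both entries present, a failover from B to C does not trigger the changed-host-key warning on A, while a key belonging to neither node is still rejected.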