Question on SSH configuration in a cluster environment.

From: Snoopy_ (snoopy__at_excite.com)
Date: 01/16/04


Date: 16 Jan 2004 06:45:54 -0800

Issue: When a failover happens in a cluster, users can no longer
connect via ssh because of the changed host key. I believe users are
connecting to the logical/virtual cluster hostname, yet the
known_hosts file is picking up the public key from the physical host.
If the user removes that host from its known_hosts file, then
reconnection is successful.

In investigating the ssh configuration issue for the cluster I have
found the following.

1. The issue is that when a failover happens from primary to secondary
node/server, there are ssh connection issues because the host_keys are
different on each server; probably because they were installed
separately and generated separately. If this is the case, I believe
the "known_hosts" file on the two nodes of the cluster has nothing to
do with the issue. It seems that the "known_hosts" file is used by the
client, and they exist in any user's .ssh directory when a connection
is established to a foreign host.
2. There are three ways to resolve the issue:
    a. Place the /usr/local/etc/ssh* and /usr/local/ssh files on a
shared file system (resource), that is exported and imported when
failovers of the cluster occur.
    b. Copy the /usr/local/etc/ssh* and /usr/local/ssh files from the
current node, onto the secondary node. This may cause problems in
the future if changes are made (host key regenerated), someone would
need to remember to copy the changes across the nodes.
    c. Find some way to edit the ssh-config file so that it can be
resolved through configuration.

Any ideas are welcomed. Thanks.

Snoopy_

P.S. Below are some old news posts that I found that speak about the
same issue.

http://groups.google.com/groups?hl=en&lr=&ie=UTF-8&oe=UTF-8&threadm=ggs92a.e43.ln%40charon.heiming.de&rnum=2&prev=/groups%3Fq%3Dssh%2Bcluster%26hl%3Den%26lr%3D%26ie%3DUTF-8%26oe%3DUTF-8%26selm%3Dggs92a.e43.ln%2540charon.heiming.de%26rnum%3D2

http://groups.google.com/groups?hl=en&lr=&ie=UTF-8&threadm=m1l1ylwuijr.fsf%40sys1.des.jhy.us.ml.com&rnum=1&prev=/groups%3Fq%3Dssh%2Bcluster%2Bhost-key%26hl%3Den%26selm%3Dm1l1ylwuijr.fsf%2540sys1.des.jhy.us.ml.com%26rnum%3D1

http://groups.google.com/groups?hl=en&lr=&ie=UTF-8&oe=UTF-8&threadm=8qii5.4707%24T2.62950%40news.tli.de&rnum=7&prev=/groups%3Fq%3Dssh%2Bcluster%26hl%3Den%26lr%3D%26ie%3DUTF-8%26oe%3DUTF-8%26selm%3D8qii5.4707%2524T2.62950%2540news.tli.de%26rnum%3D7
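Option 2b in the post depends on the copied host keys staying identical on both nodes. The following is an added example, not part of the original post: it computes the SHA256 fingerprint of each node's host public key line and reports the key types on which the nodes disagree. The node names and key bytes are constructed sample data; in practice the lines would be read from each node's host key `.pub` files.

```python
import base64
import hashlib
import struct


def make_pub_line(key_type, key_bytes, comment):
    """Build a public key line from constructed bytes (sample data only)."""
    t = key_type.encode()
    blob = struct.pack(">I", len(t)) + t + struct.pack(">I", len(key_bytes)) + key_bytes
    return f"{key_type} {base64.b64encode(blob).decode()} {comment}"


def fingerprint(pub_line):
    """Return (key_type, 'SHA256:...') for one host public key line."""
    key_type, b64 = pub_line.split()[:2]
    blob = base64.b64decode(b64, validate=True)
    (n,) = struct.unpack(">I", blob[:4])
    # The blob starts with its own length-prefixed type name; it must match.
    if blob[4:4 + n].decode() != key_type:
        raise ValueError("key type inside blob does not match line prefix")
    digest = hashlib.sha256(blob).digest()
    return key_type, "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def host_key_drift(nodes):
    """nodes: {node: [pub_line, ...]} -> {key_type: {node: fp or None}} where nodes differ."""
    table = {}
    for node, lines in nodes.items():
        for line in lines:
            ktype, fp = fingerprint(line)
            table.setdefault(ktype, {})[node] = fp
    drift = {}
    for ktype, per_node in table.items():
        full = {node: per_node.get(node) for node in nodes}  # None = key type missing
        if len(set(full.values())) > 1:
            drift[ktype] = full
    return drift


# Constructed sample: keys generated separately on each node vs. one key copied to both.
SEPARATE = {
    "node1": [make_pub_line("ssh-ed25519", b"\x01" * 32, "root@node1")],
    "node2": [make_pub_line("ssh-ed25519", b"\x02" * 32, "root@node2")],
}
SYNCED = {name: [make_pub_line("ssh-ed25519", b"\x01" * 32, "root@cluster")]
          for name in ("node1", "node2")}

if __name__ == "__main__":
    print("separate keys:", host_key_drift(SEPARATE))
    print("synced keys:  ", host_key_drift(SYNCED))
```

An empty result means every node presents the same key for each type, so a client's stored entry for the cluster name keeps matching after a failover.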


