Re: Question on SSH configuration in a cluster environment.
From: Snoopy_ (snoopy__at_excite.com)
Date: 01/20/04
- Next message: David Magda: "Re: what are the Best Security Conferences to attend"
- Previous message: Security Alert: "SSRT3556 /usr/lbin/rwrite"
- In reply to: Richard E. Silverman: "Re: Question on SSH configuration in a cluster environment."
- Next in thread: Richard E. Silverman: "Re: Question on SSH configuration in a cluster environment."
- Reply: Richard E. Silverman: "Re: Question on SSH configuration in a cluster environment."
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: 20 Jan 2004 13:01:41 -0800
Thanks for the replies, I think the idea of having separate keys and
then using two entries works best, however, how will outgoing
connections from the servers be affected?
For example: Server A and B have separate host keys, which allow you
to connect to each server regardless of who is the primary node. What
happens on remote hosts when I try to connect from one of the nodes?
I assume I just need to make sure the known_host files in the
user's/application's .ssh directory are identical? Also, can I place
these keys in a shared disk resource that follows the primary node, or
does the authentication in the .ssh/known_host depend on the host key
for decryption? In other words, I need two sets of .ssh/known_host for
each user as well.
Richard E. Silverman <res@qoxp.net> wrote in message news:<m2isja1jp3.fsf@darwin.oankali.net>...
> >>>>> "KL" == Kyler Laird <Kyler@news.Lairds.org> writes:
>
> >> b. Copy the /usr/local/etc/ssh* and /usr/local/ssh files from the
> >> current node, onto the secondary node.
>
> KL> Sounds like a winner. If everything is configured identically so
> KL> that a failover can occur easily, why not have ssh look the same
> KL> too?
>
> Because now it is impossible for SSH to tell the difference between these
> hosts in *any* situation, not just when users are connecting to the
> clustered service. In other words, when someone does "ssh cluster," they
> simply want to be assured that they are logging into one of the cluster
> machines -- which the solution given here allows:
>
> http://groups.google.com/groups?&threadm=m1l1ylwuijr.fsf%40sys1.des.jhy.us.ml.com
>
> However, if a sysadmin does "ssh cluster-member-1", he wants to be assured
> he's actually logging into that box. Giving them all the same key defeats
> that ability; if one box is compromised, they can all be spoofed.
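
Added example, not part of the original thread: a client-side audit of the layout discussed above, where each node keeps its own host key and the cluster alias is listed next to every member. It assumes the "two entries" are plain known_hosts lines (no hashed names or wildcard patterns); the name cluster-member-2, the function names and the key blobs are constructed for illustration.

```python
# Added example (not from the thread). Host names and key blobs are constructed.
SAMPLE_KNOWN_HOSTS = """\
# constructed sample: the alias "cluster" lists both members' keys
cluster,cluster-member-1 ssh-rsa AAAAB3NzaC1yc2EAAAAkeyA=
cluster,cluster-member-2 ssh-rsa AAAAB3NzaC1yc2EAAAAkeyB=
"""

def parse_known_hosts(text):
    """Map each plain host name to the set of (keytype, key) pairs listed for it."""
    keys = {}
    for line in text.splitlines():
        line = line.strip()
        # Skip blanks, comments, @cert-authority/@revoked markers, hashed names.
        if not line or line[0] in "#@|":
            continue
        fields = line.split()
        if len(fields) < 3:
            continue
        for name in fields[0].split(","):
            keys.setdefault(name, set()).add((fields[1], fields[2]))
    return keys

def audit_cluster(text, alias, members):
    """Return a list of problems with the alias/member host key layout."""
    keys = parse_known_hosts(text)
    problems = []
    owner = {}  # key -> first member seen presenting it
    for m in members:
        if not keys.get(m):
            problems.append(f"{m}: no host key listed")
        for k in sorted(keys.get(m, ())):
            if k in owner:
                # The shared-key setup: members cannot be told apart.
                problems.append(f"{m} shares a host key with {owner[k]}")
            else:
                owner[k] = m
    alias_keys = keys.get(alias, set())
    for m in members:
        if keys.get(m) and not keys[m] <= alias_keys:
            problems.append(f"{alias}: missing key of {m}")
    for k in sorted(alias_keys - set(owner)):
        problems.append(f"{alias}: key not owned by any member ({k[0]})")
    return problems

if __name__ == "__main__":
    for p in audit_cluster(SAMPLE_KNOWN_HOSTS, "cluster",
                           ["cluster-member-1", "cluster-member-2"]):
        print(p)
```

An empty result means the alias verifies against either node after a failover while each member name still maps to exactly one key.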