How do I do this? - SSH



Thread: How do I do this?

  1. How do I do this?

    We have a situation where we need more than one ssh key for a given
    host name.

    Example:

    a perl script running as rover@dog wants to ssh to fido@airdale
    without supplying a password. The problem is that airdale is mapped via
    DNS to either rottweiler or boxer. If we set the keys up for
    rottweiler, when we fail over to boxer we get the infamous:


    @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
    @    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
    @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
    IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
    Someone could be eavesdropping on you right now (man-in-the-middle
    attack)!

    What to do?


  2. Re: How do I do this?

    >
    > We have a situation where we need more than one ssh key for a given
    > host name.
    >
    > Example:
    >
    > a perl script running as rover@dog wants to ssh to fido@airdale
    > without supplying a password. The problem is that airdale is mapped via
    > DNS to either rottweiler or boxer. If we set the keys up for
    > rottweiler, when we fail over to boxer we get the infamous:
    >
    >
    > @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
    > @    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
    > @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
    > IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!


    -- [/etc/ssh/ssh_known_hosts] ----------------------------------------
    boxer,airdale ssh-rsa AABIwAAAIEA2gar1RaD+wKkPCbPodJp0d ... (boxer's key)
    rottweiler,airdale ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEAmf0WZ ... (rottweiler's key)
    ----------------------------------------------------------------------

    The known-hosts files define a *set* of keys acceptable for authenticating
    a host; most people just think that set has to be a singleton.

    --
    Richard Silverman
    res@qoxp.net


  3. Re: How do I do this?

    alex.wolfson@omgeo.communist:
    >a perl script running as rover@dog wants to ssh to fido@airdale
    >without supplying a password. The problem is that airdale is mapped via
    >DNS to either rottweiler or boxer. If we set the keys up for
    >rottweiler, when we fail over to boxer we get the infamous:
    >[host id has changed]


    Accepting host keys and storing known host keys is client-side
    functionality in your ssh client. What software are you using? The OpenSSH
    ssh client, a Perl module, ...?

    --
    René Pijlman

    What do you want to learn? http://www.leren.nl

  4. Re: How do I do this?

    Richard E. Silverman wrote:
    >> We have a situation where we need more than one ssh key for a given
    >> host name.
    >>
    >> Example:
    >>
    >> a perl script running as rover@dog wants to ssh to fido@airdale
    >> without supplying a password. The problem is that airdale is mapped via
    >> DNS to either rottweiler or boxer. If we set the keys up for
    >> rottweiler, when we fail over to boxer we get the infamous:
    >>
    >>
    >> @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
    >> @    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
    >> @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
    >> IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!

    >
    > -- [/etc/ssh/ssh_known_hosts] ----------------------------------------
    > boxer,airdale ssh-rsa AABIwAAAIEA2gar1RaD+wKkPCbPodJp0d ... (boxer's key)
    > rottweiler,airdale ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEAmf0WZ ... (rottweiler's key)
    > ----------------------------------------------------------------------
    >
    > The known-hosts files define a *set* of keys acceptable for authenticating
    > a host; most people just think that set has to be a singleton.
    >


    You can also copy one host key to both servers, so both send the same
    key for the virtual name. Maybe this is not the safest method, but
    thanks for the hint about sets with multiple names!

    Wolfgang

  5. Re: How do I do this?

    >>>>> "WT" == wolfgang writes:

    WT> Richard E. Silverman wrote:
    >>> We have a situation where we need more than one ssh key for a
    >>> given host name.
    >>>
    >>> Example:
    >>>
    >>> a perl script running as rover@dog wants to ssh to fido@airdale
    >>> without supplying a password. The problem is that airdale is
    >>> mapped via DNS to either rottweiler or boxer. If we set the keys
    >>> up for rottweiler, when we fail over to boxer we get the infamous:
    >>>
    >>>
    >>> @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
    >>> @    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
    >>> @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
    >>> IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!

    >> -- [/etc/ssh/ssh_known_hosts] ----------------------------------------
    >> boxer,airdale ssh-rsa AABIwAAAIEA2gar1RaD+wKkPCbPodJp0d ... (boxer's key)
    >> rottweiler,airdale ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEAmf0WZ ... (rottweiler's key)
    >> ----------------------------------------------------------------------
    >> The known-hosts files define a *set* of keys acceptable for
    >> authenticating a host; most people just think that set has to be a
    >> singleton.
    >>


    WT> You can also copy one host key to both servers, so both send the
    WT> same key for the virtual name. Maybe this is not the safest
    WT> method

    Yes, but then you don't have the option of authenticating the servers
    individually; the only thing OpenSSH can tell you is that you've logged
    into one of them. Of course, if you can't distribute known-hosts or the
    equivalent to the clients, you may not have any choice.

    --
    Richard Silverman
    res@qoxp.net
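
An added example, not code from the thread, from OpenSSH or from any of the
posters, illustrating both of Richard's points above: that a known_hosts file
is a set of (host pattern, key) entries, so the alias "airdale" can carry one
line per physical host, and that sharing a single host key across boxer and
rottweiler leaves the client unable to say which one it reached. The host
names are the thread's; the key blobs, the sample file, the hashed-entry salt
and the function names are constructed for the example, and check_host_key
only approximates the outcomes ssh distinguishes (it is not OpenSSH's logic).

```python
"""Added example (not from the thread): a small parser for OpenSSH known_hosts
semantics, showing that the file holds a *set* of (host pattern, key) entries.
The key blobs and the sample file are constructed stand-ins, not real keys."""
import base64
import fnmatch
import hashlib
import hmac
from dataclasses import dataclass

# Constructed stand-in key blobs (real ones are long base64 strings).
BOXER_KEY = "AAAAB3NzaC1yc2E...boxer"
ROTTWEILER_KEY = "AAAAB3NzaC1yc2E...rottweiler"
KENNEL_KEY = "AAAAC3NzaC1lZDI1NTE5...kennel"
HASHED_KEY = "AAAAC3NzaC1lZDI1NTE5...hashed"
SHARED_KEY = "AAAAB3NzaC1yc2E...shared"


def hashed_pattern(hostname, salt):
    """Build a '|1|salt|hash' pattern the way `ssh-keygen -H` does: HMAC-SHA1(salt, host)."""
    digest = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(digest).decode())


# Constructed sample file: the failover alias 'airdale' appears on two lines,
# one per physical host, so either host's key is acceptable for that name.
KNOWN_HOSTS = "\n".join([
    "# airdale fails over between boxer and rottweiler",
    "boxer,airdale ssh-rsa " + BOXER_KEY,
    "rottweiler,airdale ssh-rsa " + ROTTWEILER_KEY,
    "*.kennel.example,!badhost.kennel.example ssh-ed25519 " + KENNEL_KEY,
    hashed_pattern("rover.example", bytes(range(20))) + " ssh-ed25519 " + HASHED_KEY,
])

# Constructed variant of Wolfgang's approach: one key copied to both servers.
SHARED_KNOWN_HOSTS = "\n".join([
    "boxer,airdale ssh-rsa " + SHARED_KEY,
    "rottweiler,airdale ssh-rsa " + SHARED_KEY,
])


@dataclass(frozen=True)
class Entry:
    patterns: tuple   # comma-separated host patterns from the first field
    keytype: str
    key: str


def parse_known_hosts(text):
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if fields[0].startswith("@"):      # skip @cert-authority / @revoked markers
            fields = fields[1:]
        if len(fields) < 3:
            continue                        # malformed line: ignore it
        entries.append(Entry(tuple(fields[0].split(",")), fields[1], fields[2]))
    return entries


def pattern_matches(pattern, hostname):
    """One host pattern: hashed ('|1|salt|hash') or a glob with * and ? wildcards."""
    if pattern.startswith("|1|"):
        _, _, salt_b64, _digest = pattern.split("|")
        expected = hashed_pattern(hostname, base64.b64decode(salt_b64))
        return hmac.compare_digest(expected, pattern)
    # fnmatch also honours [...] classes, which ssh does not; good enough here.
    return fnmatch.fnmatchcase(hostname.lower(), pattern.lower())


def entry_matches(entry, hostname):
    """A negated pattern ('!host') on a line vetoes a match by any other pattern on it."""
    if any(p.startswith("!") and pattern_matches(p[1:], hostname) for p in entry.patterns):
        return False
    return any(not p.startswith("!") and pattern_matches(p, hostname) for p in entry.patterns)


def acceptable_keys(entries, hostname):
    """The set of keys the client will accept from `hostname`; it may hold several."""
    return {(e.keytype, e.key) for e in entries if entry_matches(e, hostname)}


def check_host_key(entries, hostname, keytype, key):
    """Approximates the three outcomes ssh distinguishes when a server presents a key."""
    keys = acceptable_keys(entries, hostname)
    if (keytype, key) in keys:
        return "ok"
    if any(t == keytype for t, _ in keys):
        return "changed"    # the REMOTE HOST IDENTIFICATION HAS CHANGED case
    return "unknown"        # new host: prompt, or refuse under StrictHostKeyChecking=yes


def hosts_for_key(entries, keytype, key):
    """Names a presented key is registered under. With distinct keys the client can
    tell boxer from rottweiler apart; with one shared key it only knows 'one of them'."""
    return sorted({p for e in entries if (e.keytype, e.key) == (keytype, key)
                   for p in e.patterns if not p.startswith("!")})


ENTRIES = parse_known_hosts(KNOWN_HOSTS)
SHARED_ENTRIES = parse_known_hosts(SHARED_KNOWN_HOSTS)
```

On a real client, `ssh-keygen -F airdale -f /etc/ssh/ssh_known_hosts` lists
every line that matches the alias, which is a quick way to confirm both keys
are present, and `ssh-keygen -H` converts the file to hashed entries of the
kind the parser above accepts. One caveat for the failover case: by default
the OpenSSH client also records and checks the server's IP address
(CheckHostIP in ssh_config(5)), so if the alias floats a single IP between the
two servers rather than resolving to two distinct addresses, add that IP to the
host list of both lines as well, or set CheckHostIP no for that Host.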

