host authentication in a cluster - SSH



Thread: host authentication in a cluster

  1. host authentication in a cluster

    Hi,

    We are having some discussions around solving client connections to
    various cluster VIPs or Logical Hosts. The cluster nodes have sshd
    running on them with the host keys generated from basically the fqdn of
    the individual servers. However, clients connect to the cluster via a
    floating IP for the entire complex and can connect to any node depending
    on the circumstances. If a failover occurs, then when the connection is
    re-initiated the host key changes and you get the alert of the MITM
    attack, which breaks these unattended sessions.

    One solution is to populate the known_hosts file on each client with all
    the keys from each individual box + generate a key for the virtual address.

    I'm sure this problem has been run into many, many times, but in reading
    the ssh docs and googling I haven't seen a solution to this problem that
    doesn't involve a shared known hosts file for every client! We have
    10,000+ clients so this is unmanageable!

    Ideas anyone? Oh, commercial products aren't acceptable either! We are
    running both VCS and Sun Cluster and have mostly Solaris 10 sparc servers
    that we are concerned with at this time.

  2. Re: host authentication in a cluster


    Why not simply use the same hostkey on all cluster nodes?

    --
    Richard Silverman
    res@qoxp.net


  3. Re: host authentication in a cluster

    On Wed, 20 Dec 2006 01:10:46 -0500, Richard E. Silverman wrote:

    >
    > Why not simply use the same hostkey on all cluster nodes?


    Yes, that's what we proposed. Customer says that didn't work, but I can't
    imagine why. I'll have the cluster to test with on Friday. Will post
    results after Christmas.

    Dante

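As an added example that is not part of the thread: a small Python helper that builds the kind of known_hosts entry the first post describes (one line naming the VIP, every node and its address, all bound to the single shared host key Richard suggests) and audits a client's known_hosts for the condition that produces the host-key-changed warning after a failover, namely one of the cluster names missing or bound to a different key. The host names, address and key blobs are constructed placeholders, not values from the thread.

```python
import base64
import hashlib
from collections import defaultdict

# Constructed placeholders standing in for real public-key blobs (a real
# ssh-rsa blob is far longer; the code treats them identically).
SHARED_KEY_BLOB = base64.b64encode(b"constructed shared cluster host key").decode()
NODE2_KEY_BLOB = base64.b64encode(b"constructed key node2 kept for itself").decode()

# Constructed cluster: one VIP, two nodes, one address.
CLUSTER_NAMES = ["cluster-vip.example.com", "node1.example.com",
                 "node2.example.com", "192.0.2.10"]


def fingerprint(key_blob):
    """SHA256 fingerprint in OpenSSH's display form: base64 of the digest, no padding."""
    digest = hashlib.sha256(base64.b64decode(key_blob)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def known_hosts_entry(names, key_type, key_blob):
    """One known_hosts line: comma-separated names (VIP, nodes, IPs), key type, key.

    With every name on one line and the cluster's shared host key, a client that
    reaches the VIP and lands on any node sees a key it already trusts."""
    return "{} {} {}".format(",".join(names), key_type, key_blob)


def parse_known_hosts(text):
    """Yield (name, key_type, key_blob) for each unhashed entry.

    Comments, blank lines and hashed (|1|...) entries are skipped; the
    @cert-authority / @revoked marker, when present, is dropped."""
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        if fields[0].startswith("@"):
            fields = fields[1:]
        if len(fields) < 3 or fields[0].startswith("|1|"):
            continue
        for name in fields[0].split(","):
            yield name, fields[1], fields[2]


def audit_cluster_keys(text, cluster_names):
    """Check that every cluster name is known and that, per key type, all of
    them carry the same key. A name absent or bound to a different key is
    exactly what yields the host-key-changed warning after a failover."""
    wanted = set(cluster_names)
    by_type = defaultdict(lambda: defaultdict(set))   # key_type -> fingerprint -> names
    seen = set()
    for name, key_type, key_blob in parse_known_hosts(text):
        if name in wanted:
            seen.add(name)
            by_type[key_type][fingerprint(key_blob)].add(name)
    missing = sorted(wanted - seen)
    conflicts = {kt: {fp: sorted(names) for fp, names in fps.items()}
                 for kt, fps in by_type.items() if len(fps) > 1}
    return {"missing": missing, "conflicts": conflicts,
            "consistent": not missing and not conflicts}


# Constructed known_hosts contents for a client, in both states.
GOOD_KNOWN_HOSTS = known_hosts_entry(CLUSTER_NAMES, "ssh-rsa", SHARED_KEY_BLOB) + "\n"
BAD_KNOWN_HOSTS = "\n".join([
    "# node2 was never re-keyed, so a failover onto it changes the key the VIP presents",
    known_hosts_entry(CLUSTER_NAMES[:2] + [CLUSTER_NAMES[3]], "ssh-rsa", SHARED_KEY_BLOB),
    known_hosts_entry(["node2.example.com"], "ssh-rsa", NODE2_KEY_BLOB),
]) + "\n"

if __name__ == "__main__":
    print(GOOD_KNOWN_HOSTS)
    print(audit_cluster_keys(GOOD_KNOWN_HOSTS, CLUSTER_NAMES))
    print(audit_cluster_keys(BAD_KNOWN_HOSTS, CLUSTER_NAMES))
```

Running the audit against a client's real `~/.ssh/known_hosts` (read the file and pass its text with the cluster's VIP and node names) is a quick way to confirm that the shared-key deployment actually reached every node before blaming the approach itself; hashed known_hosts entries are skipped because their names cannot be inspected.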
