PuTTY + cluster + server fingerprints - SSH


Thread: PuTTY + cluster + server fingerprints

  1. PuTTY + cluster + server fingerprints

    We are using PuTTY for automated SFTP transfers to a cluster consisting
    of two servers; the cluster is connected to via an alias hostname.
    PuTTY will cache the fingerprint for the server it is directed to and
    store it in the Windows Registry associated with that alias hostname.
    The administrators of the cluster switch alias redirect between the two
    servers once a month to ensure a stable failover environment. The
    problem for our automation is that it fails each month because PuTTY
    will not store both fingerprints against the same hostname, only one
    may be associated with the alias hostname, so each month we have to
    manually connect and re-accept a fingerprint before we are running
    again.
    I realize part of SSH security is to uniquely identify a hostname with
    a unique signature but is there any workaround for a cluster situation?
    Thanks for any input!

    Glenn


  2. Re: PuTTY + cluster + server fingerprints

    cartimus writes:
    >I realize part of SSH security is to uniquely identify a hostname with
    >a unique signature but is there any workaround for a cluster situation?


    Use the same host key for all hosts on the cluster. (This scheme assumes
    that if one cluster host is compromised, they effectively all are, and
    thus there is no gain in having separate host keys.)

    It's a fair comment that PuTTY could do with more flexibility in host
    key management, however.

  3. Re: PuTTY + cluster + server fingerprints


    Jacob Nevins wrote:
    > Use the same host key for all hosts on the cluster.


    Unfortunately we don't administer that cluster and that is unlikely to
    be allowed, I can ask! I was trying to find a workaround on the client
    side though PuTTY may in fact negate any attempt. Thx for the comment!

    Glenn


  4. Re: PuTTY + cluster + server fingerprints

    cartimus@gmail.com writes:
    >Jacob Nevins wrote:
    >> Use the same host key for all hosts on the cluster.
    >
    >Unfortunately we don't administer that cluster and that is unlikely to
    >be allowed, I can ask! I was trying to find a workaround on the client
    >side though PuTTY may in fact negate any attempt.


    In that case, here's a grim hack that will allow you to get round such
    issues with the current state of PuTTY:

    - On the Proxy panel, set "Proxy type" to Telnet and "Telnet command"
    to the empty string.

    - Set "Proxy hostname" and port to the real hostname and port you want
    to connect to.

    - On the "Session" panel, set the hostname and port to the name you
    want the host key to be stored under.

    What this does: the proxy setup creates a "null proxy" where a TCP
    connection to one hostname is used as a proxy for a connection to
    another hostname. The hostname/port you configure on the Session panel
    get used to decide where the SSH host key is stored / looked up, but are
    otherwise ignored, so they don't even have to correspond to a real
    hostname.

  5. Re: PuTTY + cluster + server fingerprints

    Thanks Jacob, I'll try for the next time the servers switch!


  6. Re: PuTTY + cluster + server fingerprints

    cartimus@gmail.com writes:
    >Thanks Jacob, I'll try for the next time the servers switch!


    I wouldn't bother -- I realised that my grim hack isn't much help to you
    -- it allows one to cope with a changing hostname with a single key, but
    not a changing key with a single hostname (your case).

    (Which is why I cancelled my post, but clearly not quickly enough.
    Google Groups has it.)
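
For the case the thread ends on (one alias hostname, two host keys), PuTTY's command-line tools document a `-hostkey` option that can be given more than once. The added example below, which is not part of the original thread, pins both nodes' keys for an unattended psftp run; the paths, hostname, account and fingerprint placeholders are assumptions to be replaced with values obtained out of band from the cluster administrators.

```powershell
# Added example: unattended psftp run that accepts only the two pinned
# cluster host keys. All values below are placeholders or assumptions.

$Psftp     = 'C:\Program Files\PuTTY\psftp.exe'  # assumed install path
$Alias     = 'sftp-cluster.example.com'          # placeholder alias hostname
$User      = 'transfer'                          # placeholder account
$KeyFile   = 'C:\keys\transfer.ppk'              # placeholder private key
$BatchFile = 'C:\jobs\upload.psftp'              # placeholder psftp command file

# One entry per cluster node, in a fingerprint or public-key form that the
# installed PuTTY version accepts for -hostkey. Get these from the cluster
# administrators, not from whatever the alias happens to present today.
$PinnedHostKeys = @(
    '<host-key-fingerprint-of-node-1>',
    '<host-key-fingerprint-of-node-2>'
)

# Fail closed if the pin list is empty or still contains placeholders.
if ($PinnedHostKeys.Count -eq 0 -or ($PinnedHostKeys -match '[<>]')) {
    throw 'Host key pin list is empty or still contains placeholders.'
}
if (-not (Test-Path -LiteralPath $Psftp)) {
    throw "psftp not found at $Psftp"
}

# -batch disables interactive prompts, so an unexpected host key aborts the
# connection instead of waiting for someone to accept it.
$psftpArgs = @('-batch', '-i', $KeyFile, '-l', $User)
foreach ($pin in $PinnedHostKeys) {
    # Repeating -hostkey makes each listed key acceptable for this connection.
    $psftpArgs += @('-hostkey', $pin)
}
$psftpArgs += @('-b', $BatchFile, $Alias)

& $Psftp @psftpArgs
$exit = $LASTEXITCODE

if ($exit -ne 0) {
    # A non-zero exit covers a failed transfer as well as a server whose key
    # is not in the pin list; treat both as a failure that needs a human.
    throw "psftp exited with code $exit; transfer not completed."
}
Write-Output "Transfer to $Alias completed with a pinned host key."
```

With `-hostkey` in use the keys listed on the command line decide whether the connection proceeds, so the monthly alias switch no longer requires re-accepting a key, and a server presenting any third key is still refused.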
