risk of same fingerprint for ssh?

We have two clusters with 3 pairs of machines: cluster A consisting of a
pair of application servers and a pair of MySQL servers, cluster B
consisting of a pair of Apache Tomcat servers.

Only the machines in cluster B have public IPs. Customers connect to
the primary server in cluster B, of course. The server in cluster B
connects to the servers in cluster A.

The 2 MySQL servers are reachable through virtual addresses for the
primary and the secondary server. Now an external server has to connect
to the secondary server via SSH. If the fingerprints for the 2 MySQL
servers are different, we have a problem if the virtual address moves
to the other server.

We could give both servers the same fingerprint, but is this dangerous?
If yes, why?

Thank you in advance!


Re: risk of same fingerprint for ssh?


If I understand your architecture right, you’re not worried about the
frontend servers being unable to distinguish the backend servers from
one another.

You might care about other clients being able to distinguish them,
however, for instance when you log in to them for management purposes.

You might be able to solve this by having multiple host keys, i.e. one
shared between the backend servers and used for access from the frontend
servers, and then one for each backend server used for management.

I don't know how well this would work if they were of the same type, but
you can certainly have multiple host keys of different types with
OpenSSH, which might be good enough, depending on whether you have any
requirements about key type.

