- host authentication in a cluster
- Donzi Guy
December 20, 2006, 4:31 am
We are having some discussions around solving client connections to various cluster VIPs or Logical Hosts. The cluster nodes have sshd running on them with the host keys generated from basically the FQDN of the individual servers. However, clients connect to the cluster via a floating IP for the entire complex and can connect to any node depending on the circumstances. If a failover occurs, then when the connection is re-initiated the host key changes and you get the MITM attack alert, which breaks these unattended sessions.

One solution is to populate the known_hosts file on each client with all the keys from each individual box + generate a key for the virtual address.

I'm sure this problem has been run into many, many times, but in reading the ssh docs and googling I haven't seen a solution to this problem that doesn't involve a shared known_hosts file for every client! We have 10,000+ clients, so this is unmanageable!

Ideas anyone? Oh, commercial products aren't acceptable either! We are running both VCS and Sun Cluster and have mostly Solaris 10 SPARC servers that we are concerned with at this time.
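The following is an added illustration, not code from the thread or from any SSH implementation: a small Python model of how a client consults known_hosts, showing why a floating cluster IP trips the "host key changed" warning after failover, and how the poster's first idea (recording every node's key under the VIP name as well) keeps the check passing. The hostnames (node1/node2.example.com, cluster-vip.example.com) and the key blobs are constructed placeholders, and the decision logic is a simplification of the real client (it ignores hashed entries, @cert-authority/@revoked markers, wildcard patterns and port syntax).

```python
"""Toy model of an SSH client's known_hosts check across a cluster failover.

Added example for this thread; hostnames and key blobs below are constructed
placeholders, not real keys or real hosts.
"""

# Constructed cluster: each node has its own host key, generated from its FQDN.
NODES = {
    "node1.example.com": "ssh-ed25519 AAAAC3NODE1PLACEHOLDER",
    "node2.example.com": "ssh-ed25519 AAAAC3NODE2PLACEHOLDER",
}
VIP = "cluster-vip.example.com"  # floating address clients actually connect to


def parse_known_hosts(text):
    """Return a list of (hostnames, keytype, blob) from plain known_hosts text.

    Hostnames in one entry are comma separated; comments and blank lines are
    skipped. Hashed entries and marker lines are out of scope for this model.
    """
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 3:
            continue
        hosts, keytype, blob = fields[0], fields[1], fields[2]
        entries.append((set(hosts.split(",")), keytype, blob))
    return entries


def check_host_key(known_hosts_text, hostname, presented_key):
    """Mimic the client's verdict for a presented host key.

    'ok'      -> some entry for this hostname carries exactly this key
    'changed' -> the hostname is known with this key type, but no entry matches
                 (this is the man-in-the-middle warning the poster describes)
    'unknown' -> no entry for this hostname with this key type
    """
    keytype, blob = presented_key.split()[:2]
    seen_host_with_type = False
    for hosts, kt, kb in parse_known_hosts(known_hosts_text):
        if hostname not in hosts or kt != keytype:
            continue
        seen_host_with_type = True
        if kb == blob:
            return "ok"
    return "changed" if seen_host_with_type else "unknown"


def per_node_known_hosts():
    """Status quo: each node's key is recorded only under its own FQDN."""
    return "\n".join(f"{fqdn} {key}" for fqdn, key in NODES.items())


def vip_aware_known_hosts():
    """Poster's workaround: every node's key is recorded under its FQDN and the VIP."""
    return "\n".join(f"{fqdn},{VIP} {key}" for fqdn, key in NODES.items())


def simulate_failover(known_hosts_text):
    """Connect to the VIP while node1 holds it, then again after failover to node2.

    Returns the two verdicts. If the first contact is 'unknown', the entry is
    recorded the way a client does when the operator accepts the prompt, which
    is exactly what sets up the later 'changed' warning.
    """
    first = check_host_key(known_hosts_text, VIP, NODES["node1.example.com"])
    if first == "unknown":
        known_hosts_text += f"\n{VIP} {NODES['node1.example.com']}"
    second = check_host_key(known_hosts_text, VIP, NODES["node2.example.com"])
    return first, second


if __name__ == "__main__":
    print("per-node keys only:", simulate_failover(per_node_known_hosts()))
    print("all node keys under VIP:", simulate_failover(vip_aware_known_hosts()))
```

The model reproduces the behaviour in the post: with only per-node entries, the first connection to the VIP is "unknown", the accepted answer pins node1's key to the VIP name, and the post-failover connection to node2 is reported as "changed". With each node's key listed under the VIP name as well, both connections verify, because the client accepts a host as long as any recorded key for that name matches. The alternative the poster also mentions, a single key generated for the virtual address and installed on every node, makes the VIP entry identical everywhere; either way the remaining problem is the distribution of that file to 10,000+ clients, which this example does not address.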
- Richard E. Silverman
December 20, 2006, 6:10 am