Partially Solved! Re:Multiple ssh keys in known_hosts possible?

Thu Jul 12 16:39:38 UTC 2007

Lennart Sorensen wrote:
> On Thu, Jul 12, 2007 at 12:23:36PM -0400, Madison Kelly wrote:
>>   I've got a situation where a few machines may answer an ssh request 
>> to a given IP. Specifically, I've got port forwarding on my firewall 
>> that routes certain (>1024) ports to machines MASQ'ed behind it. In the 
>> other case, I have a 2-node cluster. During fail over the slave node 
>> would answer requests (specifically; from the backup server running 
>> rsync over ssh).
>>
>>   The problem is that because the IP /doesn't/ change, ssh sees a 
>> different key and refuses to connect. Is there a way to tell ssh that 
>> keys A *or* B are valid for IP X?
> 
> I very much doubt it.  ssh is paranoid about matching host keys against
> IP addresses.  It wants to protect you from accidentally connecting to a
> different machine that you thought you were talking to.  You probably
> should just have seperate IPs for each machine and ssh to the one you
> want explicitly.
> 
> Now if you find a way to make ssh allow this it would actually be handy.
> I have seen some people forward different ports to ssh on different
> internal machines, and unfortunately ssh doesn't note the port number
> along with the host key either, which makes that not work well.
> 
> --
> Len Sorensen

Thanks Len and Neil!

   Go figure, I've been looking for an answer since yesterday, and as 
soon as I ask for help I find the answer. *Sigh*

   Here's what you do, "for the record":

Edit/create:
~/.ssh/config

   For each host at a given IP add an entry like:

host machine1
hostname 111.222.33.44
hostkeyalias machine1
port 2244

host machine2
hostname 111.222.33.45
hostkeyalias machine2
port 2245

   Then connect to the machine by it's alias:

$ ssh -X machine1

   This way an different key will be added for 'machine1' and 'machine2'.

   This doesn't really solve my problem yet with trying to have the 
backup server connect to the primary node in the cluster (which can 
switch) but I will look into that more tomorrow. I might just need to 
add some logic to my backup program that says:

(pseudo-code)
if connect to masternode
{
	backup masternode
}
else
{
	backup slavenode
}

   If there is interest, I'll post my ssh-based solution if/when I find 
it. :)

Madi
--
The Toronto Linux Users Group.      Meetings: http://gtalug.org/
TLUG requests: Linux topics, No HTML, wrap text below 80 columns
How to UNSUBSCRIBE: http://gtalug.org/wiki/Mailing_lists