Is it possible to allow multiple SSH host keys for the same IP?

I have a script that needs to connect to the currently active head of a high-availability cluster.



Each node in the cluster has a fixed hostname and IP address.

The current head additionally has a "virtual IP". In the case of a switchover or failover, another node configures the "virtual IP" and begins acting as the head.



Can I just point my script at the virtual IP? Won't ssh complain about mismatching host keys when the cluster moves the virtual IP to a different node?

ssh failover

asked 2 days ago
n.st

1 Answer

Yes, this is possible.

sshd(8) (from OpenSSH) specifies the format of known_hosts files (in the section SSH_KNOWN_HOSTS FILE FORMAT):

    When performing host authentication, authentication is accepted if any matching line has the proper key; […]

    It is permissible (but not recommended) to have several lines or different host keys for the same names. This will inevitably happen when short forms of host names from different domains are put in the file. It is possible that the files contain conflicting information; authentication is accepted if valid information can be found from either file.

Therefore you can just add the host keys of both HA heads to your ~/.ssh/known_hosts or /etc/ssh/ssh_known_hosts:

    203.0.113.50 ssh-rsa AAAAB3NzaC1yc2…6Yh5sHpkyIZvXLB
    203.0.113.50 ssh-rsa AAAAB3NzaC1yc2…R0RNVnMB6C4plFr

and ssh will connect to both of them without any complaints.






answered 2 days ago
n.st
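
The matching rule quoted in the answer above, as an added example (not part of the original answer and not OpenSSH's code): a simplified Python model of how a presented host key is judged when known_hosts holds several lines for one address. The helper names, key blobs and salt are constructed for illustration; it handles plain and hashed (`|1|salt|hash`) host fields and the `@revoked` marker, but not wildcard patterns or `@cert-authority`.

```python
import base64
import hashlib
import hmac

def hash_host(host, salt):
    """HashKnownHosts field: |1|b64(salt)|b64(HMAC-SHA1(key=salt, msg=host))."""
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|{}|{}".format(base64.b64encode(salt).decode(),
                             base64.b64encode(mac).decode())

def host_matches(field, host):
    """Match a host against a plain comma-separated list or a hashed field."""
    if field.startswith("|1|"):
        salt = base64.b64decode(field.split("|")[2])
        return hmac.compare_digest(hash_host(host, salt), field)
    return host in field.split(",")

def check_host_key(known_hosts, host, keytype, key):
    """Return 'ok', 'revoked', 'changed' or 'new' for a presented host key."""
    accepted = seen_type = False
    for line in known_hosts.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        marker = parts.pop(0) if parts[0].startswith("@") else None
        if len(parts) < 3 or not host_matches(parts[0], host):
            continue
        same_key = (parts[1], parts[2]) == (keytype, key)
        if marker == "@revoked":
            if same_key:
                return "revoked"      # a revoked key is never accepted
        elif marker is None:          # other markers are not modelled here
            seen_type = seen_type or parts[1] == keytype
            accepted = accepted or same_key   # any matching line suffices
    if accepted:
        return "ok"
    return "changed" if seen_type else "new"

# Constructed sample data: placeholder key blobs, not real host keys.
VIP = "203.0.113.50"
KEY_A, KEY_B, KEY_OLD = "AAAAC3ConstructedNodeA", "AAAAC3ConstructedNodeB", "AAAAC3ConstructedRetired"
KNOWN_HOSTS = "\n".join([
    "# both HA heads listed under the virtual IP",
    f"{VIP} ssh-ed25519 {KEY_A} node-a",
    f"{hash_host(VIP, b'constructed-salt')} ssh-ed25519 {KEY_B}",
    f"@revoked {VIP} ssh-ed25519 {KEY_OLD}",
])
```

Listing both heads widens what is trusted for the virtual IP to exactly those two keys: in this model any other key of the same type still comes back as `changed`, the case in which ssh prints its host key mismatch warning.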
