I have some machines that send ssh commands to a load balancer appliance
that is really a pair of machines that can fail over to each other. The
ssh keys are set up on both targets, but whenever the active target is
changed, ssh issues a warning about a "man-in-the-middle" attack also
goes to the log and the console which tends to alarm the operators.
Setting the strict host check to no lets the command complete anyway,
but is there a way to get rid of the warning completely?
--
Les Mikesell
lesmikesell at gmail.com
Les Mikesell wrote:> I have some machines that send ssh commands to a load balancer appliance > that is really a pair of machines that can fail over to each other. The > ssh keys are set up on both targets, but whenever the active target is > changed, ssh issues a warning about a "man-in-the-middle" attack also > goes to the log and the console which tends to alarm the operators. > Setting the strict host check to no lets the command complete anyway, > but is there a way to get rid of the warning completely?If you're having the same keys on both machines: Does the load balancer rewrite the ip addresses of the boxes or does the client see a different ip address for the failover host? Cheers, Ralph -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: not available URL: <http://lists.centos.org/pipermail/centos/attachments/20070506/988b440d/attachment-0001.sig>
Les Mikesell wrote:> I have some machines that send ssh commands to a load balancer > appliance that is really a pair of machines that can fail over to each > other. The ssh keys are set up on both targets, but whenever the > active target is changed, ssh issues a warning about a > "man-in-the-middle" attack also goes to the log and the console which > tends to alarm the operators. Setting the strict host check to no lets > the command complete anyway, but is there a way to get rid of the > warning completely? >install the same SERVER private keys (ssh_host_*_key) on both targets. those are different than the public keys that get copied to the client(s). normally, the server private key gets generated when sshd is installed, and each machine is unique, but since these machines are acting as a cluster that acts as a single server, it makes sense to share keys.