ssh StrictHostKeyChecking=no refuse connection when key changed

Anton Shterenlikht mexas at bristol.ac.uk
Mon Apr 28 09:38:05 UTC 2008


On Fri, Apr 25, 2008 at 09:37:13AM -0700, Chuck Swiger wrote:
> On Apr 25, 2008, at 9:09 AM, Anton Shterenlikht wrote:
> >Is it normal that StrictHostKeyChecking=no in .ssh/config
> >still refuses ssh connection when host ID has changed?
> >
> >I've a setup in which host ids change frequently. How
> >can I set up ssh so that it ignores key change?
> 
> You'd be better off fixing whatever it is that is making your host IDs
> change, but I suppose you could also try to create a zero-length
> known_hosts file, and keep it that way via:
> 
>   chflags uchg ~/.ssh/known_hosts
> 
> You might also try to automate finding the current valid hostkeys via  
> ssh-keyscan.

Chuck, perhaps I should explain better what's going on.

I've a VMS cluster behind a FBSD frontend, acting as a router and
a firewall. (Don't ask why.. the Uni are not happy to connect VMS
to the local network directly. Just because they haven't been using
it for 10 years, they think it is not secure - what nonsense, but
never mind.)

I access VMS cluster using ssh with port forwarding. In case a node
in my VMS cluster goes down, its IP is automatically given to another
alive VMS node - a VMS cluster feature. For example:

Imagine the VMS cluster consisting of 2 nodes - Node1 and Node2.
The IPs are:

Node1 10.10.10.1 (failover to 10.10.10.2)
Node2 10.10.10.2 (failover to 10.10.10.1)

and in ipnat.rules:

rdr dc0 xx.xx.xx.xx port xxxxx -> 10.10.10.1 port 22

This works fine until Node1 is down, in which case the cluster
software directs all connections to 10.10.10.1 to Node2. Since
its key doesn't match what's in known_hosts, the connection is
refused.

At present I tune the VMS cluster and reboot individual nodes
frequently. I'd like to be able to tell ssh to ignore key mismatch
at this stage.

many thanks
anton

-- 
Anton Shterenlikht
Room 2.6, Queen's Building
Mech Eng Dept
Bristol University
University Walk, Bristol BS8 1TR, UK
Tel: +44 (0)117 928 8233 
Fax: +44 (0)117 929 4423
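
An added example, not part of the original thread: because ssh accepts a connection when any key listed for a name in known_hosts matches, the failover setup described above can keep strict checking on by pinning both nodes' keys under one alias, using ssh-keyscan output as suggested in the quoted reply. The alias `vmscluster`, the file names and the key blobs are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the original post). The alias "vmscluster", the file
# names and the key blobs below are constructed placeholders.

# pin_keys ALIAS FILE: read ssh-keyscan style lines ("host keytype base64")
# on stdin and store each key under ALIAS in FILE, without duplicates.
pin_keys() {
    alias_name=$1
    kh_file=$2
    tmp=$(mktemp) || return 1
    {
        if [ -f "$kh_file" ]; then cat "$kh_file"; fi
        # Drop comments and malformed lines; replace the scanned host name.
        awk -v a="$alias_name" '!/^#/ && NF >= 3 { print a, $2, $3 }'
    } | sort -u > "$tmp" && mv "$tmp" "$kh_file"
}

# count_keys ALIAS FILE: number of keys pinned for ALIAS.
count_keys() {
    awk -v a="$1" '$1 == a { n++ } END { print n + 0 }' "$2"
}

# ssh_config_stanza ALIAS FILE: client settings that keep strict checking on
# and look the host key up under ALIAS instead of the forwarded address.
ssh_config_stanza() {
    printf '# add HostName and Port for the forwarded address to this block\n'
    printf 'Host %s\n' "$1"
    printf '    HostKeyAlias %s\n' "$1"
    printf '    UserKnownHostsFile %s\n' "$2"
    printf '    StrictHostKeyChecking yes\n'
}

# Constructed stand-in for `ssh-keyscan 10.10.10.1 10.10.10.2` run on the
# internal network while both nodes are up (verify fingerprints on the nodes).
SAMPLE_SCAN='# 10.10.10.1 SSH-2.0-constructed
10.10.10.1 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQCONSTRUCTEDNODE1
10.10.10.2 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQCONSTRUCTEDNODE2'

demo_dir=$(mktemp -d)
printf '%s\n' "$SAMPLE_SCAN" | pin_keys vmscluster "$demo_dir/known_hosts.vmscluster"
ssh_config_stanza vmscluster "$demo_dir/known_hosts.vmscluster"
echo "keys pinned: $(count_keys vmscluster "$demo_dir/known_hosts.vmscluster")"
rm -rf "$demo_dir"
```

Re-running `pin_keys` after a node is rebuilt adds its new key without duplicating the existing entries; keys of retired nodes have to be removed from the file by hand.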

