ssh and clusters


Standard disclaimer: Use the information that follows at your own risk. If you screw up a system, don't blame it on me...
mailto: dkoleary@olearycomputers.com

When you ssh to a specific host, the remote host's key is put into ~/.ssh/known_hosts (by default). When you next connect to that host, ssh checks the host key to verify that you're talking to the same host you were before. If the host key has changed, ssh screams about a potential man in the middle attack.

That's exactly what you want to happen in normal circumstances. However, what happens if you're connecting to a clustered IP address that can switch between hosts? As soon as the package fails over to another node, the host key will change and ssh will scream.

Some have suggested ensuring the nodes of a cluster share the same host key. However, that weakens the security of the cluster. What happens if you want to ensure you're talking to a specific host? ssh won't be able to verify that for you, because every node presents the same key. While this option would work, there is a better way.

The trick is to use HostKeyAlias in the ~/.ssh/config file together with matching alias entries in the ~/.ssh/known_hosts file. Each node keeps its own host key; the alias just tells ssh which known_hosts entries to check against.

First, configure ~/.ssh/config. For example:

host mjp
hostname sapmjpdb.myco.com
user oracle
HostKeyAlias MJP

The known_hosts entry format is a comma-separated list of names (host, IP, aliases) followed by a space, the key type, and the key itself:

${host},${ip},${aliases} ${rest-o-key}

So, you can have:

node1,192.168.12.10,MJP ssh-rsa AAA[[snip]]
node2,192.168.12.12,MJP ssh-rsa AAA[[snip]]

Once all that's in place, you can:

ssh mjp ls -ld /tmp

and have it work regardless of the host on which sapmjpdb is currently running. Because ssh looks up the alias MJP in known_hosts and accepts any entry carrying that alias, either node's key is matched against its own recorded entry, while a key that matches neither entry still triggers the usual changed-host-key warning.
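The following is an added example, not part of the original page: a small POSIX sh script that turns ssh-keyscan-style output into known_hosts lines carrying the shared alias, plus a lookup that mimics how ssh matches a name against the comma-separated host field. The node names, IPs, alias and key strings are constructed placeholders; in practice the input would come from something like `ssh-keyscan -t rsa node1 node2`, run from a trusted network position and checked against each node's real key fingerprint before the lines are appended to ~/.ssh/known_hosts.

```shell
#!/bin/sh
# Added example (not from the original page). Builds known_hosts entries that
# pin each cluster node's own key under a shared HostKeyAlias, so failover does
# not trigger a host-key-changed warning and each node still keeps its own key.

# add_alias_entries: read "<host> <keytype> <key>" lines (what ssh-keyscan prints)
# on stdin and emit "<host>,<ip>,<alias> <keytype> <key>" lines.
#   $1 = alias to attach (e.g. MJP)
#   $2 = space-separated "node=ip" table used to fill in the IP field
add_alias_entries() {
    alias=$1; table=$2
    while read -r host keytype key; do
        # skip blank lines and ssh-keyscan's "# host:port ..." comment lines
        case $host in ''|'#'*) continue ;; esac
        ip=''
        for pair in $table; do
            case $pair in "$host="*) ip=${pair#*=} ;; esac
        done
        if [ -z "$ip" ]; then
            echo "add_alias_entries: no IP known for $host" >&2
            return 1
        fi
        printf '%s,%s,%s %s %s\n' "$host" "$ip" "$alias" "$keytype" "$key"
    done
}

# keys_for_host: read known_hosts lines on stdin and print "<keytype> <key>" for
# every line whose comma-separated host field contains $1 exactly. This is the
# lookup ssh performs for the HostKeyAlias: several nodes can share the alias,
# and a presented key is accepted if it matches any of their entries.
keys_for_host() {
    name=$1
    while read -r hosts keytype key; do
        case ",$hosts," in *",$name,"*) printf '%s %s\n' "$keytype" "$key" ;; esac
    done
}

# Constructed sample: two nodes with distinct (fake) RSA keys, as keyscan output.
SAMPLE_SCAN='node1 ssh-rsa AAAAconstructedkey1
node2 ssh-rsa AAAAconstructedkey2'
NODE_IPS='node1=192.168.12.10 node2=192.168.12.12'

# Demo: produce the two alias entries, then show which keys the alias resolves to.
printf '%s\n' "$SAMPLE_SCAN" | add_alias_entries MJP "$NODE_IPS" > known_hosts.example
echo "--- entries for ~/.ssh/known_hosts:"
cat known_hosts.example
echo "--- keys ssh would accept for HostKeyAlias MJP:"
keys_for_host MJP < known_hosts.example
rm -f known_hosts.example
```

Appending the generated lines to ~/.ssh/known_hosts and setting `HostKeyAlias MJP` in the matching ~/.ssh/config stanza gives the behaviour described above: each node is still verified against its own key, and a third machine answering on the cluster address with a key that matches neither entry is still reported as a changed host key.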
