[Linux-cluster] ssh'ing to Cluster IP aliases.

Lon Hohberger lhh at redhat.com
Thu Apr 24 19:23:48 UTC 2008


On Thu, 2008-04-24 at 14:10 -0500, Bennie Thomas wrote:
> I have a 3-node Cluster set up as 2-nodes active and one passive. I have
> assigned 2 IP Aliases to fail over. The problem I am having is: when I
> ssh to the IP aliases the first time it works fine, I then fail over the
> IP alias service to the backup node, then try ssh'ing to the alias, and
> it fails with a man-in-the-middle attack.
> 
> I know I can go modify .ssh/known_hosts and remove the host key and it
> will work, but if the alias fails back to the original node the problem
> starts all over.
> 
> How can I set up ssh to allow this connection?

What I usually do is:

- make a copy of the sshd init script and place it somewhere
besides /etc/init.d (/cluster/scripts?)

- change the global sshd config file to bind to a *specific* VIP on the
host.

- create a separate config file for the cluster VIP using different host
keys for the cluster IP address

- copy service-specific sshd script / config / host keys to other
cluster node(s)

- add the copied script as part of the cluster service with the VIP you
want

You'll end up with 2 sshd instances running on the host when the service
is enabled - one for the host's IP with specific keys/etc. for that IP,
and one running for the cluster IP address with its own set of keys.

Because the host keys are distributed between the cluster nodes for this
address, no matter where the cluster IP is, it should work - IP matches
and the keys match :)

-- Lon
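
An added sketch of the setup described above (not part of the original message, and not Red Hat's own script): it renders the sshd settings for the host instance and the VIP instance and generates the shared VIP host key. The addresses, the /etc/ssh/cluster directory, the pid file name and the ed25519 key type are assumptions.

```shell
#!/bin/sh
# Added example: every address and path below is a constructed placeholder.
HOST_IP="${HOST_IP:-192.0.2.21}"        # this node's own address (assumed)
VIP="${VIP:-192.0.2.10}"                # cluster IP alias (assumed)
VIP_DIR="${VIP_DIR:-/etc/ssh/cluster}"  # directory copied to every node (assumed)

# Line to set in the node's global sshd_config: bind to the host IP only,
# so port 22 on the VIP stays free for the second sshd instance.
host_listen_line() {
    printf 'ListenAddress %s\n' "$HOST_IP"
}

# Config for the VIP instance: its own address, host key and pid file.
vip_config() {
    cat <<EOF
ListenAddress $VIP
HostKey $VIP_DIR/ssh_host_ed25519_key
PidFile /var/run/sshd-cluster.pid
EOF
}

# Generate the VIP host key once, on one node; the other nodes get a copy,
# so clients see the same key wherever the VIP is running.
make_vip_key() {
    mkdir -p "$VIP_DIR" && chmod 700 "$VIP_DIR"
    [ -f "$VIP_DIR/ssh_host_ed25519_key" ] ||
        ssh-keygen -q -t ed25519 -N '' -f "$VIP_DIR/ssh_host_ed25519_key"
}

# True when both instances would try to bind the same address.
same_address() { [ "$HOST_IP" = "$VIP" ]; }

if [ "${1:-}" = "--apply" ]; then
    same_address && { echo "host IP and VIP must differ" >&2; exit 1; }
    make_vip_key
    vip_config > "$VIP_DIR/sshd_config"
    /usr/sbin/sshd -t -f "$VIP_DIR/sshd_config"         # syntax check only
    ssh-keygen -lf "$VIP_DIR/ssh_host_ed25519_key.pub"  # must match on all nodes
    echo "set in /etc/ssh/sshd_config: $(host_listen_line)"
fi
```

Run with `--apply` as root on one node, copy the directory to the other nodes with the private key's permissions preserved, and compare the printed fingerprint on each node before adding the copied init script to the cluster service.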



