I have some machines that send ssh commands to a load balancer appliance that is really a pair of machines that can fail over to each other. The ssh keys are set up on both targets, but whenever the active target is changed, ssh issues a warning about a "man-in-the-middle" attack also goes to the log and the console which tends to alarm the operators. Setting the strict host check to no lets the command complete anyway, but is there a way to get rid of the warning completely?
Les Mikesell wrote:
I have some machines that send ssh commands to a load balancer appliance that is really a pair of machines that can fail over to each other. The ssh keys are set up on both targets, but whenever the active target is changed, ssh issues a warning about a "man-in-the-middle" attack also goes to the log and the console which tends to alarm the operators. Setting the strict host check to no lets the command complete anyway, but is there a way to get rid of the warning completely?
If you're having the same keys on both machines: Does the load balancer rewrite the ip addresses of the boxes or does the client see a different ip address for the failover host?
Cheers,
Ralph
Les Mikesell wrote:
I have some machines that send ssh commands to a load balancer appliance that is really a pair of machines that can fail over to each other. The ssh keys are set up on both targets, but whenever the active target is changed, ssh issues a warning about a "man-in-the-middle" attack also goes to the log and the console which tends to alarm the operators. Setting the strict host check to no lets the command complete anyway, but is there a way to get rid of the warning completely?
install the same SERVER private keys (ssh_host_*_key) on both targets. those are different than the public keys that get copied to the client(s).
normally, the server private key gets generated when sshd is installed, and each machine is unique, but since these machines are acting as a cluster that acts as a single server, it makes sense to share keys.