
Mailing List Archive: OpenSSH: Dev

known_hosts(5) man page

 

 



Dave at Yost

Oct 24, 2009, 4:15 PM

Post #1 of 6
known_hosts(5) man page

Here's our situation. Two hosts, s1, s2, each with its own key.

Domain name foo is aliased to either s1 or s2 (each with its own
fixed IP address), depending on which is working correctly at any
given time.

The known_hosts(5) man page, when it comes into existence, should
explain how I would express that the ip-address/key pair from either
s1 or s2 is acceptable when connecting to foo.

I can't find any documentation that suggests if this is possible or
if so, how to do it.

Thanks

Dave


Ref:
http://openssh.org/manual.html
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev [at] mindrot
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev


rees at umich

Oct 24, 2009, 5:41 PM

Post #2 of 6
Re: known_hosts(5) man page

Given that the hosts are interchangeable from the client's point of view,
shouldn't they both have the same host key?


bob at proulx

Oct 24, 2009, 11:08 PM

Post #3 of 6
Re: known_hosts(5) man page

Jim Rees wrote:
> Given that the hosts are interchangeable from the client's point of view,
> shouldn't they both have the same host key?

Let me second that. A pool of failover servers should have the same
host key. They aren't individual machines at that point. Like
mirrored disks they are logically mirrors of each other.

Bob


Dave at Yost

Oct 24, 2009, 11:44 PM

Post #4 of 6
Re: known_hosts(5) man page

At 12:08 AM -0600 2009-10-25, Bob Proulx wrote:
>Jim Rees wrote:
>> Given that the hosts are interchangeable from the client's point of view,
>> shouldn't they both have the same host key?
>
>Let me second that. A pool of failover servers should have the same
>host key. They aren't individual machines at that point. Like
>mirrored disks they are logically mirrors of each other.

Hard to say. These aren't really a failover or a load-balanced group. It's more like a server plus other machines that can be pressed into service to fill in for the server in a pinch, in addition to the other stuff they do.


dtucker at zip

Oct 25, 2009, 3:08 AM

Post #5 of 6
Re: known_hosts(5) man page

Dave Yost wrote:
> At 12:08 AM -0600 2009-10-25, Bob Proulx wrote:
>> Jim Rees wrote:
>>> Given that the hosts are interchangeable from the client's point of view,
>>> shouldn't they both have the same host key?
>> Let me second that. A pool of failover servers should have the same
>> host key. They aren't individual machines at that point. Like
>> mirrored disks they are logically mirrors of each other.
>
> Hard to say. These aren't really a failover or a load-balanced group.
> It's more like a server plus other machines that can be pressed into
> service to fill in for the server in a pinch, in addition to the
> other stuff they do.

The main question is: are they under the same administrative control?
The host key protects you against MITM, but by definition the server's
administrator can already conduct a MITM (since the server has access to
the decrypted traffic and the admins have access to the host keys). If
the machines are run by the same admins then you're not giving up much
by using the same host keys.

The other option for clusters (not applicable in this case from your
description) is to have a "cluster package" that has a sshd bound to the
floating cluster address with its own host keys and have this sshd move
with the address.

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.


Sergio.Gelato at astro

Oct 26, 2009, 9:38 AM

Post #6 of 6
Re: known_hosts(5) man page

* Darren Tucker [2009-10-25 21:08:38 +1100]:
> Dave Yost wrote:
>> At 12:08 AM -0600 2009-10-25, Bob Proulx wrote:
>>> Jim Rees wrote:
>>>> Given that the hosts are interchangeable from the client's point of view,
>>>> shouldn't they both have the same host key?
>>> Let me second that. A pool of failover servers should have the same
>>> host key. They aren't individual machines at that point. Like
>>> mirrored disks they are logically mirrors of each other.
>>
>> Hard to say. These aren't really a failover or a load-balanced group.
>> It's more like a server plus other machines that can be pressed into
>> service to fill in for the server in a pinch, in addition to the
>> other stuff they do.
>
> The main question is: are they under the same administrative control?
> The host key protects you against MITM, but by definition the server's
> administrator can already conduct a MITM (since the server has access to
> the decrypted traffic and the admins have access to the host keys). If
> the machines are run by the same admins then you're not giving up much
> by using the same host keys.

If they are under the same administrative control but at different security
levels (say, physically accessible workstations vs. a server in a secure
room) sharing the host key may be riskier than you describe.

> The other option for clusters (not applicable in this case from your
> description) is to have a "cluster package" that has a sshd bound to the
> floating cluster address with its own host keys and have this sshd move
> with the address.

I see that with GSS key exchange (which unfortunately isn't a standard
part of OpenSSH yet, only a popular and widely-deployed patch) and a
DNS CNAME RR the GSSAPI library (MIT 1.6 in my test) resolves the CNAME
before it asks the KDC for a ticket. Then everything is fine, since the
RSA/DSA host keys are ignored and the server is authenticated by GSS instead.

(I suppose one could likewise make OpenSSH traverse CNAMEs before the
known_hosts lookup, but somehow I don't think you'll find the added
complexity worthwhile.)
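
Added example, not part of the thread and not OpenSSH code: the known_hosts format allows several lines with different keys for the same name, which is one way to express the case in post #1. The Python sketch below models that lookup for plain (unhashed) entries; the addresses and key blobs are constructed placeholders, and `check` is a hypothetical helper name.

```python
import re

# Constructed sample in known_hosts format (placeholder key blobs, not real keys).
# Both lines name "foo": one carries s1's key and address, the other s2's.
KNOWN_HOSTS = """\
# constructed example entries
foo,s1,192.0.2.11 ssh-rsa S1KEYBLOB
foo,s2,192.0.2.12 ssh-rsa S2KEYBLOB
"""

def parse(text):
    """Yield (patterns, keytype, blob) for each plain entry.
    Comments, @marker lines and hashed (|1|...) names are skipped."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0][0] in "#@|":
            continue
        yield fields[0].split(","), fields[1], fields[2]

def wild(pattern, host):
    """Match one host pattern; only * and ? are wildcards."""
    rx = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(rx, host) is not None

def names_host(patterns, host):
    """True if a pattern on the line matches and no !pattern vetoes it."""
    hit = False
    for p in patterns:
        if p.startswith("!"):
            if wild(p[1:], host):
                return False
        elif wild(p, host):
            hit = True
    return hit

def check(text, host, keytype, blob):
    """Return 'match', 'mismatch' (name known, key differs) or 'unknown'."""
    seen = False
    for patterns, ktype, kblob in parse(text):
        if ktype != keytype or not names_host(patterns, host):
            continue
        if kblob == blob:
            return "match"      # any one line with this key is enough
        seen = True
    return "mismatch" if seen else "unknown"

if __name__ == "__main__":
    for key in ("S1KEYBLOB", "S2KEYBLOB", "OTHERBLOB"):
        print("foo", key, check(KNOWN_HOSTS, "foo", "ssh-rsa", key))
```

Every key listed for `foo` is trusted for that name, while each address stays pinned to its own host's key, so s1's key presented from s2's address still reports a mismatch.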