Date: Mon, 28 Apr 2008 10:37:59 +0100
From: Anton Shterenlikht
To: Chuck Swiger
Cc: freebsd-questions@freebsd.org
Subject: Re: ssh StrictHostKeyChecking=no refuse connection when key changed
Message-ID: <20080428093759.GA71558@mech-aslap33.men.bris.ac.uk>
References: <20080425160939.GA9863@mech-aslap33.men.bris.ac.uk>

On Fri, Apr 25, 2008 at 09:37:13AM -0700, Chuck Swiger wrote:
> On Apr 25, 2008, at 9:09 AM, Anton Shterenlikht wrote:
> >Is it normal that StrictHostKeyChecking=no in .ssh/config
> >still refuses ssh connection when host ID has changed.
> >
> >I've a setup in which host ids change frequently. How
> >can I setup ssh so that it ignores key change.
>
> You'd be better off fixing whatever it is that is making your host IDs
> change, but I suppose you could also try to create a zero-length
> known_hosts file, and keep it that way via:
>
>   chflags uchg ~/.ssh/known_hosts
>
> You might also try to automate finding the current valid hostkeys via
> ssh-keyscan.

Chuck, perhaps I should explain better what's going on.

I've a VMS cluster behind a FBSD frontend, acting as a router
and a firewall. (Don't ask why.. the Uni are not happy to connect
VMS to the local network directly. Just because they haven't
been using it for 10 years, they think it is not secure - what
nonsense, but never mind.)

I access VMS cluster using ssh with port forwarding.
In case a node in my VMS cluster goes down, its IP is automatically
given to another alive VMS node - a VMS cluster feature.

For example: Imagine the VMS cluster consisting of 2 nodes -
Node1 and Node2. The IP are:

Node1 10.10.10.1 (failover to 10.10.10.2)
Node2 10.10.10.2 (failover to 10.10.10.1)

and in ipnat.rules:

rdr dc0 xx.xx.xx.xx port xxxxx -> 10.10.10.1 port 22

This works fine until Node1 is down, in which case the cluster
software directs all connections to 10.10.10.1 to Node2.
Since its key doesn't match what's in known_hosts, the connection
is refused.

At present I tune the VMS cluster and reboot individual nodes
frequently. I'd like to be able to tell ssh to ignore key mismatch
at this stage.

many thanks
anton

-- 
Anton Shterenlikht
Room 2.6, Queen's Building
Mech Eng Dept
Bristol University
University Walk, Bristol BS8 1TR, UK
Tel: +44 (0)117 928 8233
Fax: +44 (0)117 929 4423
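
Added example, not part of the message above and not code from anyone in the thread: known_hosts may hold several keys for one name, and ssh accepts a host whose key matches any of them, so both failover nodes can be pinned under one HostKeyAlias while strict checking stays on. The alias `vms-cluster`, the frontend host name and port, and the key blobs are constructed assumptions; the helper only models the matching rule for plain (unhashed, unmarked) entries.

```shell
#!/bin/sh
# Added illustration; all names and key blobs are constructed placeholders.
#
# Matching client entry in ~/.ssh/config (host and port are placeholders):
#   Host vms
#       HostName frontend.example.org
#       Port 2222
#       HostKeyAlias vms-cluster
#       StrictHostKeyChecking yes

# Write a known_hosts file that pins BOTH cluster nodes under one alias.
make_known_hosts() {
    cat > "$1" <<'EOF'
# constructed sample entries
vms-cluster ssh-rsa AAAAB3NzaC1yc2E-CONSTRUCTED-NODE1 node1
vms-cluster ssh-rsa AAAAB3NzaC1yc2E-CONSTRUCTED-NODE2 node2
other-host ssh-rsa AAAAB3NzaC1yc2E-CONSTRUCTED-OTHER
EOF
}

# host_key_status FILE ALIAS TYPE BLOB
# Prints "ok" if any entry for ALIAS carries exactly this key,
# "changed" if ALIAS is listed but never with this key,
# "unknown" if ALIAS has no entry at all.
host_key_status() {
    awk -v host="$2" -v type="$3" -v blob="$4" '
        NF == 0 || $1 ~ /^#/ { next }      # skip blank lines and comments
        {
            n = split($1, names, ",")       # field 1 is a comma-separated host list
            for (i = 1; i <= n; i++)
                if (names[i] == host) {
                    seen = 1
                    if ($2 == type && $3 == blob) match_found = 1
                }
        }
        END { print match_found ? "ok" : (seen ? "changed" : "unknown") }
    ' "$1"
}

# Demo: the key Node2 would present after taking over 10.10.10.1 is accepted.
demo_file=$(mktemp)
make_known_hosts "$demo_file"
host_key_status "$demo_file" vms-cluster ssh-rsa AAAAB3NzaC1yc2E-CONSTRUCTED-NODE2
rm -f "$demo_file"
```

A key that belongs to neither node still reports `changed`, which is the case strict checking exists to catch.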