topic Re: SSH over virtual IPs in Operating System - HP-UX

SSH over virtual IPs

Pradep — Wed, 16 Sep 2009 15:24:34 GMT

hi,
i am using SSH host-based password less authentication for cluster.
cluster node physical IP (ssh clients) cnB1 and cnB2 independently connect to a SSH server. I had to put physical IP/hostname of cluster nodes in server. authentication doesnot work, if i put package IP of the cluster in ssh_known_hosts in /etc/opt/ssh of the SSH server. its bit difficult to manage so many physical IP and keys.
how can i make authentication work over virtual IP of cluster.
thanks.

Re: SSH over virtual IPs

Matti_Kurkela — Wed, 16 Sep 2009 19:06:40 GMT

When the SSH client moves between cluster nodes:

ssh -o BindAddress=IP.address.of.package

If the outgoing SSH connections are made by a particular user account and the home directory of that user is included on the package disk(s), put the BindAddress= option to the ~/.ssh/config file of that user.

The same "-o BindAddress=1.2.3.4" option can be used with scp and sftp too.

-----------

When the SSH server moves between cluster nodes:

The cluster nodes are supposed to generally look like multiple incarnations of the same host when viewed from the outside of the cluster, right?

This is a situation where it might be useful to copy the SSH host keys (/opt/ssh/etc/ssh_host_*_key* on HP SSH, /etc/ssh/ssh_host_*_key*) from one node to all other nodes, so that each node of the cluster uses the same set of host keys.

This makes the client receive the same SSH host key when contacting the packet IP address, no matter which node the package is running on.

MK

Re: SSH over virtual IPs

Olivier Masse — Thu, 17 Sep 2009 01:05:31 GMT

I don't like the solution of having identical host keys for two servers, even if they're part of a cluster. What I do, which might be considered overkill, is run an SSH service on an alternate port, with a different sshd_config file, and it references its own host key which is linked to the virtual IP only. I go as far as putting the keyfile in a filesystem with is part of the package so it moves with the package from one node to another.

Re: SSH over virtual IPs

Pradep — Thu, 17 Sep 2009 01:38:48 GMT

the scenario is pkg is not moved to another node. but still ssh dont authenticate if the enter the pkg IP in SSH server /etc/opt/ssh/ssh_known_hosts files
it only works if the enter physical client hostname in the server side file.

actually my question was why SSH needs to work on physical client IP address entries in ssh_known_hosts file of the SSH server.

eg:-

this entry dont work
# cat ssh_known_hosts
phyClienthost.com ssh-dss AAAAB3NzaC....

the SSH server dont authenticate when entry on SSH server side is

# cat ssh_known_hosts
pkgClienthost.com ssh-dss AAAAB3NzaC....

similarly i have to put, this entry for host based authentication equivalency.

# cat shosts.equiv
phyClienthost.com root
and pkgClienthost.com root dont work.