Coolmar
Esteemed Contributor

SSH question....

Hi,

We have some password-less ssh/scp set up between certain accounts on some of our servers for evening batch runs, etc. We are moving our servers to a new datacenter and the IP addresses are changing. Would this affect the already set up password-less ssh/scp scripts? Someone mentioned that it is all IP based.....
3 REPLIES
Jeff Schussele
Honored Contributor

Re: SSH question....

Hi Sally,

It would all depend on how the known_hosts & authorized_keys files are populated.
IF they *only* use hostnames AND the systems will retain the *same* hostnames AND DNS is changed accordingly then you should be OK.
I generally don't recommend using IPs in those files for exactly this reason.

HTH,
Jeff
PERSEVERANCE -- Remember, whatever does not kill you only makes you stronger!
Ralph Grothe
Honored Contributor
Solution

Re: SSH question....

I would assume that the host key entries
in the known_hosts files of your IP changed boxes won't match anymore.
Thus ssh will most likely ask for confirmation of this change on first login.
This is to fend off man in the middle or IP spoofing attacks.
On the other hand the RSA keys haven't changed,
and I would assume they should be still valid.
Madness, thy name is system administration
Doug O'Leary
Honored Contributor

Re: SSH question....

Hey;

The short answer is "it depends on how you're using ssh"...

1. If you're using ssh with public key authentication to do this, (the right way), then you'll have an issue the first time you try to connect. The reason is that the remote system's host key is stored in the ~/.ssh/known_hosts file usually in both hostname and IP address format.

You could, in theory, update that file and replace the old IP address with the new one to circumvent this issue.

Another possibility would be to generate the system wide ssh_known_hosts with the host keys as appropriate - that way the users will never be asked.

2. #1 assumes that you're physically moving your systems. If you're only moving your application, then the host keys will change and you'll go through the connection confirmation conversation the first time you try to connect.

3. There are ways of setting up "rlogin" style access via ssh. This is the wrong way to use ssh. If you're doing that, then you will more than likely have an issue the first time you connect. I'm not all that familiar with this style of usage though.

HTH;

Doug O'Leary

------
Senior UNIX Admin
O'Leary Computers Inc
linkedin: http://www.linkedin.com/dkoleary
Resume: http://www.olearycomputers.com/resume.html
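
The known_hosts update suggested in the reply above (replacing the old IP address with the new one) can be scripted. The following is an added example, not code from any poster in this thread; the function names, host name, IP addresses and key data are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the thread). All hosts, IPs and keys are constructed.

# remap_known_hosts OLD_IP NEW_IP FILE
# Prints FILE with OLD_IP replaced by NEW_IP in the host field only. Key type
# and key data are copied unchanged, so the entry still pins the same host key.
remap_known_hosts() {
    awk -v old="$1" -v new="$2" '
    /^[ \t]*(#|$)/ { print; next }          # comments and blank lines pass through
    {
        h = ($1 ~ /^@/) ? 2 : 1              # @cert-authority / @revoked shift the host field
        if (index($h, "|1|") == 1) {         # HashKnownHosts entry: not matchable as text
            hashed++; print; next
        }
        n = split($h, hosts, ",")
        out = ""
        for (i = 1; i <= n; i++) {
            if (hosts[i] == old)             # exact match, so 192.0.2.100 is not touched
                hosts[i] = new
            else if (index(hosts[i], "[" old "]:") == 1)   # [ip]:port form
                hosts[i] = "[" new "]" substr(hosts[i], length(old) + 3)
            out = out (i > 1 ? "," : "") hosts[i]
        }
        $h = out
        print
    }
    END { if (hashed) printf "%d hashed entries left unchanged\n", hashed > "/dev/stderr" }
    ' "$3"
}

# Constructed sample known_hosts content (placeholder key data).
sample_known_hosts() {
    cat <<'EOF'
# batch hosts
batch01,192.0.2.10 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedKeyA
[192.0.2.10]:2222 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedKeyB
192.0.2.100 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedKeyC
|1|Q29uc3RydWN0ZWRTYWx0|Q29uc3RydWN0ZWRIYXNo ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedKeyD
EOF
}

# Demo: write the sample to a temp file and show the remapped result.
tmp=$(mktemp)
sample_known_hosts > "$tmp"
remap_known_hosts 192.0.2.10 198.51.100.10 "$tmp"
rm -f "$tmp"
```

Hashed entries cannot be rewritten this way; they have to be removed (for example with `ssh-keygen -R`) and re-added with a host key that has been verified out of band.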